I finally did it!! $100K+ on @Bugcrowd platform 🥳 $70K+ coming from the last 8 months, I really levelled up my game. From where I started this means a lot to me @Bugcrowd : )
Thanks to many of you, who always given me positive energy.
That’s it, just hit 21950$ in the last 30 days from @Bugcrowd alone 🤩 I had set my 2022 Q1 goal at $20k for 3 months but fortunately reached it in 1 month. I will continue sharing my finds/thoughts via tweets here.
#bugbounty
#bugcrowd
#infosec
Just received a 4000$ bounty and crossed the +15000$ mark in the last 30 days on @Bugcrowd 🧡
Please note I haven’t found any P1 bug, so please don’t worry too much about P1’s and focus on what you are good at and you will get there : )
#bugcrowd
#bugbounty
When you upload an image on a target, always check if the website is leaking any sensitive data through EXIF data
1. Upload image on <Target>
3. Copy & paste image address in
4. Report if you find any sensitive data like location, IP address etc.
#bugbountytips
#BugBounty
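As an added illustration of the check above (this is example code, not the author's, and not from any program), the following minimal JPEG/EXIF parser lists the tags in the 0th IFD of an uploaded image and a second function strips the Exif segment before the file is stored. The sample JPEG is constructed inline (it is not decodable as a picture; only its marker structure matters), and the tag names are the standard TIFF/EXIF ones. The GPSInfo pointer (tag 0x8825) is the one that carries location.

```python
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"

# Standard 0th-IFD tags a defender cares about; anything else is reported by hex number.
SENSITIVE_TAGS = {
    0x010F: "Make",
    0x0110: "Model",
    0x8769: "ExifIFD",   # pointer to the Exif sub-IFD (timestamps, serial numbers, ...)
    0x8825: "GPSInfo",   # pointer to the GPS IFD: the location leak
}


def iter_segments(data):
    """Yield (marker, payload, start, end) for every marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = 0xFF00 | data[pos + 1]
        if marker in (EOI, SOS):
            return  # entropy-coded image data follows SOS; no more metadata segments
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end


def exif_tags(jpeg):
    """Return {tag_number: name} for the entries of the 0th IFD in the first Exif APP1 segment."""
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            raise ValueError("bad TIFF byte order")
        magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF magic")
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        tags = {}
        for i in range(count):
            off = ifd0 + 2 + 12 * i            # each IFD entry is 12 bytes
            tag = struct.unpack(endian + "H", tiff[off:off + 2])[0]
            tags[tag] = SENSITIVE_TAGS.get(tag, "0x%04X" % tag)
        return tags
    return {}


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; all other segments are kept."""
    out = bytearray()
    cut = 0
    for marker, payload, start, end in iter_segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            out += jpeg[cut:start]
            cut = end
    out += jpeg[cut:]
    return bytes(out)


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def _sample_jpeg():
    """Constructed test file: JFIF APP0, an Exif APP1 with Model + GPSInfo, then a stub scan."""
    ifd = struct.pack(">H", 2)                                   # two entries
    ifd += struct.pack(">HHI4s", 0x0110, 2, 4, b"Cam\x00")       # Model, ASCII, fits inline
    ifd += struct.pack(">HHII", 0x8825, 4, 1, 38)                # GPSInfo pointer (IFD not included)
    ifd += struct.pack(">I", 0)                                  # no next IFD
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd               # big-endian TIFF header
    exif = _segment(APP1, EXIF_HEADER + tiff)
    jfif = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + jfif + exif + sos + b"\x12\x34" + b"\xff\xd9"


SAMPLE_JPEG = _sample_jpeg()

if __name__ == "__main__":
    print("tags before:", exif_tags(SAMPLE_JPEG))
    print("tags after: ", exif_tags(strip_exif(SAMPLE_JPEG)))
```

Run the strip on the server side at upload time, before the file is made publicly addressable; a missing GPSInfo tag in the stored copy is the check that the fix holds.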
Time based SQLi -> forgot password Endpoint 😇
1. Payload used: '%2b(select*from(select(sleep(20)))a)%2b'
2. Endpoint: /Forgot password
Cheers 🍻
Do share your story in comments if you got SQLi at weird endpoints 😁
#bugbounty
#bugbountytips
#infosec
#SQL
#hackershack
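Added example for the defensive side of the finding above (not the author's code): a small detector that URL-decodes the request target in access-log lines and flags the time-delay primitives of the common database engines, plus the parameterised lookup that stops the payload from ever being executed as SQL. The log lines and the `/forgot-password` path are constructed; the second line carries the tweet's payload in its query string. Note that a POST body never appears in a web-server access log, so body parameters need application-level logging or a WAF to be visible.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed combined-format access log. Line 2 carries the tweet's payload.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:02:31:07 +0000] "POST /forgot-password?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2021:02:31:09 +0000] "POST /forgot-password?email=%27%2b(select*from(select(sleep(20)))a)%2b%27 HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2021:02:31:10 +0000] "GET /static/app.js HTTP/1.1" 200 20481
198.51.100.7 - - [10/Mar/2021:02:31:12 +0000] "GET /search?q=sleeping+bags HTTP/1.1" 200 3391
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')

# Delay primitives: MySQL sleep/benchmark, PostgreSQL pg_sleep, MSSQL waitfor delay, Oracle dbms_pipe.
TIME_BASED_SQLI = re.compile(
    r"(?:\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(|\bwaitfor\s+delay\b|dbms_pipe\.receive_message)",
    re.IGNORECASE,
)


def fully_decode(text, rounds=3):
    """URL-decode repeatedly (double encoding is common) until the text stops changing."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def flag_time_based_sqli(log_text):
    """Return (line_no, client_ip, decoded_target) for each line whose request target
    contains a time-delay SQL primitive after decoding."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = fully_decode(match.group(1))
        if TIME_BASED_SQLI.search(target):
            hits.append((line_no, line.split(" ", 1)[0], target))
    return hits


def demo_db():
    """Constructed in-memory users table for the lookup below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.execute("INSERT INTO users (email) VALUES ('alice@example.com')")
    return conn


def find_user_id(conn, email):
    """Hardened forgot-password lookup: the email is bound as a parameter, so any SQL
    text inside it is compared as data and never parsed by the engine."""
    row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for hit in flag_time_based_sqli(SAMPLE_LOG):
        print("line %d from %s: %s" % hit)
```

The benign `sleeping+bags` search shows why the pattern requires an opening parenthesis after `sleep`; tune the regex against your own traffic before alerting on it.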
I’ve made a total of 12400$ in the first month of 2021 and many are still in Triaged state 🧡 Thanks to god and thanks to everyone who encouraged me with positive words. Although I’m still a noob, I will try to share as much good content as possible 😇🙏🏼
#bugbounty
#thankyou
SQL Automation:
1. Use waybackurls/gau to get all possible URLs
2. Use the GF tool to filter SQL parameters [create your own pattern for SQL] & save as allsql.txt
3. Send the filtered URLs to sqlmap - python sqlmap.py -m allsql.txt --batch
#bugbountytips
#bugbounty
Found another SQL injection vulnerability in a login page today. After hours of recon landed on and the payload didn’t work when I injected it in the email input box but worked in the email parameter of the login request. Weird 😅
#bugbountytips
#bugbounty
#sql
#infosec
I just published a writeup on a vulnerability type which I always thought was just theoretical in real-life scenarios. This writeup is on ‘Websocket Hijacking’ to steal the Session_ID of victim users
#bugbountytips
#bugbounty
#infosec
#hackerone
#bugcrowd
Golden words that changed my hunting style:
1. “One should understand target better than the one who developed it” - @NahamSec interview with @ngalongc
2. “Stick to single target for finding critical bugs” - @_jensec
Hope this helps you too 🧡 spread positivity 😇
#BugBounty
It’s around 2:30 AM. Got 400$ so far today. Thought of signing off but out of curiosity refreshed the payments page and upcoming payments went up by 8900$. I was in shock!! Only after reading the mail I understood 🤩
#bugbounty
#bugcrowd
Is awesome!! 🧡
I was about to close my lappy yesterday around 3 AM. I don’t know why, all of a sudden I see loopholes then 😂 Got a 403 bypass using “X-Original-URL”
Host: <redacted>.com/secure
..
403
Host: <redacted>.com/test/
X-Original-URL: /secure
..
200 OK
#bugbountytips
#bugbounty
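The bypass above works when the access rule is evaluated on the request line while the framework routes on the override header. As an added example (not the author's code, and not tied to any real target), the following compares that vulnerable pattern with the fix: discard `X-Original-URL`/`X-Rewrite-URL` unless they come from your own reverse proxy, and apply the rule to the path that will actually be dispatched. The `/secure` prefix, the `REDACTED.com` host and the session dicts are constructed.

```python
# Headers that several frameworks and proxies treat as an override of the request path.
PATH_OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

# Constructed access rule: everything under /secure needs an admin session.
PROTECTED_PREFIXES = ("/secure",)


def is_protected(path):
    return path.startswith(PROTECTED_PREFIXES)


def lower_headers(headers):
    return {name.lower(): value for name, value in headers.items()}


def routed_path(path, headers):
    """The path the application dispatches to when it honours an override header."""
    h = lower_headers(headers)
    for name in PATH_OVERRIDE_HEADERS:
        if name in h:
            return h[name]
    return path


def authorize_naive(path, headers, user):
    """Vulnerable pattern: the rule looks at the request line, dispatch follows the header,
    so '/test/' with 'X-Original-URL: /secure' reaches /secure without the check."""
    status = 403 if is_protected(path) and not user.get("is_admin") else 200
    return status, routed_path(path, headers)


def authorize_fixed(path, headers, user, from_trusted_proxy=False):
    """Fix: strip override headers that did not come from our own proxy, then apply the
    rule to the path that will really be routed."""
    h = lower_headers(headers)
    if not from_trusted_proxy:
        for name in PATH_OVERRIDE_HEADERS:
            h.pop(name, None)
    target = routed_path(path, h)
    status = 403 if is_protected(target) and not user.get("is_admin") else 200
    return status, target


# Constructed request mirroring the tweet: anonymous client, harmless path, override header.
BYPASS_HEADERS = {"Host": "REDACTED.com", "X-Original-URL": "/secure"}
ANON = {}

if __name__ == "__main__":
    print("naive:", authorize_naive("/test/", BYPASS_HEADERS, ANON))
    print("fixed:", authorize_fixed("/test/", BYPASS_HEADERS, ANON))
```

In a real deployment the `from_trusted_proxy` decision comes from the connection (the proxy's address or mTLS identity), never from another client-controlled header.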
IDOR(ATO) + PII - Duplicate!
1. Login > Add new user
2. Click on “edit” invited user > capture request in burp
3. Replace the invited user’s ID with any other user’s ID
4. Update email > send
5. Email updated(ATO) for other user+ PII disclosure in response
#bugbountytips
#bugbounty
Found ATO just now!
1. Found Open redirection in sign in endpoint
2. Enter the attacker’s server (I’ve used an ngrok server) and tried to sign in using the OAuth flow
3. OAuth code disclosure in the attacker’s server logs
4. ATO!! 🔥🧡
#BugBountyTips
#bugbounty
#hackerone
Want some motivation? I’ve read stories of:
1. People hacking on a mobile phone coz they couldn’t afford a laptop and later blessed to buy a laptop 🧡
2. People working 16 hours a day
3. 6 digit rank to 3 digit rank.
Thanks for inspiring me. Motivate yourself!
#BugBounty2021Goals
When you are searching for IDORs focus on download (csv, pdf, etc.) endpoints. Many times I found cool IDORs at these endpoints : )
#bugbounty
#bugbountytips
Last year I set a goal of earning 25000$ in bounties for 2020. That’s a big goal for me based on 2019 bounties and keeping in mind that I’ve a full time job. I am so proud that I’ve completed my goal in 5 months and also ending my year at 47500$. Thanks to god,family&myself 🧡
IDOR - P1
Attacker able to fetch order details of any user.
* Captured a request like this in Burpsuite: /xyz?reservation_id=GUID
Difficult to guess other users’ reservation GUIDs.
* Manipulated it like this: /xyz?order_id=<6 digit ID>
#bugbounty
#bugbountytips
#bugcrowd
When I started my bugbounty days I used to get many silly questions like how pro bugbounty hunters remember all the commands for tools, what attack? etc. Just wanted to let u all know it’s common, no one can teach u this except practice, just keep calm and practice : )
#bugbounty
Non-admin user can view role permissions but cannot enable them. I inspected the element, removed “disabled” from the front end and was able to update role permissions successfully. Will drop a writeup on this.
#bugbountytips
#bugcrowd
#bugbounty
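The IDOR findings above (order lookups by `reservation_id`/`order_id`, editing an invited user by ID) and the disabled-control finding share one root cause: the server trusts the identifier or the UI state instead of checking the caller's rights. As an added example (not the author's code, with constructed users, orders and roles), this shows the server-side checks that close both: every object lookup is followed by an ownership/role check, whichever identifier the client used, and privileged operations re-check the role regardless of what the front end rendered.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The caller may not act on the requested object."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Order:
    order_id: int          # short sequential number: trivially enumerable
    reservation_id: str    # long random string: hard to guess, but obscurity is not authorization
    owner: str
    details: str


# Constructed data: two customers, a support agent and an admin.
ORDERS = [
    Order(100001, "7f0c2a9e-5d1b-4c3e-9a8f-1b2c3d4e5f60", "alice", "2x burger, table 4"),
    Order(100002, "c4e1b0d2-3a4f-4e5d-8b6c-7d8e9f0a1b2c", "bob", "1x salad, delivery"),
]
USERS = {
    "alice": User("alice"),
    "bob": User("bob"),
    "sam": User("sam", {"support"}),
    "root": User("root", {"admin"}),
}
ROLE_PERMISSIONS = {"viewer": {"read"}, "editor": {"read", "write"}}


def _find_order(order_id=None, reservation_id=None):
    for order in ORDERS:
        if order_id is not None and order.order_id == order_id:
            return order
        if reservation_id is not None and order.reservation_id == reservation_id:
            return order
    return None


def get_order(caller, order_id=None, reservation_id=None):
    """Whichever identifier the client supplied, the check is the same: the record must belong
    to the caller, or the caller must hold a role allowed to read any order."""
    order = _find_order(order_id, reservation_id)
    if order is None or (order.owner != caller.name and not caller.roles & {"support", "admin"}):
        # Identical response for "not found" and "not yours": no oracle for enumerating IDs.
        raise Forbidden("order not available")
    return order.details


def update_role_permissions(caller, role, permissions):
    """The UI may render a disabled control for non-admins; the server decides anyway."""
    if "admin" not in caller.roles:
        raise Forbidden("role management requires admin")
    if role not in ROLE_PERMISSIONS:
        raise Forbidden("unknown role")
    ROLE_PERMISSIONS[role] = set(permissions)
    return ROLE_PERMISSIONS[role]


def allowed(fn, *args, **kwargs):
    """True if the call succeeds, False if the server refuses it."""
    try:
        fn(*args, **kwargs)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("bob reads alice's order by number:", allowed(get_order, USERS["bob"], order_id=100001))
    print("bob edits role permissions:", allowed(update_role_permissions, USERS["bob"], "viewer", {"read", "write"}))
```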
After a long break, back to bug bounties and last 2 weeks went really well. I focused on single target for long time and the results are good!
#bugbounty
#bugcrowd
1. Testing an instance accessible only to employees through login
2. Analysed source code and found a js file: /scripts/app-847d3aae5c.js
3. Used the "LinkFinder tool" to check for endpoints
4. Found two endpoints disclosing admin and store details without authentication.
#bugbounty
Admin panel access:
1. Found a subdomain like this: admin.staging.<redacted>.ph
2. It’s directly asking me to sign in using Google OAuth > proceeded with sign-in
4. Voila!! It accepted me as admin and showed all developer details, merge requests etc.
#bugbounty
#bugbountytips
Since my first day of joining @Hacker0x01 @jobertabma I’ve submitted many reports to Hackerone and the end result was always a Dup/Informative. I didn’t give up and today I got my first valid find on Hackerone 🧡 This hits different
#bugbounty
#nevergiveup
1 year for this cool bug I found in a #hackerone private program. Got a reward of 4913$ for the same. Many of us ignore OAuth flows, but if you dig deep you can find ATOs 😁 I will try to publish a writeup soon on this
#hackerone
#bugbounty
#bugbountytips
#infosec
3rd P1-IDOR in last 18 days! 🥳
Similar to my previous finding, found another endpoint which discloses reservation details using "reservation_id" value [lengthy, alphanumeric]. I replaced that with "order_id" [6-8 digit numeric value]
#bugbountytips
#bugcrowd
#bugbounty
A simple trick like this can get you a valid find. How many of you check this? Read the privacy terms of the target.
And yes it’s just a P4, so what!? You’re still helping the company’s security get better. (Severity can be high when you are targeting a big company 😉)
#bugbountytips
#bugbounty
Another P1 from the same private program. I guess if you find 1 IDOR/BAC in a program, you might find many : )
No special technique, same as my previous findings mentioned before in my tweets.
#bugcrowd
#bugbounty
#Bugbounty
#goals
2024:
This year has been a lazy hunting season in bug bounties but will pick up the pace in 2024.
1. Make $150K+ bounties
2. For the First time collaborate with other researcher.
3. Share more write-ups and bugbounty tips via Twitter!
Hopefully I’ll make it!
When you are targeting e-commerce or food ordering domains, parameter tampering is a must. Updated the quantity value to a fractional value and was able to order a 45$ burger for just 0.45$. Finally this one got resolved. Writeup soon! : )
#hackerone
#bugbountytips
#bugbounty
#infosec
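Added example for the fix to the tampering above (not the author's code; the catalogue, prices and limits are constructed): the vulnerable pattern multiplies whatever string the client sent, so "0.01" buys a 45$ item for 0.45$; the hardened version accepts only a positive whole number in range, takes the unit price from the server-side catalogue and computes in exact decimals.

```python
from decimal import Decimal


class InvalidQuantity(ValueError):
    """Submitted quantity is not a positive whole number in range."""


MAX_QTY = 50
# Constructed catalogue: unit prices live server-side and are never read from the request.
CATALOG = {"burger": Decimal("45.00"), "fries": Decimal("4.50")}


def parse_quantity(raw):
    """Accept only ASCII digit strings that parse to 1..MAX_QTY.
    str.isdigit alone would admit characters such as '²' or non-ASCII digits;
    the isascii guard closes that, and the digit test already rejects '-', '.', 'e' and spaces."""
    if not isinstance(raw, str) or not (raw.isascii() and raw.isdigit()):
        raise InvalidQuantity(f"quantity must be a positive integer: {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY:
        raise InvalidQuantity(f"quantity out of range: {qty}")
    return qty


def naive_total(sku, raw_qty):
    """Vulnerable pattern: the submitted value is used as-is (float, no range check)."""
    return float(CATALOG[sku]) * float(raw_qty)


def line_total(sku, raw_qty):
    """Hardened pattern: validated integer quantity times the server-side price, exact decimals."""
    qty = parse_quantity(raw_qty)
    return CATALOG[sku] * qty


def is_rejected(raw_qty):
    """True when parse_quantity refuses the value."""
    try:
        parse_quantity(raw_qty)
    except InvalidQuantity:
        return True
    return False


if __name__ == "__main__":
    print("naive total for qty '0.01':", naive_total("burger", "0.01"))
    print("hardened rejects '0.01':", is_rejected("0.01"))
    print("hardened total for qty '2':", line_total("burger", "2"))
```

The same validation belongs on every numeric field the client can influence (quantity, item count, tip, discount), and the final charge should be recomputed from the validated cart on the server rather than accepted from the checkout form.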
I am not a bug bounty hunter because I love money. I’m a bug bounty hunter because I love being able to cancel all of my plans whenever I want to spend the day with family or myself 😇
#bugbounty
After a long break it took me almost 2 weeks to get back in streak. Hope I’ll continue this.
“agentid” variable in a graphql request is vulnerable to IDOR attack, resulting in viewing any agent details from any organisation.
#bugbounty
#bugcrowd
Earned 7900$ (+1500$ for a still triaged one) for reporting multiple vulnerabilities 🧡 This one is special because I worked even on new year nights for this.
Suddenly the payout range was decreased, otherwise would have cracked a big one, but still happy 😇
#bugbounty
#bounty
#infosec
While hunting on this target, one specific role user is not allowed to login or access target directly but only via subdomain of that target. On further research, I found a cross instance IDOR on that subdomain with critical PII Leakage. I will drop a writeup soon.
#BugBounty
Unprivileged user able to fetch UUIDs of other users from this endpoint: ``/api/v1/REDACTED/subordinate_employees.json``. Copy paste the disclosed UUID in another vulnerable endpoint ``https://target.tld/UUID`` to fetch full PII information.
#bugbounty
#bugbountytips
Just got #Triaged
1. Found Blind SSRF in signup form.
2. Port scanning possible by observing the server response time.
I tried escalating this to fetch other sensitive data but failed; if you have any write-ups please do share. Good day!
#bugbounty
#bugbountytips
#bugcrowd
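Added example for the defensive side of the SSRF above (not the author's code): a validator for any URL the server is asked to fetch (webhook, avatar import, signup callback). It allows only http/https on the standard ports, resolves the name and requires every returned address to be public, which is what blocks loopback, RFC 1918, link-local (the cloud metadata address) and IPv6 equivalents. The resolver is swapped for a constructed table so the example runs offline; the hostnames and addresses in that table are made up, apart from one public address used as a stand-in answer.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeURL(ValueError):
    """The URL must not be fetched from the server side."""


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip_text):
    """Reject loopback, private, link-local (169.254.169.254 metadata), multicast,
    reserved and unspecified addresses, for IPv4 and IPv6 alike."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Default resolver: every address the name maps to; all of them must pass."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=system_resolver):
    """Return (hostname, [ips]) when the URL is safe for a server-side fetch, else raise UnsafeURL.
    The caller should then connect to one of the returned IPs and set the Host header itself,
    so a second DNS lookup cannot rebind the name to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("userinfo in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeURL("invalid port") from exc
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    try:
        ips = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not ips or not all(is_public_address(ip) for ip in ips):
        raise UnsafeURL(f"{host!r} resolves to a non-public address")
    return host, ips


# Constructed DNS table. 93.184.216.34 stands in for "some public address"; the other
# names model an internal host, the cloud metadata service and a mixed public/loopback answer.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "metadata": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]   # literal IP: nothing to look up
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


def is_blocked(url):
    try:
        validate_outbound_url(url, fake_resolver)
    except UnsafeURL:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("https://example.com/webhook", "http://169.254.169.254/", "http://internal.corp:8080/"):
        print(candidate, "blocked" if is_blocked(candidate) else "allowed")
```

The timing side channel the tweet describes disappears when the fetch is queued and the form responds immediately with a generic result rather than waiting on the outbound connection; the validator above additionally keeps those connections from reaching internal ports at all.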
I found a vulnerability in a private program to use the premium plan forever: downgrade the free premium plan on the 29th day [out of the 30-day free trial], upgrade again to the free premium plan on the same day, and get another 30 days of free premium trial
#bugbounty
#bugbountytips
Closing this weekend with another P1. IDOR attack able to read any conversation thread on the platform disclosing some private messages and PII details of all users part of conversation.
#bugbounty
#bugcrowd
#bugbountytips
P1 bounty in bday month is always special 🧡
Simple IDOR attack by enumerating the Order ID value. One endpoint closed as duplicate. I did further research and found another endpoint fetching the order details. Lucky me, not a dup this time : )
#bugbounty
#bugcrowd
Sometimes you just gotta be smart 😂
1. Victim set SMS notifications off
2. Target has a flaw where anyone can add any user’s phone number
3. Attacker adds the same phone number > activates SMS notifications
4. Victim continues to receive SMS notifications
#bugbountytips
#bugbounty
"Is programming mandatory to do bug bounties?" Since this is a common question everyone is sending via DM, I would like to reply here - "No, in the beginner stage programming is not required, basic would be more than enough, but to find major security loopholes you need to
#bugbounty
Stored Blind XSS story: When your bug bounty program gives you test credentials, still don’t forget to fill up new business signup forms, demo forms etc. I filled one such form and got Stored Blind XSS after a couple of days.
#bugbountytips
#blindxss
When a user tries to update the password, the request is not protected with CSRF but asks for the current password. This time I tried signup via OAuth; now for the password change the current password is not required. CSRF attack to update password 🔥
#bugbountytips
#bugbounty
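Added example for the fix to the finding above (not the author's code; sessions, accounts and the form dicts are constructed): a password-change handler that first verifies a per-session CSRF token, then demands proof of the current credential. For accounts with a password that is the current password; for accounts created through OAuth, which have none, the fallback is a recent re-authentication (for instance a just-completed OAuth round trip), so the "no current password, no CSRF token" path the tweet found no longer exists. The password hashing uses PBKDF2 from the standard library.

```python
import hashlib
import hmac
import secrets


class Rejected(Exception):
    """The password change was refused; the message names the failed check."""


REAUTH_WINDOW = 5 * 60   # seconds during which a recent login counts as proof of identity
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def issue_csrf_token(session):
    """One random token per session, echoed in a hidden field or header on every state change."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def change_password(session, form, account, now):
    """Checks, in order:
    1. the CSRF token in the form matches the one bound to the session;
    2. the caller proves the current credential: the current password for password accounts,
       a login within REAUTH_WINDOW for accounts that have no password (OAuth signups);
    3. only then is the new password accepted and stored."""
    expected = session.get("csrf")
    if not expected or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        raise Rejected("csrf token missing or wrong")
    if account.get("password_hash") is not None:
        if not verify_password(form.get("current_password", ""), account["password_hash"]):
            raise Rejected("current password wrong")
    elif now - session.get("auth_time", 0) > REAUTH_WINDOW:
        raise Rejected("re-authentication required for OAuth-only account")
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        raise Rejected("new password too short")
    account["password_hash"] = hash_password(new_password)
    return True


def outcome(session, form, account, now):
    """'ok' or the reason the change was refused."""
    try:
        change_password(session, form, account, now)
        return "ok"
    except Rejected as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    oauth_account = {"password_hash": None}          # constructed: signed up via OAuth, no password
    stale_session = {"auth_time": now - 3600}         # constructed: logged in an hour ago
    token = issue_csrf_token(stale_session)
    print(outcome(stale_session, {"new_password": "correct-horse-battery"}, oauth_account, now))
    print(outcome(stale_session, {"csrf_token": token, "new_password": "correct-horse-battery"}, oauth_account, now))
```

Checking the `Origin`/`Sec-Fetch-Site` headers is a cheap second layer on top of the token, and the same re-authentication rule should cover e-mail and phone changes, since those are the recovery paths for the password itself.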
As I always say, don't worry too much about finding Criticals/P1’s. Try to break stuff to find cool bugs : ) I just published a short writeup which falls under this category. I found similar issues in multiple programs and thought it’s good to share with you guys.
Although I found many valid finds on the @Hacker0x01 platform, since my joining I always failed to find a valid non-duplicate find on Hackerone. I did it last night and I’m happy : )
#hackerone
#bugbounty
Why analysing source code is important:
1. Testing a subdomain where signin/signup options are not visible in the UI
2. Used LinkFinder to find the endpoint "/profile"
3. <target>/profile took me to the signup/signin page
4. Found application-wide CSRF including email update
#bugbounty
#bugbountytip
Useless endpoint to RXSS:
1. Used LinkFinder to check if I can find any sensitive endpoints
2. Ended up finding this: "php/terms/view?liso=<somethingsomething>". No sensitive data exposed, but one of the parameters is vulnerable to Reflected XSS.
#bugbounty
#bugbountytips
Another P1! Algolia Misconfiguration issues are still out there. Check the permissions allowed for the disclosed Algolia API key and show them the Impact.
#bugbountytip
#bugbounty
#bugcrowd
Thanks for the 4K love. From a btech boy who was completely clueless about what he was doing in college till now, it’s been a long journey. I’m extremely fortunate to make a 4K family on Twitter. I’ll continue to be helpful for others with my little knowledge. Jai hind 🇮🇳
#bugbounty
Always check if you can increase the impact before reporting. I escalated the severity by showing how I can change admin details and fetch sensitive data using console.
#bugbountytips
#bugbounty
#hackerone
When you see a complex website don’t ignore it immediately (I used to do it back then). Focus on your strengths first; my strengths are access control, business logic and authentication issues. Once you do that you will get the confidence to test other attacks.
#bugbountytips
#bugbounty
When you are testing e-commerce websites, try to find any expired discount/coupon codes and check if they are still working. I found a couple of codes via Google dorking which were supposed to have expired by now, reported via h1 and got rewarded today.
#bugbounty
#BugBountyTip
“Don’t ever let someone tell you, you can’t do something. You got a dream, you got to protect it. You want something, go get it. Period!” - 👏🏼 My fav dialogue from Pursuit of Happiness 🧡
Quick suggestion to beginners: For XSS related bugs first check with an HTML payload. Don’t go directly with injecting an XSS payload because sometimes if one payload didn’t work we simply skip further testing. In this case you can at least end up reporting HTML injection/SSTI bugs : )
I’m shocked to see the recent fake bounties news on Twitter, but please try not to highlight their name/image. Although I’m completely against this fake screenshots thing attracting beginners, we should be a little sensitive about such matters - “Just my opinion”
#BugBounty