When you know how to read code, you have superpowers. Don't be a script kiddie!👇

(mass account takeover writeup)

1. By reading JS code, @by6153 was able to login into anyone's account without credentials.

2. Then he learned that "/admin/dashboard" was accessible for authenticated users but doesn't check if the user is an admin or a normal user.

3. Then from "User Management" section, he was able to create admin accounts.

4. Read the full write-up here: https://z-sec.co/mass-account-takeover

#pentesting #appsec #infosec #cybersecurity #hacking #bugbountytips #bugbounty #ethicalhacking

When you know how to read code, you have superpowers. Don't be a script kiddie!👇

Tips and tricks for IDOR hunting. by @InonShkedy 👇

1. Object IDs in URLs tend to be less vulnerable. Try to put more effort on IDs in HTTP headers / bodies.

(my emphasis) Also, look for other non-ID parameters used as identifiers.

2. GUID instead of numeric values? Don’t give up!

Use the “session label swapping” technique or find endpoints that return IDs of objects that belong to other users.

(my emphasis) Basically, test using multiple accounts.

3. Always try numeric IDs. 

If an endpoint receives a non-numeric object ID, like a GUID or an email address, try replacing the GUID/email with a number.

(my emphasis) Also, try replacing it with "*".

4. Received 403/401 once? Don’t give up!

It’s not extremely common, but some weird authorization mechanisms only work partially. 

Try many different IDs. For example: if the endpoint “api/v1/trips/666” returned 403, run a script to enumerate 50 random IDs from 0001 to 9999.

5. Find the most niche features in the application. 

(my emphasis) And that's usually miles away from the main functionalities of the app.

With these features, developers might not have thought through authorization properly.

6. I modified the original text of @InonShkedy a bit to fit into Twitter's reqs. Read it entirely below.

Any other API tips that you know of? Comment 👇

#pentesting #appsec #infosec #cybersecurity #hacking #bugbountytips #bugbounty #ethicalhacking 
https://inonst.medium.com/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2

How to Increase your Luck Surface Area Fast [Practical Guide] 👇 

7. Read the entire post below. Inspired by @swyx.

https://cristivlad.substack.com/p/be-more-lucky

How to Increase your Luck Surface Area Fast [Practical Guide] 👇

Paid features for free. Story of another bug.👇 

1. In one of the pentests I'm currently doing, there is a web application with multiple pricing tiers, including a free account. I've been also provided with a premium account.

2. What I usually do is parallel testing of the two accounts, at least as follows:

- visual: features are included in both vs the paid account only
- dynamic: manipulating requests to circumvent access controls, usually via proxying
- hybrid: a combination of both or more

3. In this case, I decided to start lightly, in the browser. I tried accessing a paid feature in the free account. I got presented with a pop-up to "upgrade to continue". I couldn't click anywhere else on the page.

4. Let me just, right-click, Inspect Element, and modify this div to class="none". There!

Now I can use this premium feature for free.

5. The moral of the story: 

Always enforce access controls in the backend.

6. Have you found something similar? Tell me below. 

Like, retweet, and follow me for more cyber stuff.

#pentesting #appsec #infosec #ethicalhacking #hacking #bugbounty #bugbountytips #cybersecurity

Paid features for free. Story of another bug.👇

1. A few days ago I found some time for bug hunting, as I said in my previous newsletter at http://cristivlad.substack.com which I post every week.

2. I keep getting private invites on @intigriti and a few other platforms.

3. I took a program that was just launched, and I did not want to go deep at first. It is wide-scope, so I focused on recon. A large chunk of my recon methodology is in my Recon course. Look it up if you're interested.

4. I took a generic approach, doing subdomain enumeration, then I fuzzed for interesting files on all domains.

5. I filtered for 200 OK and looked up the results with interesting lengths.

6. One of them was a .yml file in the root of a subdomain. It was loaded with credentials and configs.

7. I didn't submit a report right away because:

- it was late evening and I preferred going to sleep
- I thought it had already been reported

8. I submitted the report the next day; and a day later, to my surprise, it got accepted and I got $800. 

- no further questions asked, no back and forth
- straightforward professional triage

I'll be looking more into it daily; usually, after I finish my pentests.

9. Can you share similar bug stories in one tweet? Comment 👇. 

Like, retweet, and follow me for more cyber stuff.

#pentesting #appsec #infosec #redteam #ethicalhacking #hacking #bugbounty #bugbountytips #cybersecurity

Story of an uninteresting bug.

Here's a 5 bullet point methodology for finding XSS. 

I don't like XSS but I must look for it as part of the pentests I perform for clients.👇

1. Perform source code review

Most pentester and bug hunters don't. And you don't need to be a top coder/developer to do code review.

2. Identify entry points and user-controllable inputs

Also, look for sources and sinks.

3. Perform black box testing with manual input

This works synergistically with #1.

4. Use automated scanning tools to detect potential XSS vulnerabilities.

You might clear out many low-hanging fruits. Mostly in pentesting, very unlikely in bug bounty hunting.

5. Leverage browser tools like DevTools or Burp Suite to identify potential XSS.

Very few professionals use DevTools. Use it to gain a competitive advantage.

6. What would you add to this small methodology?Comment👇

Like, retweet, and follow me for more cyber stuff.

#pentesting #appsec #infosec #ethicalhacking #hacking #bugbounty #bugbountytips #cybersecurity

Here's a 5 bullet point methodology for finding XSS. 

1. How I'm working on an AI - Cyber project.
2. A typical Day in the Life
3. Pay $0 =&gt; get nothing
4. Private bounties at @intigriti. 

All this and more, in this week's blog 👇 

You can read all about it here: https://cristivlad.substack.com/p/insiderweekly-8

#pentesting #appsec #infosec #ai #cybersecurity #nlp #hacking #ethicalhacking #bugbounty #machinelearning

Insider Weekly #8

Great compilation of cheatsheets by @iam_amdadam, all in one place.👇

1. Recon workflows

- from very detailed to a very simple workflow 

2. Notes from The Bug Hunter Methodology by @Jhaddix 

3. Notes from The Bug Hunter's Methodology - Application Analysis 

5. Mobile, API pentesting &amp; much more. See below by @iam_amdadam 

Do you know others? Comment 👇

Like, retweet, and follow me for more cyber stuff.

#pentesting #appsec #infosec #cybersecurity #hacking #ethicalhacking #bugbounty #bugbountytips

https://docs.google.com/spreadsheets/u/0/d/1TxNrvaIMRS_dmupcwjwJmXtaFk_lPGE1LzgxPu_7KqA/

Great compilation of cheatsheets by @iam_amdadam, all in one place

227 Red Teaming tips, by @vysecurity. Here's a few 👇

1. Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.

2. You dont need payloads when you can phish credentials and login to Citrix, VPN, email with no 2FA. Check the perimeter.

3. Need a DC? echo %LOGONSERVER%. Need a list? nltest /dclist, nslookup -q=srv _kerberos._tcp (domain suffix can autocomplete)

4. Need to sweep for uptimes? Use wmic /node:"" OS get LastBootUpTime in a for loop

5. Check the entire list by @vysecurity below.

Do you have other tips? Comment 👇. Like, retweet, and follow me for more cyber stuff.

#pentesting #appsec #infosec #redteam #ethicalhacking #hacking #bugbounty #bugbountytips #cybersecurity

https://github.com/vysecurity/RedTips

227 Red Teaming tips, by @vysecurity

I got some free coupons for the Burp Suite course 👇 

1. Go to https://cristivlad.substack.com/ and subscribe to the newsletter for free.

2. The welcome email contains your coupon. It takes up to 10 minutes to receive the welcome email, so please be patient. 

There are only a limited number of coupons, so when they run out, the welcome email is not going to contain coupons.

3. I'd appreciate a review, or at least a rating once finished. Don't be just a taker!

And please finish the course, otherwise it wont look good on your resume!

#infosec #pentesting #appsec #cybersecurity #bugbounty #bugbountytips #hacking #ethicalhacking