Jason Haddix

@Jhaddix

16 Tweets 131 reads Jun 29, 2022
A thread🧵
💸Secrets of automation-kings in bug bounty💸
Finding 1-day (or 1-month) web exploits that haven't made their way into scanners yet can make you big money.
Read more to understand where and how to get an edge in this area!
🚨Retweet, follow, & like for more! 🚨
1/x
A competitive advantage in bug bounty is being able to write your own vulnerability checks.
There are hundreds of COTS and OSS software packages with vulnerabilities that never end up in a vuln scanner, for various reasons...
2/x
Maybe because the software isn't a big name like Microsoft or JIRA. Maybe the vendor & the reporter don't make any fanfare about the bug.
Whatever the reason, you can profit by making your own checks! This has never been easier with tools like @pdnuclei and Jaeles!
3/x
.@jtsec has a video guide for those interested where he creates a custom CORS check:
youtube.com
5/x
I use nuclei for a lot of misconfiguration type checks and CVEs. I use Jaeles more for custom web fuzzing.
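As an added illustration of the kind of custom check this thread is about, here is a minimal nuclei template for the CORS misconfiguration case referenced above. It is not the author's template and is not taken from the linked video; it assumes current nuclei template syntax (an `http` request block with `word` matchers against the response headers), and the `id`, `name`, tags and the `Origin` value are constructed for the example.

```yaml
# Added example: a minimal nuclei template that flags a permissive CORS
# configuration, i.e. a server that echoes an untrusted Origin back in
# Access-Control-Allow-Origin while also allowing credentials.
# Everything here (id, name, author, the test origin) is constructed for illustration.
id: cors-reflected-origin-with-credentials

info:
  name: Reflected Origin with Access-Control-Allow-Credentials
  author: editor-example
  severity: medium
  description: |
    Sends a request carrying an Origin the target has no reason to trust and
    checks whether the response both reflects that Origin and allows
    credentials. That combination lets any site read authenticated responses
    from the target inside a victim's browser. Fix: allow-list exact origins
    and never pair a reflected origin with Allow-Credentials: true.
  tags: cors,misconfig,example

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      # Constructed, not a real site (.invalid is a reserved TLD):
      # an origin the target should never trust.
      Origin: "https://cors-check.invalid"

    # Both conditions must hold for a finding. A reflected origin without
    # credentials means the cross-origin read is unauthenticated, and
    # Allow-Credentials against a fixed allow-list is normal behaviour.
    matchers-condition: and
    matchers:
      - type: word
        part: header
        case-insensitive: true
        words:
          - "Access-Control-Allow-Origin: https://cors-check.invalid"

      - type: word
        part: header
        case-insensitive: true
        words:
          - "Access-Control-Allow-Credentials: true"
```

Save it as a `.yaml` file, syntax-check it with `nuclei -validate -t cors-reflected-origin.yaml`, and run it against an in-scope host with `nuclei -t cors-reflected-origin.yaml -u https://target-in-scope.example` (the hostname is a placeholder). The design point is the `and` between the two matchers: a template that alerts on a reflected origin alone produces a lot of noise, while the pairing with `Allow-Credentials: true` is what actually exposes authenticated data.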
So now you know how to make a check... how do you know what to make?
Surprisingly, Twitter can be one of the best intelligence sources for this!
7/x
I'll walk you through how I and some others do this.
1st you'll need a separate Twitter account.
Once you have that, head over to tweetdeck.twitter.com!
We're going to use Twitter live searches to find CVEs and exploits to make into templates for our scanners.
8/x
I have a column in TweetDeck that represents a live search for each vulnerability type in existence. For example, I'll get you started:
9/x
One of my columns is a live search for:
"local file include" OR "path traversal" OR "directory traversal" OR "arbitrary file read"
10/x
another is:
"Broken Authentication" OR "Authentication Bypass" OR "account takeover" OR "Sensitive Data Exposure"
I have over 30 live searches running in TweetDeck to update me on new CVEs, vuln classes, and writeups, which I can then port into vulnerability checks!
11/x
Another source of vuln intelligence is parsing Bugcrowd's disclosures and HackerOne's Hacktivity pages.
hackerone.com
bugcrowd.com
Read the writeups and if one seems like a good check or novel fuzz string, add it to your arsenal.
12/x
What's the UBER level of this?
I know two hunters who pay for subscriptions to Threat Intelligence feeds as an upfront cost. These feeds often have inside info on CVE endpoints that are not public yet, including PoC fuzz strings. They make templates from them and profit.
13/x
With a constant, automated scanning routine you can build a monster vulnerability scanning machine!
You should look into Axiom by @pry0cc as the glue that can scale an operation like this 😉😉😉:
14/x
youtube.com
youtube.com
That's it for now, did I miss anything?
A full and expanded blog with MORE & ALL links for this thread will be on my blog in a few days:
jhaddix.com
✌🏻For more resources follow, retweet, & like!✌️
15/x
I didn’t mention THIS one earlier… there’s also a great market for bypasses to fixes for bugs!
Get good at bypassing simple XSS and SSRF protections :)