xnLinkFinder is a great tool for extracting links for a given target. It can consume a URL, local files or a Burp/OWASP ZAP project file. Personally, I start with all the links from Burp's site map and the Wayback Machine. I download all these files and then feed them to...
#33
Secrets of automation-kings in bug bounty
Jason Haddix shed some light on how he finds exploits that can be automated and scanned across a large number of targets. If you are thinking about using automation and creating your own templates but don't know how to find bugs to reproduce, this thread is for you...
Finding RCEs in JVM-based languages
I feel it's profitable to find bugs by reviewing the code of decompiled jar, war or class files. Groovy and Scala are Java-related (JVM) languages, but you will miss command-execution sinks in them if you are only looking for Java's Runtime.getRuntime()...
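As an added example for this entry (my own code, not from the newsletter or the linked article): a small Python scanner that runs over constructed snippets of JVM source and decompiler output and flags command-execution sinks beyond Runtime.getRuntime(), namely Groovy's "cmd".execute() (and the ProcessGroovyMethods.execute form it decompiles to), Eval/GroovyShell script evaluation, and Scala's scala.sys.process operators. The sink list, file names and sample snippets are assumptions/constructed for the demo, not taken from any real target.

```python
"""Flag command-execution sinks in JVM source or decompiler output.

Added example for this newsletter entry; not code from the linked article.
The sink list and the sample files below are my own assumptions/constructions.
Decompilers (CFR, Procyon, Fernflower) emit Java-like syntax, so Groovy's
"cmd".execute() usually shows up as ProcessGroovyMethods.execute(...) and
Scala's "cmd".! as .$bang() (Scala encodes '!' as '$bang' in bytecode names).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Regexes per language. Groovy's .execute() is limited to string/list literal
# receivers so that JDBC Statement.execute() or Executor.execute() do not
# drown the signal (those are not shell sinks).
SINK_PATTERNS: dict[str, list[str]] = {
    "java": [
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(",
        r"\bnew\s+ProcessBuilder\s*\(",
    ],
    "groovy": [
        r'"[^"]*"\s*\.\s*execute\s*\(',                 # "cmd".execute() (GDK)
        r"\[[^\]]*\]\s*\.\s*execute\s*\(",              # ["sh","-c",x].execute()
        r"\bProcessGroovyMethods\s*\.\s*execute\s*\(",  # decompiled form of the above
        r"\bEval\s*\.\s*(me|x|xy|xyz)\s*\(",            # script evaluation == code exec
        r"\bGroovyShell\b",                             # new GroovyShell().evaluate(...)
    ],
    "scala": [
        r"\bimport\s+scala\.sys\.process",
        r"\bProcess\s*\(",                              # Process("cmd").run / .!
        r'["\)]\s*\.\s*!!?(?=\s|$|;|\.|\))',            # "cmd".! and Seq(...).!!
        r"\.\s*\$bang(\$bang)?\s*\(",                   # ! and !! after decompilation
        r"\.\s*(lineStream|lazyLines)\b",
    ],
}

COMPILED = {lang: [re.compile(p) for p in pats] for lang, pats in SINK_PATTERNS.items()}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    language: str
    pattern: str
    code: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit; one line can yield several."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for language, regexes in COMPILED.items():
            for rx in regexes:
                if rx.search(line):
                    findings.append(Finding(path, line_no, language, rx.pattern, line.strip()))
    return findings


def scan_all(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan an in-memory {path: source} mapping (e.g. a decompiled jar dumped to text)."""
    return {path: scan_source(path, text) for path, text in files.items()}


# Constructed sample input: what you might see after decompiling a mixed-language app.
SAMPLE_FILES = {
    "Report.java": """
public class Report {
    void run(String host) throws java.io.IOException {
        Runtime.getRuntime().exec("ping -c 1 " + host);
        new ProcessBuilder("sh", "-c", host).start();
    }
}
""",
    "Build.groovy": """
def out = "git log -1 ${ref}".execute().text
def rows = stmt.execute()      // JDBC, not a shell sink: must NOT be flagged
Eval.me(params.expr)
""",
    "Decompiled.groovy.java": """
ProcessGroovyMethods.execute((String)ref);
""",
    "Deploy.scala": """
import scala.sys.process._
val output = Seq("kubectl", "apply", "-f", path).!!
"uptime".!
Process("curl " + url).lineStream
""",
}

if __name__ == "__main__":
    for path, hits in scan_all(SAMPLE_FILES).items():
        for f in hits:
            print(f"{f.path}:{f.line_no} [{f.language}] {f.code}")
```

Run it over a directory of CFR/Procyon output by reading each file into the mapping passed to scan_all; the `$bang` pattern is what catches Scala's `!`/`!!` once the source-level operator has been erased by compilation, which a plain grep for `exec(` will never see.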
Modern OAuth account takeovers
Frans Rosen recently published research on the security of OAuth flows. He had a very interesting idea which resulted in a bunch of account takeovers. The article is quite long: 27 minutes of reading, according to Grammarly. However, I created a summary for you with the...
Is hacking legal?
Is hacking legal? Of course, we know that bug bounty is. But what about hacking other websites? I'm sure that at least once you saw a numeric identifier somewhere and changed the URL parameter to another number, even though you weren't actively hacking there. Or...
Reversing patches and creating exploits
Reversing patches is a very useful skill because companies will often only tell you the bug class and not how to reproduce it. Thus, if you want to, let's say, create your own scanner template for a CVE, you need to reverse the patch. And that's what you'll...