Mark Dowd presented a great keynote at OffensiveCon22 titled “How do you actually find bugs?”. He talked a lot about the mindset and problems that security researchers encounter. I think there are a lot of tips we can learn from it. Here are my notes. The mindset To...
xnLinkFinder
xnLinkFinder is a great tool that can extract links for a given target. It can consume a URL, local files or Burp/OWASP ZAP project file. Personally, I start with all the links from Burp’s sitemap and wayback machine. I download all these files to then feed them to...
Secrets of automation-kings in bug bounty
Jason Haddix shed some light on the way he finds exploits that can be automated and scanned across a lot of targets. If you think about using automation and creating your own templates but you don’t know how to find bugs to reproduce, this thread is for you....
Finding RCEs in JVM-based languages
I feel it’s profitable to find bugs by reviewing the code of decompiled jar, war or class files. Technologies like Groovy or Scala are Java-related languages, but you will miss command execution sinks in them if you are only looking for Java’s Runtime [.] getRuntime()...
Modern OAuth account takeovers
Frans Rosen recently did some research on the security of OAuth flows. He had a very interesting idea which resulted in a bunch of account takeovers. The article is quite long, 27 minutes of reading according to Grammarly. However, I created a summary for you with the...
Is hacking legal?
Is hacking legal? Of course, we know that bug bounty is. But what about hacking other websites? I’m sure that, at least once, you saw a numeric identifier somewhere and you changed the URL parameter to another number, even though you weren’t actively hacking there. Or...
Reversing patches and creating exploits
Reversing patches is a very useful skill because often, companies will only tell you what the bug class was and not how to reproduce it. Thus, if you want to, let’s say, create your own scanner template for a CVE, you need to reverse a patch. And that’s what you’ll...
GitLab Security AMAs
The GitLab bug bounty program is so cool that they hold AMAs with their top hackers. In this playlist on YouTube, you can hear from great hunters covered on my channel like Alex Chapman, William Bowling and Johan Carlsson. It’s always worth hearing what these guys have in...
Salesforce SOQL injection resources
Jason Haddix asked on Twitter for some tips about SOQL injection in Salesforce and there are some great resources linked there. I haven’t been hacking Salesforce for a while now but I remember from my pentesting days that it’s been an absolute mess so I want to have...
SVG cheatsheet
Allan Wirth created a cheat sheet with possible things you can try when working with SVG files. Importantly, XSS isn’t the most you can do with it because sometimes, the server processes the file and then it may be susceptible to SSRFs, LFIs and even RCEs....