After almost 6 years in #bugbounty, I am VERY excited to announce that starting tomorrow, I will be doing Bug Bounty / Consulting FULL TIME! That's right, today is my last day at Elastic.
I am super grateful for everything I accomplished while working at Elastic, but being
Had an absolutely stellar time at @Hacker0x01's #h1305! The @CapitalOne team was a real joy to work with, and Miami felt like just the perfect location.
As this was my 16th LHE, I was beginning to think I would never make MVH, but having a positive attitude, grit, and
Congratulations to @ArchAngelDDay for crossing the coveted $1M in bounties earned milestone on the HackerOne platform! 🙌
Archangel started bug hunting in 2018 and has worked hard to help organizations like @CapitalOne and @github protect their users and customers. Way to go!
When doing #bugbounty hunting, I struggle a lot with decision paralysis around what to hack on and when to pivot targets. I wrote up what I've been doing to combat this difficulty. Hopefully it helps you as well!
#togetherwehitharder
I have been waiting a year & a half to announce that I've been working at @elastic and running our bug bounty program on @Hacker0x01! As of today, our program is PUBLIC, so I can finally talk about it!
#bugbounty hunters, go find me some bugs!
The key to my #bugbounty process is looking for "no"s. If the app says "No, you can't view that image", I look for a way to view the image. If the app says "No, you can't modify that field", I look for a way to modify the field. Stop spamming XSS payloads and look for "no"s! :)
Finally hit 10,000 rep on @Hacker0x01! Appropriately, it's been exactly 2 years this month since I created my account after watching @NahamSec give a talk at BSides Portland. Thank you so much @Hacker0x01 for this opportunity! Here's to many more bugs!
#togetherwehitharder
Pay attention to your @Hacker0x01 rep log at . Whenever you see a Dupe report get +2 reputation, it means the original report was just Resolved. Then retest your report to see if you can still repro. I've made a non-trivial amount this way.
#bugbountytips
I've been on both the @hackerone program side and the #bugbounty hunter side of frustrating CVSS discussions, so I gave some thought to what I think is the root of many of the frustrations, and how they might be circumvented. Read my thoughts here:
Wow! When I started doing #bugbounty a little under a year ago, I never thought I'd make it into the top 5 on the leaderboard! Thanks so much @Hacker0x01 for this incredible opportunity. It's been a wild ride :)
Participating in #h1702 will be my TWELFTH @Hacker0x01 live hacking event! And in each event, I learn a lot. This event is no exception! For those not going, I'll list a few things / #bugbountytips I learned hacking during this event 🧵👇
Finally crossed 20,000 reputation on the @Hacker0x01 platform after nearly 5 years :-)
Thank you so much for an amazing platform and the opportunity to help out so many organizations!
#togetherwehitharder #BugBounty
#bugbounty hunters who say they get motivated by the "Yay I earned X on @Hacker0x01" posts - what do you find motivating about them?
I totally get motivated by disclosed reports & write-ups, but random dollar amounts do nothing for me. Just want to understand your thinking.
I've been a #bugbounty hunter for 5 years, been to 13 LHEs, and am ranked 33rd on @Hacker0x01's all-time leaderboard.
I JUST NOW learned how to use @pdiscoveryio's HTTPX (it's awesome).
Never get too proud to go back to the basics and LEARN like a beginner again.
#bugbountytips
If you have a good triage experience on @Hacker0x01, make sure you give them a positive rating! They are probably dealing with an overload of bad ratings from bad bug hunters :)
#togetherWeMakeTriagingBetter
Despite my usual LHE collabing, I think I'm gonna try going solo at the next @Hacker0x01 LHE in Miami!
Gunning for that MVH! Who thinks I can do it?! 🫡🫡🫡
1 - Found an ATO that required knowing the victim's UUID
2 - Couldn't find a way to get the UUID
3 - Saw that @Yassineaboukir was also in the program
4 - Asked Yassine if he knew how to get the UUID
5 - He found a way to get the UUID
6 - Full ATO
#togetherwehitharder #bugbounty
When sitting down for a #bugbounty hunt, set yourself a hard "no-bug" time limit. If you reach this time limit without finding any bugs, take a break and step away for a few hours. I've avoided many burnouts this way.
#bugbountytips
Success in #bugbounty is 50% metagame. Learn what bugs programs pay more for. Learn when to file similar bugs as one High and when to file them as separate Lows/Meds. Learn how to build a relationship with the program. Learn when to take a break and go outside.
#bugbountytips
After over 5 years of #bugbounty I finally achieved one of the most difficult badges on @Hacker0x01!
While I've filed almost 2000 reports, getting 500 reports closed as "Resolved" depends entirely on the programs fixing them _and_ marking the report as resolved
Glad that day
If an app locks you after X number of bad passwords, see if the attempt counter is case-sensitive on the uname, i.e.:
user@domain.com
User@domain.com
uSer@domain.com
usEr@domain.com
If so, the lockout goes from X pwds to (2^n)*(X-1) where n is the number of chars in your uname.
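To make the tip above concrete, here is an added example (not code from the original post or from any real application) that enumerates the case variants of a username, computes the attempt budget, and simulates a lockout counter keyed on the raw submitted username next to one keyed on the case-folded username. It assumes a hypothetical app whose throttle is a plain dictionary of failure counts; only letters are varied, since digits and symbols such as "@" and "." have no case, so n in the formula is the number of letters rather than the full length of the string.

```python
"""Added example: why a case-sensitive lockout counter multiplies the guess budget.

Hypothetical LoginThrottle classes and constructed usernames; this is not
code from the original post or from any real login system.
"""
from itertools import product


def case_variants(username: str) -> list[str]:
    """Every spelling of `username` that differs only in letter case.

    Only alphabetic characters have two cases; digits and symbols such as
    '@' and '.' contribute a single choice, so a name with k letters yields
    2**k distinct variants.
    """
    choices = []
    for ch in username:
        if ch.isalpha():
            choices.append((ch.lower(), ch.upper()))
        else:
            choices.append((ch,))
    return ["".join(c) for c in product(*choices)]


def attempt_budget(username: str, lockout_after: int) -> int:
    """Bad passwords you can submit while every variant stays unlocked.

    Each variant tolerates lockout_after - 1 failures before the next one
    locks it, so the budget is 2**letters * (lockout_after - 1).
    """
    return len(case_variants(username)) * (lockout_after - 1)


class LoginThrottle:
    """Weak form: the failure counter is keyed on the username exactly as submitted."""

    def __init__(self, lockout_after: int) -> None:
        self.lockout_after = lockout_after
        self.failures: dict[str, int] = {}

    def key(self, username: str) -> str:
        return username  # case-sensitive: each spelling gets its own counter

    def is_locked(self, username: str) -> bool:
        return self.failures.get(self.key(username), 0) >= self.lockout_after

    def record_failure(self, username: str) -> None:
        k = self.key(username)
        self.failures[k] = self.failures.get(k, 0) + 1


class NormalizedLoginThrottle(LoginThrottle):
    """Hardened form: key on the case-folded username so all spellings share one counter."""

    def key(self, username: str) -> str:
        return username.casefold()


def guesses_evaluated_before_full_lockout(throttle: LoginThrottle, username: str) -> int:
    """Simulate an attacker rotating through case variants with wrong passwords.

    Returns how many guesses the server actually evaluated before every
    variant was locked out (constructed scenario: every guess is wrong).
    """
    evaluated = 0
    variants = case_variants(username)
    while True:
        progressed = False
        for v in variants:
            if throttle.is_locked(v):
                continue
            throttle.record_failure(v)
            evaluated += 1
            progressed = True
        if not progressed:
            return evaluated


if __name__ == "__main__":
    name = "user@domain.com"  # constructed sample username: 13 letters
    x = 5
    print(f"{len(case_variants(name))} case variants of {name!r}")
    print(f"budget before any lockout with X={x}: {attempt_budget(name, x)}")
    print("raw-keyed throttle evaluated:",
          guesses_evaluated_before_full_lockout(LoginThrottle(x), name))
    print("casefold-keyed throttle evaluated:",
          guesses_evaluated_before_full_lockout(NormalizedLoginThrottle(x), name))
```

The hardened class shows the fix a program should make: normalize the identifier (casefold, and ideally resolve it to the account id) before using it as the counter key, so that `user@domain.com` and `User@domain.com` draw down the same X attempts.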
1/ Spend at least 30 minutes on a new target
2/ Look for “No”s
3/ Use Italics Tags in your inputs instead of XSS payloads
4/ Focus on SaaS apps that are multi-tenant
5/ Buy Burp Pro
On Jan 1, I set for myself a #bugbounty earnings goal.
On July 1, I met that goal.
On Sept 8, I earned 150% of that goal.
Today, I DOUBLED my #bugbounty goal.
Thank you @Hacker0x01 for your incredible platform and this journey so far! Here's to more bugs!
#togetherwehitharder
I think 99% of disappointment from doing #bugbounty is unmet expectation. The next time you file a report, try to just forget about it. Then if you get a bounty, you'll be pleasantly surprised, and if you don't, you won't be any worse off!
#bugbountytips
Make several @Hacker0x01 accounts that have similar usernames as prominent hackers ("mmwakelam", "try_2_hack", "doggyg", etc.), wait for typo'd collaboration invites, and enjoy the free bugs!
#shittyBugBountyTips
Fun lil #bugbounty trick. Go to your @Hacker0x01 reputation log ().
Once there, look for any dupe reports that got +2 reputation. That means the original was marked as Resolved.
See if you can still reproduce it. If so, it wasn't a dupe!
#bugbountytips
After >8 years of working in #infosec and more specifically #bugbounty, I can FINALLY (and proudly) say that I got my first 2 CVEs!
CVE-2023-51379
CVE-2023-51380
Big thanks to the @GitHubSecurity team!
I happen to be in a private #bugbounty program with exactly 1 other hacker. The hacker and I have decided to split every bounty 50/50. We love it. The program loves it. The PM loves it. This is truly the pinnacle of collaboration.
#togetherwehitharder
I love finding bugs in applications by just using the app as an everyday user.
You really do develop a sniffer/spidey-sense when you become a #bugbounty hunter
Welp, it finally came to fruition. After over a year since starting my #bugbounty journey, I finally spent my FIRST bounty dollar and bought a house! Thanks @Hacker0x01 for this incredible opportunity! That delayed gratification feels the bessssst!
#togetherwehitharder
Hey @Hacker0x01, got a minor feature request for ya - these "Getting Started" goals have been sitting in my hacker dashboard for a very long time, and they're wasting space at this point. Would be cool to have a continuation of these milestones as I keep progressing!
The further I get in my #bugbounty journey, I find that I get less concerned about the bounties that I'm getting and more interested in whether or not I'm learning a cool/useful/relevant technology by participating in a particular program.
If you have ever received a #bugbounty then you have earned more bounties than 99.99% of the world population. While it's important to strive to learn and grow, it's also easy to compare yourself solely to those more successful than you. Just be better than yourself of yesterday.
Been having success with #bugbounty for over a year now and JUST NOW got my very first SSRF. Because I suck at them!
It's okay to suck at a bug type. Just keep trying and it may even take a year to find what you're looking for :)
Had a great #bugbounty experience with Retina the other day. They showed a lot of sympathy and were diplomatic in their responses. Their language was genuine and I felt like I was talking to another hacker :) Which @Hacker0x01 triager have you had a great experience with lately?
Decided to dedicate the month of November to hacking on one particularly tough #bugbounty program. It's a cold splash of reality realizing that I'm not as good as I thought I was. Still, every hour that you spend finding 0 bugs is an hour invested in getting better!
If you get invited to a Live Hacking Event (regardless of platform or customer), I believe you have a duty and moral obligation to try your damnedest.
The hackers that see an invitation as a commitment are usually the ones who come out on the top of the leaderboard.
#bugbounty
It's incredible how much of my #bugbounty success has been because of how helpful and fun the bugbounty community has been.
I am friends with some of the smartest people on earth!
When @ArchAngelDDay said in my podcast something about submitting a bug every half an hour, I thought he just wasn't speaking literally because I didn't think it happens in bug bounty... It never happened to me...
Until yesterday, when I submitted 8 reports in less than 3 hours
6/ On a new target go straight to the User Management section
7/ See if inviting an existing user to your org exposes their name
8/ See if inviting an existing user removes them from their own org
9/ If the scope has a wildcard, use subfinder to find subdomains
Hey @Hacker0x01 - what do I need to do to get my boy, Bluetooth_Headset, a raise? Dude has got to be the most helpful triager I've worked with, and he deserves some beer money.
Still using @CaidoIO for #h1305 and I'm really loving it. 158 replay (repeater) tabs open and going strong.
Things I like:
- Seeing the request queue
- Filtering/scoping on Intercept
- Dark mode by default
- Being able to use the Automate tab to make modifications in my requests
I found a bug last week that granted access to a feature that is typically only available to paid accounts. I was told there was no security impact and to self-close.
Today, I used that exploit to get access, and then found a bug in the feature itself.
#togetherwehitharder
The creativity in #bugbounty hunting is not in coming up with clever payloads. It's in taking anomalous behavior and thinking of a way to turn it into a security issue.
After working with my team on @Hacker0x01's #H1702, I am convinced that developers make for some of the best hackers. Watching @dee__see work is mindblowing
What an absolute honor to get interviewed by @Hacker0x01 at #h1415 in SF! When I started doing #bugbounty I would watch these interviews and just imagine what it would be like to be in their shoes. The community of hackers at H1 is truly top of the line!
Moving into day 2 of @Hacker0x01's #h1702 and I am HYPED! My team absolutely obliterated the second & third day target, and learned a lot of new methods along the way. RCE/XSS/SSRF/PrivEsc. We've been on FIRE 🔥🔥🔥 Great hax with some great bois @dee__see @ajxchapman @rez0__!
Me: Had my best ever #bugbounty LHE at @Hacker0x01's #h1512
Also me: Got back home, did some normal hacking, and got 3 Informatives in a row 🤣
Sometimes you win, sometimes you lose - what matters is that you keep going!
Getting a bounty early in my career: "Nice! Time to enjoy this sunshine"
Getting info'd early in my career: *Pissed off for a week*
Getting a bounty now: "Nice! Time to enjoy this sunshine"
Getting info'd now: "Oh well! Time to enjoy this sunshine"
#bugbounty
Looking for a bit of positivity - which @Hacker0x01 triagers have you had an awesome experience with?
For me, nochnoidozor has always been a pleasure :)