This space will be regularly maintained and updated with accurate and new BugBountyTips shared by the community.
Hacker Stories
It's easy to find attack surfaces that others haven't.
— Corben Leo (@hacker_) April 29, 2022
You just need to think creatively.
"But Corben, I don't know how!"
That's what I'm here for.
I'll share some simple methodology that works.
(so you can find vulnerabilities…and make money)
A story:
🧵Another hacker story thread! 🧵
— Jason Haddix (@Jhaddix) April 26, 2022
== The Medical Alert Hack ==
Not too long ago I put a whole city on high alert during a security assessment. A tale of caution. 💀
Read along to learn my approach & mistakes!
🚨Retweet, follow, & like for more hacker stories! 🚨
1/x
👇🏼
Are you into web hacking?
— Corben Leo (@hacker_) April 23, 2022
If so, you must have technology-specific wordlists
If not, you're missing obvious vulnerabilities.
Don't believe me?
Let's look at an information disclosure in an ASP[.]NET Core site:
What happens when you combine hackers and phones?
— Corben Leo (@hacker_) April 20, 2022
Phreaking?
Social Engineering?
Sure! Valid answers.
What you didn't think of is web vulnerabilities.
XXE.
I found an XXE by phone call in a bug bounty program.
Here's the story:
Who's your phone provider?
— Corben Leo (@hacker_) April 15, 2022
Well, there's a good chance that I've hacked them!
Last year, I breached a major telecom company (many times…)
This time, I stole the data of every employee.
(well, I didn't steal all of it, but I could've)…
Here's how I did it:
302 Military FTP servers.
— Corben Leo (@hacker_) April 12, 2022
Imagine you had access to 302 military FTP servers.
What data could possibly be on them?
Who would get hurt by that data?
Who would it benefit?
5 years ago,
A 17-year-old gained access to 300 military FTP servers.
Here's how I did it:
Another long (hacker) story thread 🧵
— Jason Haddix (@Jhaddix) April 8, 2022
= Stealing checks worth millions & pwning a bank =
Here’s how I did it, so you can learn.
I was once contracted to do a penetration test on a bank…
Like, retweet, and follow for more hacker stories!
(1/x)
Inspired by @hacker_’s tweets about hacker stories, I’ll share one of mine. When looking at a global company, I realised that certain sub divisions in different countries of the company were more vulnerable than others. How did I identify these assets? 1/n
— shubs (@infosec_au) April 3, 2022
(a LONG thread) 🧵
— Jason Haddix (@Jhaddix) April 4, 2022
Inspired by @infosec_au & @hacker_ here's one of my fun hacker stories:
= The complete compromise of a password manager company =
Here's how I did it (so you can learn):
I was given the project to pentest a password manager company: *.redacted.com
(1/16)
