Twitter Threads

The simplest observations can lead to finding huge vulnerabilities.

Here's how @Shlibness & I gained access to data of 25,233 employees:

— Corben Leo (@hacker_) May 4, 2022

Companies love bragging about how many users they have.

You’re definitely a user of a company that does this.

I am. And it makes me trust them less…

Why? Because I’ve seen it go wrong too many times first-hand.

Here's how I was able to steal the information of millions

— Corben Leo (@hacker_) May 2, 2022

It's easy to find attack surfaces that others haven't.

You just need to think creatively.

"But Corben, I don't know how!"

That's what I'm here for.

I'll share some simple methodology that works.

(so you can find vulnerabilities...and make money)

A story:

— Corben Leo (@hacker_) April 29, 2022

Authorization.

Easy to understand. Critical if implemented incorrectly.

Want to see an example? (dumb question Corben, yes, why not)

Last month, I found an auth bypass that lead to a full account takeover.

Here's how I found it:

— Corben Leo (@hacker_) April 27, 2022

Are you into web hacking?

If so, you must have technology-specific wordlists

If not, you're missing obvious vulnerabilities.

Don't believe me?

Let's look at an information disclosure in an ASP[.]NET Core site:

— Corben Leo (@hacker_) April 23, 2022

What happens when you combine hackers and phones?

Phreaking?
Social Engineering?

Sure! Valid answers.

What you didn't think of is web vulnerabilities.

XXE.

I found an XXE by phone call in a bug bounty program.

Here's the story:

— Corben Leo (@hacker_) April 20, 2022

Who's your phone provider?

Well, there's a good chance that I've hacked them!

Last year, I breached a major telecom company (many times...)

This time, I stole the data of every employee.

(well, I didn't steal all of it, but I could've)...

Here's how I did it:

— Corben Leo (@hacker_) April 15, 2022

302 Military FTP servers.

Imagine you had access to 302 military FTP servers.

What data could possibly be on them?

Who would get hurt by that data?

Who would it benefit?

5 years ago,

A 17-year-old gained access to 300 military FTP servers.

Here's how I did it:

— Corben Leo (@hacker_) April 12, 2022

In 2010, WikiLeaks released a classified document.

A list of infrastructure critical to U.S national security.

The government listed a Trans-Atlantic cable.

3 years ago,

19-year-old me gained ADMIN access to that cable (and another; shared codebase).

🧵Here's how I found it pic.twitter.com/qRFJm3m6PC

— Corben Leo (@hacker_) April 8, 2022

🚨 429 Too Many Requests.

You've been here before.

Getting rate-limited is THEE. WORST.

Thankfully, you can easily bypass it.

In most cases.

FireProx (by @ustayready) lets you use a different IP for every request (using AWS).

It's simple to use too: pic.twitter.com/ApeX0pvMYi

— Corben Leo (@hacker_) April 6, 2022

Have you found any ironic vulnerabilities?

I do. One comes to mind that I've never shared:

Access to a company's vulnerability reports.

All of them...Ever...

It will make you facepalm.

Here's how I managed it:

— Corben Leo (@hacker_) April 4, 2022

Do you have any "Oh Sh*t" moments?

Here's one of mine from a year or two ago.

The time I took down an API. A production API.

Of an advertising company...On a Saturday...(and it stayed down for hours...)

Here's what happened:

— Corben Leo (@hacker_) April 1, 2022

I found a Server-Side Request Forgery last month. (well, more than one luckily)

But let's talk about the coolest one. So you can learn.

I don't like talking about bounty amounts. (It's ok if you do, we all get excited)

Instead, I'll show you how I found it:

— Corben Leo (@hacker_) March 31, 2022

Hacking CAN be easy.

But, often it's not.

Let's develop your technical skills, they obviously matter.

A roadmap:

— Corben Leo (@hacker_) March 30, 2022

Anyone can hack.

Yes, anyone.

You can hack. Big companies. With little to no technical skills. And make thousands of dollars. Legally.

It requires some common sense & a web browser.

Note: DON'T do this to websites unless you have permission! It's illegal.

Here's how:

— Corben Leo (@hacker_) March 29, 2022

Using Nuclei is a competitive disadvantage.

Contrary to what you've been told, you're guaranteed duplicates and heartbreak.

Here's why:

— Corben Leo (@hacker_) March 28, 2022

1/ Directory/Endpoint Bruteforcing webservers such as Express, Rails, Flask, Django, etc. can be tricky and you're more than likely missing out on juicy endpoints. Here's a tip to increase your luck:

— Corben Leo (@hacker_) March 8, 2022