May 6, 2022:
The simplest observations can lead to finding huge vulnerabilities.
Here's how @Shlibness & I gained access to the data of 25,233 employees:
— Corben Leo (@hacker_) May 4, 2022
May 2, 2022:
Companies love bragging about how many users they have.
You’re definitely a user of a company that does this.
I am. And it makes me trust them less…
Why? Because I’ve seen it go wrong too many times first-hand.
Here's how I was able to steal the information of millions:
— Corben Leo (@hacker_) May 2, 2022
April 29, 2022:
It's easy to find attack surfaces that others haven't.
You just need to think creatively.
"But Corben, I don't know how!"
That's what I'm here for.
I'll share some simple methodology that works.
(so you can find vulnerabilities...and make money)
A story:
— Corben Leo (@hacker_) April 29, 2022
April 27, 2022:
Authorization.
Easy to understand. Critical if implemented incorrectly.
Want to see an example? (dumb question Corben, yes, why not)
Last month, I found an auth bypass that led to a full account takeover.
Here's how I found it:
— Corben Leo (@hacker_) April 27, 2022
April 23, 2022:
Are you into web hacking?
If so, you must have technology-specific wordlists.
If not, you're missing obvious vulnerabilities.
Don't believe me?
Let's look at an information disclosure in an ASP[.]NET Core site:
— Corben Leo (@hacker_) April 23, 2022
April 20, 2022:
What happens when you combine hackers and phones?
Phreaking?
Social Engineering?
Sure! Valid answers.
What you didn't think of is web vulnerabilities.
XXE.
I found an XXE by phone call in a bug bounty program.
Here's the story:
— Corben Leo (@hacker_) April 20, 2022
April 15, 2022:
Who's your phone provider?
Well, there's a good chance that I've hacked them!
Last year, I breached a major telecom company (many times...)
This time, I stole the data of every employee.
(well, I didn't steal all of it, but I could've)...
Here's how I did it:
— Corben Leo (@hacker_) April 15, 2022
April 12, 2022:
302 Military FTP servers.
Imagine you had access to 302 military FTP servers.
What data could possibly be on them?
Who would get hurt by that data?
Who would it benefit?
5 years ago,
A 17-year-old gained access to 300 military FTP servers.
Here's how I did it:
— Corben Leo (@hacker_) April 12, 2022
April 8, 2022:
In 2010, WikiLeaks released a classified document.
A list of infrastructure critical to U.S. national security.
The government listed a Trans-Atlantic cable.
3 years ago,
19-year-old me gained ADMIN access to that cable (and another; shared codebase).
🧵 Here's how I found it
— Corben Leo (@hacker_) April 8, 2022
April 6, 2022:
🚨 429 Too Many Requests.
You've been here before.
Getting rate-limited is THEE. WORST.
Thankfully, you can easily bypass it.
In most cases.
FireProx (by @ustayready) lets you use a different IP for every request (using AWS).
It's simple to use too:
— Corben Leo (@hacker_) April 6, 2022
April 4, 2022:
Have you found any ironic vulnerabilities?
I do. One comes to mind that I've never shared:
Access to a company's vulnerability reports.
All of them...Ever...
It will make you facepalm.
Here's how I managed it:
— Corben Leo (@hacker_) April 4, 2022
April 1, 2022:
Do you have any "Oh Sh*t" moments?
Here's one of mine from a year or two ago.
The time I took down an API. A production API.
Of an advertising company...On a Saturday...(and it stayed down for hours...)
Here's what happened:
— Corben Leo (@hacker_) April 1, 2022
March 31, 2022:
I found a Server-Side Request Forgery last month. (well, more than one luckily)
But let's talk about the coolest one. So you can learn.
I don't like talking about bounty amounts. (It's ok if you do, we all get excited)
Instead, I'll show you how I found it:
— Corben Leo (@hacker_) March 31, 2022
March 30, 2022:
Hacking CAN be easy.
But, often it's not.
Let's develop your technical skills, they obviously matter.
A roadmap:
— Corben Leo (@hacker_) March 30, 2022
March 29, 2022:
Anyone can hack.
Yes, anyone.
You can hack. Big companies. With little to no technical skills. And make thousands of dollars. Legally.
It requires some common sense & a web browser.
Note: DON'T do this to websites unless you have permission! It's illegal.
Here's how:
— Corben Leo (@hacker_) March 29, 2022
March 28, 2022:
Using Nuclei is a competitive disadvantage.
Contrary to what you've been told, you're guaranteed duplicates and heartbreak.
Here's why:
— Corben Leo (@hacker_) March 28, 2022
March 8, 2022:
1/ Directory/endpoint brute-forcing web servers such as Express, Rails, Flask, Django, etc. can be tricky, and you're more than likely missing out on juicy endpoints. Here's a tip to increase your luck:
— Corben Leo (@hacker_) March 8, 2022