Justin Gardner
6,076 posts
Justin Gardner
@Rhynorater
Christian | Full-time Bug Bounty Hunter | Host of @ctbbpodcast | Advisor @CaidoIO | 4x LHE MVH | 🗣️ English, 日本語 | ♥️ @mariahchan_ ♥️
Richmond, VA
rhynorater.github.io
Joined October 2015
2,445
Following
37.3K
Followers
  • Pinned
    Justin Gardner
    @Rhynorater
    Sep 6, 2023
    All my current bug bounty knowledge is gone. Here's how I get it back and make $100k in the first year: First, I've got to learn the basics. For this, I will make sure I understand at a high level how the components I'm working with function. I'll need to understand...
    552K
  • Justin Gardner
    @Rhynorater
    Aug 9, 2023
    I've made over 100k on SSRF vulnerabilities. They aren't always as simple as pointing it at localhost or AWS Metadata service. Here are some tricks I've picked up over the past 5 years of web app testing:
    450K
  • Justin Gardner
    @Rhynorater
    Jun 12, 2023
    Becoming a pro in finding client-side bugs is simple. Not easy, but simple. 1. Go through a JS tutorial and understand the basics. 2. Read everything on this blog 8x until you understand it: ysamm.com 3. Read JS for Hackers by @garethheyes 4x Then go hack stuff
    ysamm.com
    Youssef Sammouda (sam0) personal blog
    The goal of this blog is to share write-ups about bugs i have found in Facebook and reported to them under the Facebook bug bounty program.
    114K
  • Justin Gardner
    @Rhynorater
    Oct 27, 2022
    Here are a couple things I always check when looking at a web application: 🧵
  • Justin Gardner
    @Rhynorater
    Apr 9, 2019
    Common ways to get RCE: - SSRF to Metadata - Jenkins /script - Jenkins Orange RCE - Leaked cloud creds/keys (online, via LFD, etc.) - Arbitrary file upload - ImageTragik - SSTI Fill in how you've gotten RCE!
  • Justin Gardner
    @Rhynorater
    Oct 10, 2022
    Over the past 6 months, I've had the pleasure of participating in 5 HackerOne Live Hacking events. It has been quite the challenge to my work-life balance and my hacking skills, but after ranking in the top 5 at every event, here are some lessons I've learned: 🧵
  • Justin Gardner
    @Rhynorater
    Aug 21, 2018
    Just released a new exploit for CVE-2018-15473 OpenSSH Username Enumeration! You can find it here: github.com/Rhynorater/CVE…
  • Justin Gardner
    @Rhynorater
    Aug 26, 2023
    Ever wondered how people pop arbitrary account takeover vulns? I'll braindump some for ya. Here's what I got:
    69K
  • Justin Gardner
    @Rhynorater
    Aug 11, 2023
    If you're not finding a way to enumerate UUIDs for UUID-based IDORs then you're leaving money on the table. Here are some ways I've done this in the past:
    87K
  • Justin Gardner
    @Rhynorater
    Aug 29, 2023
    You've heard of SSRF. You've heard of IDOR. But have you heard of SSRDOR? 😅 Me neither. But Secondary Context bugs are pretty much the combo of the two. *Rolls up sleeves* Allow me to explain...
    98K
  • Justin Gardner
    @Rhynorater
    Nov 3, 2022
    Prerequisite knowledge before starting to learn about web vulns: * Can you explain from start to finish what happens when a URL gets placed into the URL bar? * Do you know how DNS works? * Do you know about TCP connections? * Do you know how to read HTTP requests and responses?
  • Justin Gardner
    @Rhynorater
    Jul 21, 2023
    XSS -> ATO Escalation Brain Dump: * Change email -> password reset * Change password * Change phone -> SMS password reset * Change security questions * Add SSO login (login with GitHub, etc.) * Force logout -> Session Fixation * Steal session token via non-HTTP only cookie * Steal
    74K
  • Justin Gardner
    @Rhynorater
    Aug 5, 2023
    Tricks to find XSS injection points: * Check for JS variables with empty string assignments in the HTML response If you see ' var redirUrl = "";' in the HTML response, there is a decent chance that "redirURL" might be a query parameter * HTML input field names Check the "name"
    57K
  • Justin Gardner
    @Rhynorater
    Aug 2, 2020
    One of the really exciting things about CVE-2020-13379 is that it can be used to escalate an Image-Only Blind SSRF to a full Read SSRF due to its image/jpeg response content-type. You can find more about this on my blog here: rhynorater.github.io/CVE-2020-13379… If anyone pulls this off, lmk!
    rhynorater.github.io
    CVE-2020-13379
    Unauthenticated Full-Read SSRF in Grafana
