|
dawgyg
@
thedawgyg
Richmond, VA
|
|
1 of 7 Millionaire Hackers thanks to @hacker0x01 Bug Bounty Hunter, Reformed Blackhat, Synack Red Team Member, Nissan Skyline Collector
|
|
|
3.492
Tweetovi
|
1.036
Pratim
|
15.537
Osobe koje vas prate
|
| Tweetovi |
|
dawgyg
@thedawgyg
|
5 h |
|
On HTTP/0.9 you dont need a host header at all. I have found in the past when you have a target testing the host your trying to hit and matching it with the host header, this can make it allow the request through. Havent seen the code directly, but has worked 10x+ on Verizon
|
||
|
|
||
|
dawgyg
@thedawgyg
|
5 h |
|
On HTTP/0.9 you dont need a host header at all. I have found in the past when you have a target testing the host your trying to hit and matching it with the host header, this can make it allow the request through. Havent seen the code directly, but has worked 10x+ on Verizon
|
||
|
|
||
|
dawgyg
@thedawgyg
|
5 h |
|
When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the host header completely. This has worked to bypass several SSRF fixes in the past.
#bugbountytip #bugbountytip #bugbounty
|
||
|
|
||
|
dawgyg
@thedawgyg
|
5 h |
|
Let me know how it does. Also check for things like following directs, can help to get to internal hosts at times
|
||
|
|
||
|
dawgyg
@thedawgyg
|
7 h |
|
Even tho it is blind. Sometimes it can be hard to make a program understand that being able to discover internal web services that can then be attacked by testing various public exploits until you get one that works etc. is still a problem and needs to be addressed.
|
||
|
|
||
|
dawgyg
@thedawgyg
|
7 h |
|
It can be really hard to increase the impact as blind. But the best thing to do is try to port scan local loopback, or internal network. Find applications, but then you have to argue the point that you can send requests, so you can technically attack those internal systems etc
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
well over
|
||
|
|
||
| dawgyg proslijedio/la je tweet | ||
|
Bovada
@BovadaOfficial
|
2. velj |
|
Like, RT and tell us what you think for your chance to win $54!
How many rushing yards will Damien Williams have?
Over 51.5
#PropParty #SuperBowl pic.twitter.com/0JYDNBomlQ
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
reading the caption made me laugh out loud lol
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
It was done on the Nintendo switch, baught a brand new game. I'll contact them directly
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
I'm worried about the police getting involved. Dont want that to happen. So you think would be possible without them getting told?
|
||
|
|
||
| dawgyg proslijedio/la je tweet | ||
|
dawgyg
@thedawgyg
|
24. sij |
|
Looking forward to speaking alongside @nahamsec @nnwakelam @securitybites and @SpaceRaccoon about our different approaches to recon at @Hacker0x01's RSA event on Feb. 24th in SF! Join us: hackerone.com/rsa-events #bugbounty
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
That's what his mom wants to do to make him earn the money to "pay me back"
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
His mom is my daughters mom. We already talked about it and gonna handle tomorrow
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
Lol
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
Pico lol
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
How about pico? Lol
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
Hes not my kid. But I already buy him everything he wants, just so it doesn't look like I love my daughter more than his parents love him because I spoil her with everything she could want. So I try to make sure it's all fair etc. Which is one of the reasons I'm so mad about it
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
I deff appreciate your input. I got mad respect for you, parent or not. So thanks!
|
||
|
|
||
|
dawgyg
@thedawgyg
|
2. velj |
|
I did similiar stuff when I was a kid. And wasnt punished for the most part. So want to make sure it's something stern enough so he doesn't keep going a route like I did as a kid
|
||
|
|
||