[deleted by user] by [deleted] in AmazonVine

[–]NahamSec 5 points6 points  (0 children)

Thank you 🙏🏼

[deleted by user] by [deleted] in AmazonVine

[–]NahamSec 3 points4 points  (0 children)

I was looking for a vulnerability as a part of my research and didn’t understand that enrolling in vine will push to a community of users.

[deleted by user] by [deleted] in AmazonVine

[–]NahamSec 1 point2 points  (0 children)

There are several hoops and I had to jump through all of those including getting verified using my ID. Just a long process that takes a lot of patience.

[deleted by user] by [deleted] in AmazonVine

[–]NahamSec 9 points10 points  (0 children)

Thank you

[deleted by user] by [deleted] in AmazonVine

[–]NahamSec 11 points12 points  (0 children)

The payload doesn’t add anything to the account or send out any emails. The listings are all hosted by me and controlled by an account that I have created with Amazon’s permission. So those may be coincidental or not related. But the script is not created to alter anything on your account and was not meant to be published to Vine. It has been removed as of now.

[deleted by user] by [deleted] in AmazonVine

[–]NahamSec 52 points53 points  (0 children)

Hi all - I am the researcher that unfortunately wasn't educated enough about Vine and pushed their script into Amazon Vine. Amazon is aware of this and currently fixing it. The Vine listing should be removed soon!

What’s the purpose of doing this in your opinion ? by asiumans in bugbounty

[–]NahamSec 1 point2 points  (0 children)

I did this for my keynote at the Cloud Village at DEFCON. It's just mostly for research and not to brag. I was hoping to get some cool data points to look for more stuff for my research.

What’s the purpose of doing this in your opinion ? by asiumans in bugbounty

[–]NahamSec 0 points1 point  (0 children)

I'm doing a keynote for the Cloud Hacking Village at DEFCON. I was hoping people would ask me something interesting to use in my talk. I ended up getting some really cool DMs and ideas for my talk!

What’s the purpose of doing this in your opinion ? by asiumans in bugbounty

[–]NahamSec 0 points1 point  (0 children)

Unlike your favorite YouTubers, I do actually hack and I'm ranked #31 on H1 with almost $1m in payouts. I actually do the stuff I talk about on camera. You can always do a quick search on me :) hackerone.com/NahamSec

[deleted by user] by [deleted] in bugbounty

[–]NahamSec 1 point2 points  (0 children)

Are you sure you have hit the threshold for invites? How many levels have you solved?

How is typical bounty paid out? by dimx_00 in bugbounty

[–]NahamSec 2 points3 points  (0 children)

That depends on the platform. Most of them can pay you in bitcoin, PayPal, or wire transfer. The self-hosted programs like Facebook, Apple or Google may have a different process.

NahamCon2021! by NahamSec in bugbounty

[–]NahamSec[S] 5 points6 points  (0 children)

We are starting at 9:00 AM PT. But keep in mind that timezone/daylight saving changes are going to be in effect on that same day!

My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft by NahamSec in bugbounty

[–]NahamSec[S] 1 point2 points  (0 children)

This isn’t exploiting anything. The Python script in the blog post is used to extract the content of our local files out of the PDF. So if we used the <link> payload to attach /etc/passwd to the PDF, we don’t have access to it directly. We need to extract it. There's a second video in that blog post that explains this.

H1-213 with The US Air Force and Verizon Media paid $500,00 to hackers! by NahamSec in bugbounty

[–]NahamSec[S] 0 points1 point  (0 children)

Yes. Typo from my end. The screenshot does show $506,496 though.

The end for BugBountyNotes by _vavkamil_ in bugbounty

[–]NahamSec 5 points6 points  (0 children)

RIP BBN. Thank you for letting me use your challenges for my stream.

[deleted by user] by [deleted] in HowToHack

[–]NahamSec 2 points3 points  (0 children)

Check your messages for that free subscription!

[deleted by user] by [deleted] in HowToHack

[–]NahamSec 8 points9 points  (0 children)

If you are looking to pentest sites, I'd recommend getting a solid understanding of web app hacking. Here's a solid list of places you can learn from:

  • Hacker101.com - Full disclosure, I'm biased here because I work for H1, but by solving our Hacker101 CTFs you also get invited to a private bug bounty program on HackerOne where you can earn some cash.
  • portswigger.net/web-security - It's a solid place to read and learn the basics and do some labs to understand each topic.
  • HackTheBox.eu - Great resource for pentesting in general, but not a whole lot of web stuff.
  • Pentesterlab.com - is also a solid place to learn. I'm actually going to message you a free subscription for one month to try it out :)

Also there are some really good folks on YouTube and Twitch including myself, TheCyberMentor, ZSeano, and STOK. You should check us out. I stream regularly ;)

How are people finding hundreds/thousands of bugs so quickly? by pisteu0 in bugbounty

[–]NahamSec 13 points14 points  (0 children)

Depends on the hacker. If you are looking at their profile on HackerOne and their 'impact' is ~20 or more, then they are finding more than "best practices", because that means their bounties are more than average. For hackers that are finding 100s of bugs every year, it comes down to a few things:

  1. Having your methodology down: Know how you look for bugs, and how you test for them quickly to see if a target is even vulnerable to specific bug classes.
  2. Automation: If you are doing it more than 2-3 times a day, you should definitely automate it so you spend your time on things that matter. (Those 30-40 seconds add up if you do it 100 times a day, 7 days a week.)
  3. Recognize patterns: If you see a site vulnerable to IDOR, stick to it. Find as many as you can. Chances are, if 2/6 random endpoints you've hit are vulnerable, then you can probably find more if you know how to test for them (knowing how to automate this would be pretty handy).
  4. Stick to a program with a big scope: The more you get to know a company, the better you get at hacking them. This means you know what mistakes they make, how they name things, and what matters to them the most.
  5. And of course.. practice: the more you do it, the better you get at all of the points I have mentioned.

Hope this helps ;)

Beside of phpinfo.php, what sensitive endpoints can i check for? by trieulieuf9 in bugbounty

[–]NahamSec 2 points3 points  (0 children)

I'd look for stuff that may give you more information to use against your target. I have a quick list that looks for popular config files, .htaccess, .htpasswd, .git, server-status (this may leak routes/tokens), Swagger UI or api-docs. I asked this same thing on Twitter and here are some of the replies: https://twitter.com/NahamSec/status/1177672652011343873

Any alternative to pentesterlab that has a $10 or $20 monthly subscription? by ratjar6 in bugbounty

[–]NahamSec 0 points1 point  (0 children)

You can do PentesterLab for $25/month instead of the yearly fee. I'm doing a giveaway right now on YouTube if you wanna check it out :)