jarom

1.4K posts

jarom banner
jarom

jarom

@_jarom_

Bug bounty hunter | Software engineer in security | Building & breaking with automation + AI | DEFCON fan | Sharing tips & weird bugs

Texas, USA Katılım Şubat 2009
628 Takip Edilen356 Takipçiler
jarom
jarom@_jarom_·
This definitely made my day. Thanks @YesWeHack.
jarom tweet media
English
1
0
1
123
Douglas Day
Douglas Day@ArchAngelDDay·
As of this week, this is officially my best year on the @Hacker0x01 platform...and it's only August 😎
Douglas Day tweet media
English
10
0
185
7.6K
jarom
jarom@_jarom_·
Had a fun time with the Google Security team yesterday, got to see a lot of innovative things they are doing to keep users safe. Definitely want to look into scalibr when I get back home . Excited to see what #defcon33 has to offer today!
jarom tweet mediajarom tweet media
English
1
0
4
202
jarom
jarom@_jarom_·
If you’re going to DEFCON this year, would love to meet up and connect, I’ll be spending time at the @BugBountyDEFCON village. Come say hi!
English
0
0
1
163
James Kettle
James Kettle@albinowax·
How to make $$$ from request smuggling Step 1) Pick the right target:
James Kettle tweet media
English
42
31
594
47K
Jobert Abma
Jobert Abma@jobertabma·
Hey hackers! We're running a beta for Hai for Hackers, our AI security agent. If you're interested, please reply with your HackerOne username (we will probably limit to ~100 hackers for now). After it's been enabled, you can start using it by clicking the Hai button in the top right corner of the app. It’s free to use (with a limited daily budget for now). It is like any other AI you’ve interacted with, with the added benefit that it has access to a whole bunch of HackerOne data, like reports and programs. We’re shipping improvements to Hai almost every day. Here are some neat use cases: - “take all the learnings from STÖK, jhaddix, and nahamsec's recon strategy and build one for me!” - “write a python script for a typical recon process” - “i need an XSS payload that doesn’t use single or double quotes” - “my XXE payload doesn't call back to my server, what could go wrong?” - “write a response for report #133337” The beta also comes with Hai Plays for you, which allows you to build your own security agents in HackerOne. You can create them at hackerone.com/settings/hai_p…. Some of the cool use cases we’ve seen so far are: - write reports with minimal input from you (efficiency++!) - convert reports into blogposts with a single prompt - AI mentor to give feedback about your communication and increase the likelihood of a reward In the background we’ve been working on agentic behavior, which we expect will soon come to Hai for Hackers as well. These AI agents can act like your hacking buddy and hack alongside you. We’ll keep you in the loop on our progress.
Jobert Abma tweet media
English
291
36
240
54K
jarom
jarom@_jarom_·
Don't always have time to hack and the reports don't always turn out in my favor, but it's fun when they do! Just got a reward for a critical vulnerability submitted on @yeswehack -- Insecure Storage of Sensitive Information (CWE-922). #YesWeRHackers
jarom tweet media
English
1
0
8
312
jarom
jarom@_jarom_·
@Rhynorater Thanks for the reminder, doing it now!
English
0
0
0
229
Dave Kennedy
Dave Kennedy@HackingDave·
Some frunk mods for cybertruck
Dave Kennedy tweet media
English
46
4
198
19.6K
jarom
jarom@_jarom_·
@dagrz Aww yes, I remember running into this. It was every tens of thousands of requests though, they must have tightened down 😃
English
1
0
2
270
Daniel Grzelak
Daniel Grzelak@dagrz·
Cheeky buggers at AWS casually returning "NoSuchBucket" to every request after a few hundreds tests from a single IP. testbucket.s3.amazonaws.com did exist a few mins ago :O
Daniel Grzelak tweet media
English
6
2
19
3.4K
jarom
jarom@_jarom_·
@HackingDave Awesome man, looks great! I was half expecting to see a stash of airsoft equipment in there as it was opening.
English
0
0
1
85
Dave Kennedy
Dave Kennedy@HackingDave·
Finished it up sooner than I thought. I bring to you the halo warthog wrapped cyber truck with a halo themed light show 😂😂😂
English
49
13
308
29.4K
jarom
jarom@_jarom_·
@rez0__ Wait, what did I just listen to? All AI generated based off of a write up?! That’s really impressive!
English
0
0
0
64
Joseph Thacker
Joseph Thacker@rez0__·
wow. google's notebook lm is nuts. the new audio interview is SO GOOD. i ran it on my (lil outdated) Prompt Injection Primer for Engineers repoo. so it's an auto-generated podcast about prompt injection. (x wont let me upload .wav to this tweet so it's mp4 with a black screen)
English
1
1
7
1.9K
jarom
jarom@_jarom_·
Just got a reward for a vulnerability submitted on @yeswehack -- Unrestricted Upload of File with Dangerous Type (CWE-434). #YesWeRHackers
English
1
0
7
396
jarom
jarom@_jarom_·
I recently had the opportunity to speak @fwdcloudsec in Arlington, VA alongside some amazing people. My talk leveraged research published by Sam Cox and Ben Bridts that allows anyone to discover the AWS account ID of any S3 bucket. I go into detail of what I did (and any attacker could do 😉) with this information. I've even been able to send in a few #BugBounty reports with some of the data I've collected. youtu.be/iMYbne-tD20?si…
YouTube video
YouTube
English
0
0
6
330
Douglas Day
Douglas Day@ArchAngelDDay·
After almost 6 years in #bugbounty, I am VERY excited to announce that starting tomorrow, I will be doing Bug Bounty / Consulting FULL TIME! That's right, today is my last day at Elastic. I am super grateful for everything I accomplished while working at Elastic, but being entirely self-employed has been my dream for years. After a very successful LHE in Miami earlier this year, and reading the incredible Courage is Calling by Ryan Holiday, I knew 2024 was the year to make the jump. Bug Bounty has been an incredible blessing in my life, drastically altering my life trajectory and giving me the opportunity to create a life for my kids/family that may not have been possible otherwise. It bought my house, my car, and my wife’s van. It let me secure some of the biggest companies in the world, and make some of the best friends I have. This was all possible with just 10-15 hrs/week over the last 6 years. How much more bountiful will it be when I'm able to devote 3x the time? Only time will tell 😎. Of course, there is the fear of uncertainty, the fear of failure, and the fear of financial instability. But I figure those pale in comparison to the pain of never actually getting off my butt and trying. Thanks @rez0__, @triviatroy, @luhkoh, @hacker_, @ajxchapman, @nahamsec, and @rhynorater for the encouragement to give it a shot. Thanks @hacker0x01 & @bugcrowd for giving us hackers a platform to change our lives. Thanks @noahkagan for your interviews with Cal Newport and @artofmanliness. Both of which gave me hope that I’d do alright. Thanks @ryanholiday for Courage is Calling. It made me certain I was making the right decision. And thank YOU all for being part of this journey with me. Let’s Hack the Planet together. Gloria Deo #bugbounty #togetherwehitharder #ittakesacrowd
English
51
23
405
32.5K
Douglas Day
Douglas Day@ArchAngelDDay·
Had an absolutely stellar time at @Hacker0x01 's #h1305 ! The @CapitalOne team was a real joy to work with, and Miami felt like just the perfect location. As this was my 16th LHE, I was beginning to think I would never make MVH, but having a positive attitude, grit, and stick-to-itiveness really goes a long way. Some things that I learned were: - It really truly does make a difference to go for impact. As someone who normally farms IDORs/PrivEscs, this was an experiment, but getting a single High bounty felt wayyyy better than getting 10 Mediums. - I spent nearly the entire LHE on a single application. By the end of the event, no one at the event new that API better than I did. This meant that I had _very_ few duplicates. I didn't split a single one of my big bounties. Go deep. - Have patience. One of my best bugs took me _literally_ 15 hours to complete. A bug that takes you 15 hours will almost NEVER be a dupe. - Working very closely with the customer made success possible. My Slack conversation with one of the CapOne security engineers could nearly fill a novel. We were able to work together to escalate my findings and find maximum impact. The customer is _not_ your adversary. - Despite hacking solo and despite LHE's being a competition, other hackers _really do_ want to see you succeed. The best thing about winning MVH wasn't the belt, but seeing dozens of other hackers LEGITIMATELY excited for me. The hacker community is AWESOME! I loved this event. I love the #bugbounty community. And I love both the H1 & C1 team's. Here's to a great start to 2024 - let's hack the world! #gloriaDeo
Douglas Day tweet media
English
48
19
411
52.7K
Nagli
Nagli@galnagli·
Super Stoked to win the Eradicator award and scoop $24,170 together with @hacker_ @m0chan98 by finding a critical vulnerability on-site at @Hacker0x01's Miami Beach Live Hacking Event targeting @CapitalOne 🌴 A Perfect way to wrap up a Fantastic event! #BugBounty #H1305
Nagli tweet media
Miami Beach, FL 🇺🇸 English
4
2
166
12.7K
Stealthy
Stealthy@stealthybugs·
I am so happy and thankful to take home my first LHE trophy on @Hacker0x01. Executioner of #H1305 - most impactful report. I cannot disclose details but the bug is a cool one! Shout-out to all the friends I talked to and the new faces as well 💪😎 keep up the good work. #hackforgood #bugbounty
English
12
2
119
11.1K
Yassine Aboukir 🐐
Yassine Aboukir 🐐@Yassineaboukir·
as I sit down on my folding beach chair to enjoy this evening’s ocean breeze and watch the sun slowly go down, I get approached by this cute dog that came to keep me good company and share the pleasure of the moment.
Yassine Aboukir 🐐 tweet mediaYassine Aboukir 🐐 tweet mediaYassine Aboukir 🐐 tweet media
English
1
0
52
4.9K