Burp for Beginners: How to Use Repeater

  • Published: 10 Oct 2024

Comments • 35

  • @danyelvillalba7
    @danyelvillalba7 4 years ago +2

    I love your content, Your videos motivate me more and more to continue with bug bounty! Thanks Katie, I like this kind of videos with real targets, Thanks a lot!!!!

  • @khalifakhalifi2397
    @khalifakhalifi2397 3 years ago

    I love the way it is explained, and I also love the voice! Love your content!

  • @htsec4923
    @htsec4923 2 years ago

    Thank you 🙏🏻

  • @kevingeorge9152
    @kevingeorge9152 4 years ago +5

    Is having in-depth knowledge of web development necessary for getting started with bug bounty?
    I have no web dev experience, so should I first learn it to understand how JavaScript and stuff works or is it not really necessary?
    PS: thanks for all these amazing videos

    • @InsiderPhD
      @InsiderPhD 4 years ago +4

      You don't need to learn how to do web development, in fact not knowing can be an advantage since you might look in places someone with dev experience might skip over! But I will say that it helped me a lot and it meant when I went into hacking I saw it as an extension of deving rather than a new skill. STOK is quite well known for not being a dev and TomNomNom is a dev and they're on the same team!
      If you want my opinion, learn how to make a basic web app in a language (python might be a good choice since many tools use it), to get a feel for how it works!

  • @zeus-x0722
    @zeus-x0722 4 years ago

    Thanks so much Katie for the amazing effort

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      Thank you! Happy to make it :)

  • @husseindhooma5816
    @husseindhooma5816 2 years ago

    Amazing content Katie, thank you so much

  • @sachinmaurya3259
    @sachinmaurya3259 4 years ago

    Finally!! I was waiting for your video :)

  • @nikhil6085
    @nikhil6085 4 years ago

    Thanks Katie! I was trying to do the same with Gmail but the requests over there are too difficult to interpret. I would like to highlight one thing: your mail won't be sent because there are many values in that request which are changed while sending an email. The solution to this problem is to send two different emails from your account (from the browser, like a legitimate user), then in Burp Suite send those email requests to Comparer (request), find out the changes between the two requests, and do the same in your crafted email in Repeater. Add random values of the same length where the changes are seen and boom! Your email will be sent.

  • @SpookiePower
    @SpookiePower 4 years ago

    Thanks for another great video. Hope to see more Burp videos from you :)

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      Sooooon! I’m hoping to cover everything in intruder!

  • @jacklinenyamuiru6360
    @jacklinenyamuiru6360 4 years ago

    Hi Katie, I love your videos, thank you :)

  • @sys_rootkit
    @sys_rootkit 4 months ago

    great

  • @joshgordon7299
    @joshgordon7299 4 years ago

    Awesome

  • @shreyanshdesai3152
    @shreyanshdesai3152 4 years ago

    I needed this so badly because I just started in bug bounty.
    PS: I wanted to know, is cracked Burp harmful to use, as I cannot afford one?

    • @InsiderPhD
      @InsiderPhD 4 years ago +3

      You don't need to use a cracked version! You can just use the Community Edition (free one)! The full version isn't necessary when you just start out

    • @shreyanshdesai3152
      @shreyanshdesai3152 4 years ago +1

      @InsiderPhD thanks for showing the path
      I appreciate you helping the community

  • @nikolakrsmanovic1253
    @nikolakrsmanovic1253 4 years ago

    Great content! Keep it up!

  • @muhammedali1870
    @muhammedali1870 4 years ago

    Hey Katie, do you think subdomain takeover is still worth hunting, or will it be very hard to find and just waste my time? Thanks

    • @InsiderPhD
      @InsiderPhD 4 years ago

      People do find their first bugs with subdomain takeovers, but just make sure that the services you're looking at are vulnerable via github.com/EdOverflow/can-i-take-over-xyz. This is a good introduction: www.hackerone.com/blog/Guide-Subdomain-Takeovers !

  • @niraj9226
    @niraj9226 4 years ago

    Love your videos. Thanks for the videos. I have a question: since you are using the suite on yahoo.com, is it legal? Can I use Burp Suite on any website? I mean, is it legal to use on unauthorized websites?
    Thanks and keep sharing your knowledge.

    • @InsiderPhD
      @InsiderPhD 4 years ago +2

      No! I am allowed to hack on Yahoo.com because it runs a public bug bounty program on HackerOne (hackerone.com/verizonmedia). You should never test a website you're not explicitly allowed to via a bug bounty program or some kind of authorisation directly from a company (e.g. a pentest)

    • @niraj9226
      @niraj9226 4 years ago

      Thanks Katie. Please don't stop uploading videos for beginners. I am a newbie.

  • @StefanRows
    @StefanRows 4 years ago

    Katie = Insta Thumbs Up

  • @hasnainabidkhanzada3754
    @hasnainabidkhanzada3754 4 years ago

    You already know where the ymail endpoints are in the long list of Yahoo requests captured by Burp, but what if someone doesn't know about them? How can he find endpoints? Suppose, for example, endpoints for Gmail etc.? Any suggestions regarding that?

    • @InsiderPhD
      @InsiderPhD 4 years ago +2

      It comes with practice basically, I have hacked the Yahoo Mail app before so I know what I'm looking for, but usually my approach is:
      - Poke at what I want to hack
      - Go to burp, see what requests were just sent
      - Look for one which has the data my poke had, ignore anything that looks like a tracker/advert
      - Use that to filter down my Burp scope

    • @hasnainabidkhanzada3754
      @hasnainabidkhanzada3754 4 years ago

      @InsiderPhD OK, got it, thanks :)

  • @KrakoonGaming
    @KrakoonGaming 4 years ago

    Are you using Burp on Windows or any other OS?

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      I primarily use OSX to bug hunt so I mainly use the Mac version of Burp