Timestamps (Powered by Merlin AI) 00:00 - Bug Hunters Methodology for Application Hacking 06:04 - Great resources for learning application security and content creators to follow 16:32 - Identify technology and vulnerabilities with tools like WhatRuns and Nuclei 01:34 - Use nuclei for efficient scanning and port scan with Nabu for extensibility 31:34 - Use wordlists for content discovery and API fuzzing 37:02 - Use Source to URL tool for content discovery on open source software 47:21 - Tips for finding vulnerabilities in applications 52:32 - Understand how the application references users and their levels 1:02:37 - Tools for spidering and parsing JavaScript files 1:07:49 - Heat mapping helps identify potential vulnerabilities in upload functions 1:18:03 - Use GF tool to prioritize fuzzing based on patterns 1:23:17 - Bug Hunters Methodology: Application Analysis
Super great Video. Made me think back of this: When my Statistics Professor retired, in his good bye speech, he compared western researchers with someone who was searching for his car keys in the light of a street light. And when you asked were exactly he had lost them, he would say "over there", pointing 20 yards down the road. On asking him why then was searching here and not over there, he would say because here I can see what I am doing.
Fantastic talk! especially loved the tips on wordlists. Big Question I had.. You mentioned it being critical to know how the app passes data weather it's via params or via REST routes and how that affects where / how you fuzz or place your payload. But I didn't hear you explain that. I'd love to hear more about that.
@marksnyder5219 His point was that you just need to know the difference because, for example, if an app is passing data via params but you are throwing URLs at it that just consist of pathnames & endpoints (REST style), then you're wasting your time. You'll never find anything because that stuff just doesn't exist.
Thank you Jason for sharing so many real-world details. Is the Heatmap Mindmap file available to download please since the font is a bit small in the video? I love flow charts like that. Thanks so much.
Really this is Super Great Content for all Newbie like me. Thank You so much "TheCyberMentor" for your recommended. And also Thanks NahamSec and JasonHaddix. May Allah bless you all.
Awesome talk as usual from the legend #jhaddix .#hakluke Hakrawler gives more results usually | wc -l . Damn I had to come edit my comment. This is very valuable info . Gets the wheels spining
Timestamps (Powered by Merlin AI)
00:00 - Bug Hunters Methodology for Application Hacking
06:04 - Great resources for learning application security and content creators to follow
16:32 - Identify technology and vulnerabilities with tools like WhatRuns and Nuclei
01:34 - Use nuclei for efficient scanning and port scan with Nabu for extensibility
31:34 - Use wordlists for content discovery and API fuzzing
37:02 - Use Source to URL tool for content discovery on open source software
47:21 - Tips for finding vulnerabilities in applications
52:32 - Understand how the application references users and their levels
1:02:37 - Tools for spidering and parsing JavaScript files
1:07:49 - Heat mapping helps identify potential vulnerabilities in upload functions
1:18:03 - Use GF tool to prioritize fuzzing based on patterns
1:23:17 - Bug Hunters Methodology: Application Analysis
Super great Video. Made me think back of this: When my Statistics Professor retired, in his good bye speech, he compared western researchers with someone who was searching for his car keys in the light of a street light. And when you asked were exactly he had lost them, he would say "over there", pointing 20 yards down the road. On asking him why then was searching here and not over there, he would say because here I can see what I am doing.
What does this mean though?
hmmmmmmmmm
Blind XSS payload -> "vehicle breakdown" -> exploit delivery and execution is *chefs kiss*.
Wow, what an abundant collection of tools and info 🎉 Thank you so much for taking the time. I also appreciate the quality, it was nice and clear. ☺️
I’m fairly certain I’ve listened to this video 4 or more times while bug hunting, just because it’s so useful and filled with reminders 🎉
@@abdonito8254 Hunting bugs duh
lots of useful tips,Thank You, please do more tutorials and walkthroughs on using the tools.
Great content as always Jason. Many thanks
That was an absolutely sick presentation Jason!
super good talk jason alot of valuable tips in here, your a legend
These are such great videos. Jason explains things so well
Enjoyed the content and its very encouraging big ups to you professor.
Fantastic talk! especially loved the tips on wordlists.
Big Question I had.. You mentioned it being critical to know how the app passes data weather it's via params or via REST routes and how that affects where / how you fuzz or place your payload. But I didn't hear you explain that. I'd love to hear more about that.
@marksnyder5219 His point was that you just need to know the difference because, for example, if an app is passing data via params but you are throwing URLs at it that just consist of pathnames & endpoints (REST style), then you're wasting your time. You'll never find anything because that stuff just doesn't exist.
O funk i visit this video every day
I think its pure gold if u want to learn
Very Serious Guy Ma Sha ALLAH
Literally enjoyed alot! thanks everyone
thanq so much...i was eagerly waiting for this
Is naabu better than rustscan in speed? Because sometimes you have to scan like 100 of subdomains and speed really matters
Second question: the order of topics would be, so to speak, the steps to follow to carry out the application analysis???
query: the difference between Recon and Application Analysis, what would it be specifically??? I am new to this topic.
Excellent presentation sir!
Asif how did i missed it .Great tutorial as usual .Thanks
Thanks for all the content!! love it!
Thank you Jason for sharing so many real-world details. Is the Heatmap Mindmap file available to download please since the font is a bit small in the video? I love flow charts like that. Thanks so much.
great explained.
guys does it still valid though 2 years in this field is quit a lot and if there is updated version of TBHM plz tell me
great work bro,
I am so glad I ordered pizza! let's go
Cool
Hi, Jason. You released a bug bounty methodology earlier??
It's working thanks my friend
7:15 Stok's handle is wrong.
1:02:08
Personal Bookmark
was waiting for it
Can we get the slides of the presentation?
Can anyone tell me which tool he was using to create dynamic mind map? It’s super cool.
The tool name is Xmind
@@0ckh4m38 Thanks!
great content
great content 👍🏼😌
What was the book on APIs that you're reading?
I think it's called "Hacking APIs" but it won't be officially released until July.
Can you please share the ppt
Thank ❤️
Please uploads others talks also... 😇
Starting the video...
first like and comment
I think I'm the first viewer.
Guess we'll never know
@@NahamSec hahaa....aha
😍😍
1#
:)
great vedio and great man @jhaddix 👈❤❤❤❤
Really this is Super Great Content for all Newbie like me. Thank You so much "TheCyberMentor" for your recommended. And also Thanks NahamSec and JasonHaddix. May Allah bless you all.
Awesome talk as usual from the legend #jhaddix .#hakluke Hakrawler gives more results usually | wc -l . Damn I had to come edit my comment. This is very valuable info . Gets the wheels spining