BrownBearSec – Medium

BrownBearSec

Pinned

What I learnt from reading 220* IDOR bug reports.

IDOR — Insecure Direct Object Reference, abuse of the lack of authentication at every stage.

Jan 25, 2022

Jan 25, 2022

Pinned

What I learnt from reading 126* Information Disclosure Writeups.

Let’s tackle the most valuable and mysterious bug type…

Jun 6, 2022

Jun 6, 2022

@pdiscoveryio’s Katana for Bug Bounty.

Katana is an incredibly built go-lang based web crawler which is a great stand alone reconnaissance tool, and also works perfectly in…

Nov 27, 2023

@pdiscoveryio’s Katana for Bug Bounty.

Nov 27, 2023

Bug Bounty: Wordlists — Please do them properly.

You are only so good as your weakest link. And in bug bounty, most people’s weakest link, and most ignored is always their wordlists…

Jun 19, 2023

Bug Bounty: Wordlists — Please do them properly.

Jun 19, 2023

Shodan for Bug Bounty — and Why You Shouldn’t Use these 53 Dorks.

Shodan is a much-loved and widely adopted attack surface management tool. But what actually is it? How do we use it beyond basic usage? and…

Mar 20, 2023

Shodan for Bug Bounty — and Why You Shouldn’t Use these 53 Dorks.

Mar 20, 2023

Automated and Continuous Recon/Attack Surface Management — Amass Track and DB

Not using Continuous Attack Surface Management is the reason you keep getting dupes, let’s talk about it…

Jan 2, 2023

Automated and Continuous Recon/Attack Surface Management — Amass Track and DB

Jan 2, 2023

What I learnt from reading 217* Subdomain Takeover bug reports.

A comprehensive analysis of Subdomain Takeovers (SDTO), DNS Hijacking, Dangling DNS, CNAME misconfigurations…

Oct 31, 2022

What I learnt from reading 217* Subdomain Takeover bug reports.

Oct 31, 2022

How I DIDN’T get an RCE in a $200 Billion company — Bug Bounty

I was hunting for CVE-2021–36356 on my subdomain list of over 1,000,000+ subdomains, and finally got a hit…

Sep 12, 2022

Banner: How I DIDN’T get an RCE in a $200 Billion Dollar Company

Sep 12, 2022

How to actually use Amass more effectively — Bug Bounty

99% of bug hunters only use 1% of Amass’ potential…

Aug 15, 2022

How to actually use Amass more effectivley banner

Aug 15, 2022

Comprehensive Url Enumeration for Bug Bounty — The potential of GAU.

Url Enumeration — Subset of Content Discovery: finding existing endpoints.

Feb 22, 2022

banner for article with the words “The most underrated tool in bug bounty. (and the filthiest one liner possible)”

Feb 22, 2022

BrownBearSec

BrownBearSec

CTI analyst | Head of Security @revoltchat | Bug Bounty Hunter. https://twitter.com/BrownBearSec. Alana Witten (she/her)

Following

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech