HACKING GraphQL FOR BEGINNERS + GIVEAWAY (closed)

35,800 views

Farah Hawa

Days ago

I'm a bug bounty hunter who's learning everyday and sharing useful resources as I move along. Subscribe to my channel because I'll be sharing my knowledge in new videos regularly.
BUY ME A COFFEE:
www.buymeacoffee.com/farahhawa
Connect with me on LinkedIn: / farah-hawa-a012b8162
Follow me on Twitter: / farah_hawaa
Follow me on Instagram: / farah_hawaa
GIVEAWAY WINNERS: AVIRAL OFFICIAL , Mohammed Kaif and prin devil
GRAPHQL LAB:
github.com/david3107/graphql-...
BURP EXTENSION: InQL Scanner
portswigger.net/bappstore/296...
RESOURCES FOR GRAPHQL:
graphql.org/learn/
hasura.io/learn/graphql/intro...
/ introspection-in-graphql
www.howtographql.com/graphql-...
Video editor: www.fiverr.com/pixelstudios1

Comments: 319
@FarahHawa, 4 years ago
Comment and let me know your favourite bug bounty tip as well as your own Twitter handle! The giveaway closes on 22nd July 2020. :)
@cyberpirate007, 4 years ago
You made comment section a blog post. .......
@FarahHawa, 4 years ago
Cyber Pirate 😇😇
@roger5968, 4 years ago
Want to know the step-by-step procedure to start with Bugcrowd and what the known issues mentioned in a program are; should we ignore those vulnerabilities? Basically, I want to see Bugcrowd and start attacking any program. Doesn't matter if you find a vulnerability or not.
@aviralgupta9869, 4 years ago
@@cyberpirate007 hey dude what r u doing here 😂😂
@cyberpirate007, 4 years ago
@@aviralgupta9869 Hey, I think I know this guy... 🤔🤔
@kiranakula8428, 4 years ago
Hi, I'm just a newbie to this bug hunting and I'm doing a lot of recon and googling to understand the web apps. Your videos are very informative. Bravo!
@d0pameen982, 4 years ago
Feel proud to see your efforts so far! All the best Farah!
@digitaldina, 4 years ago
I just got started hacking graphql and this is so helpful thanks Farah! Keep up the awesome work ❤️
@CarmelleCodes, 4 years ago
I feel like I learned more from this video than an entire day of GraphQL documentation reading lol. Thank you so much for uploading this!
@trieulieuf9, 2 years ago
Yes, documentation is often overrated. They are good in case we want to find specific details though.
@nowonder9466, 3 years ago
This video was very helpful. I just came across an application today that utilized GraphQL and I had no idea where to begin testing it. And then I found your channel while surfing YouTube looking for some anime to watch later in the day. Imagine that! Lol. Great stuff. Thanks.
@novanar9629, 3 years ago
I learned a lot from this video, thank you Farah
@udohellz4340, 2 years ago
Very informative... I needed this. Short and to the point.
@nishanths9652, 3 years ago
Awesome.... I was literally stunned... At the end of the video I just clicked the subscribe button... ❤️
@jasonybarra8277, 3 years ago
Farah, awesome video. This seems like SQL coding with some kind of web-based manipulation. I'm new to the bug bounty game but some of the things you're teaching are familiar to me. Again, great video, keep it up.
@TanishqAnand, 4 years ago
Hey, Thanks for explaining the things in easiest way possible. :)
@unixerius6632, 6 months ago
Thank you very much for your fast and very clear explanation of these types of attacks! I really appreciate the effort you put into this video.
@pernikaamadan9354, 4 years ago
Amazing Farah!!! 🌸💕💕💕
@letsdigin2155, 4 years ago
I didn't come to the comment section for the giveaway... my guess was right... every comment is worth reading. I got so much useful stuff from here... there were 195 comments when I wrote this... I don't have any great tips as others have... Happy hacking, happy learning... that's it.
@jishnujha2007, 3 years ago
Cutest pentester ever .... good job Farah! Keep it up !
@vis2079, 4 years ago
That was a quick video giving quite a good insight into GraphQL. Thanks Farah. About the tip: no point in just watching or reading through hacktivity / blogs. One has to step into action on bug bounty (open the browser and start cracking) ;)
@gabrielraulkumar8656, 4 years ago
2nd Comment! This video is awesome!
@pranavgadekar8641, 4 years ago
We asked and you heard. Thank you for the video. That was amazingly explained. 🙌 There are a few things that I learnt over time while doing bug bounty hunting: 1. Recon is one of the most important steps in understanding the application. There are many parts of the application that people forget to look for, and those things can cause pretty serious damage to the organization if not found and reported. So, always do the recon first and do it effectively. As Abraham Lincoln famously said, "If I had eight hours to chop down a tree, I'd spend six sharpening my axe." 2. Always write crisp and clear reports. I cannot stress this enough. Always write reports that are easy to understand and can provide a good learning experience to everyone reading that report. We all learn from each other. @PranavGadekar9
@faysalahmed7251, 4 years ago
You are doing great, sis. Keep it up. Love from Bangladesh.
@pakflutterdeveloper, 4 years ago
Very useful video, thanks. We are waiting for your next video.
@sharghaas7774, 4 years ago
My fav tip: "Before you ask anyone any questions, make sure you've looked it up, and then go back when you've done research but got stuck on actual hard problems." I learned that in my hackerspace. It was hard at first because there was so much to look up, but I wouldn't have become who I am without it. Love your stuff Farah; for some reason the music was shifting my concentration from your voice and explanations, but that GraphQL was really good. I'll need to watch it a couple of times while doing a lab to really get the feel of it, but it's really good. @GGTioNogu
@abhhibirdawade9657, 4 years ago
Regardless of the video and content, which is awesome anyway, the comments below are so awesome, as all bug hunters gave their tips to stay motivated. I think this is the best ninja technique to help other hunters. Kudos to you guys.
@shelldreddTV, 3 years ago
Good content, thanks for sharing with the community.
@mersalmakers1577, 3 years ago
Hi Farah, really useful video... 😉
@hamzadhaider1997, 4 years ago
Well, the tip I would give is: recon as much as possible, and also look for endpoints in JavaScript, as they are more vulnerable than endpoints defined in web pages. Also do look for business logic bugs, as they cannot technically be patched easily. Don't have Twitter btw lol 😅
@Cdaprod, 1 year ago
Great job! 🎉
@kuldipzalavadiya9971, 4 years ago
1. Recon is very important, so extract all possible information about our target. 2. Always try to find vulnerabilities on a subdomain, because there is big scope to find vulns on a subdomain. 3. Properly read the policy of the program. 4. Keep patience. 5. Always be ready to face failures, but don't lose your confidence. 6. Don't rely on automation, except (proxy, subdomain finder); always try manual testing. 7. Don't focus on money, just focus on learning. 8. Once the bug is found, then make a clever report and make it by yourself; don't copy from Google.
@user-ev6fj4bt7x, 3 years ago
You gave me a free 500 points on CTF, thank you!
@Nothing-lh9hp, 4 years ago
Great job Farah
@pauraspatil9314, 3 years ago
Nicely explained!!
@swapnilpawar2311, 4 years ago
My tip is: give equal time to every vulnerability in your program. You don't know what you're gonna find.
@MohsinAli-td1sw, 4 years ago
Nice Explanation. Ma'am can you please make videos, in which we can see working POC of different vulnerabilities.
@Malware01, 4 years ago
My tips for bug bounty: 1. Don't run for Burp Suite Pro; the Community edition is also good (Chrome tools as well). 2. In case you feel a VM is heavy for your system, use Docker (make sure to save your data before exiting Docker). Kali is also available in Docker, and many other images are available. 3. Running out of memory because of Burp? Add "-Xmx2g", i.e. "java -jar -Xmx2g" (2g is the memory allocated to Burp). 4. Give more time to your learning. 5. Places to inject payloads: Cookie, Host header, Referer header. 6. Invest in yourself. 7. Keep yourself mentally and physically fit. Twitter handle @mt_ins
@kathanmehtaa, 4 years ago
Hello Farah, Kali Linux or Ubuntu, which OS should I use, and which type of security tools do you use to protect yourself from getting caught?
@DrawingWithNoobArtist, 4 years ago
Always focus on the target as if it's a fresh one.
@srplayzz1, 7 months ago
I found an introspection vulnerability in a website; now should I exploit more, or is that much enough?
@newlife5775, 4 years ago
I am liking your content; you should try to make videos more frequently.
@rohitgupta-es4fd, 4 years ago
My fav bug bounty tip is: review source code as much as you can. This can sometimes lead to advanced exploitation such as RCE through insecure deserialization :)
@rohitgupta-es4fd, 4 years ago
@hackR I know that, buddy. If I had to copy and paste I would have pasted some good tip... this is my own tip.
@rohitgupta-es4fd, 4 years ago
@hackR Many beginners skip reviewing source code because it is frustrating... but if you review it patiently you can get some good stuff.
@coder_rc, 4 years ago
Awesome 🤩
@carlosmonterrosa4617, 4 years ago
Nice video! Keep it up!
@beautyofindia6137, 4 years ago
Jazakallah khairun, keep it up
@akashsharma143, 4 years ago
I am just starting to learn about web applications. Can you recommend me any good book for learning web application architecture and the technologies used? Up until now I have been reading The Web Application Hacker's Handbook and searching for the terms on YouTube or on Google. Do you think it is a good way to learn it?
@born2program486, 4 years ago
In short, GraphQL is a query language for your API, and a server-side runtime for executing queries by using a type system you define for your data.
@zaptrix_xian8393, 4 years ago
My favorite tip from this video was how you used InQL. I had previously been hacking on a GraphQL target without using that, and it helps so much now. @JoelMonteres
@prindevil5576, 4 years ago
My tips: 1. Use the Shodan extension so you can easily find IP, host, port and running services. 2. If you wanna use GitHub/GitLab tools without downloading to your system, use gitpod.io; it's really fast, give it a try. 3. Must use the container extension so you don't need many browsers.
@prindevil5576, 4 years ago
Oh, my Twitter handle is @fuxksniper, thanks for the video
@animeloverpakbj8229, 3 years ago
She was looking so cute in the thumbnail... ❤️❤️❤️❤️
@ujjwal_4640, 4 years ago
My favorite BB tip is: go through the application manually and try to know how it works and how it's supposed to function. This may help in two ways: 1. You might find a logic flaw and report it, or maybe you can exploit it to get a greater hold of the application. 2. You may prevent the clause of "It's the intended functionality". Twitter handle: @ujjwaltyagi355. Well, I am learning web application testing, so a PentesterLab subscription will be really helpful for me. Thank you.
@MRMRCEE75, 1 year ago
Awesome video
@shivangtrivedi1139, 4 years ago
@Cipher_942 Use Shodan for looking out for vulnerable IPs of the target for SMBv3 (RCE)
@sumankunwar865, 4 years ago
Awesome video... thank you for your contribution... :)
@sumankunwar865, 4 years ago
My favourite bug bounty tip is information gathering and recon.
@davemahadev899, 4 years ago
Keep the target in mind and work for it, search everything, and always have the latest information in IT. @phoenix
@spyboyblog, 4 years ago
keep it up.
@oldAyushShuklaYouTube, 2 years ago
So pretty (explanation)
@mihirwalia8213, 4 years ago
New to bug bounty, so I haven't found much... I have learnt about IDORs and CSRF attacks, which are pretty interesting... thanks for the videos and help ❤️ and if I am lucky then contact me through LinkedIn (we had a chat recently).
@boneytech3965, 4 years ago
Helpful, thanks
@gabrielraulkumar8656, 4 years ago
1st like is me!
@herisonfreesome1146, 4 years ago
Thank you
@sabujmaity5427, 4 years ago
Pick one vulnerability and put a rigorous amount of effort in, and don't take the report lightly, because it's one of the major components! Thanks @SabujMaity9
@deathmakesmoresense5354, 4 years ago
Automate everything, apply all concepts recursively, do things that nobody else is, research, be persistent, macro recon, micro focus, read bug reports, community learning, collaboration, keep it fun, don't sacrifice wellbeing! Good luck! 😁
What do you mean by "automate everything"? Take this example: suppose we have like 600k URLs, then what bugs can we look for if we go breadth-wise, and how? Write a bash script to send standard headers along with 'Origin' in every request: .git folder, common resources (e.g. .git), info from headers (e.g. Jenkins instance), bad CORS, page classification (e.g. if 'type="password"' in response: login page; elseif response == '': blank page), subdomain takeover.
One of the best secrets for finding bugs is to never assume anything. I feel 100 people can look at the same features on that application and they will go "nah, sure that is not vulnerable", and the 101st person will find the bug. Look at this article below; he did what 100 people actually missed out on doing: blog.dewhurstsecurity.com/2014/12/09/how-i-hacked-facebook.html
@SkylineGeek, 4 years ago
Stick to one specific BB program or stick to one specific attack type. Whenever you find a userid or any such id, send that request to Repeater and try modifying the ids. #EasyIDOR @skylinegeek
@jamesjacob573, 4 years ago
You're smart, girl
@justwaterweight, 4 years ago
🤩❤️😇
@aneeshnadh5377, 4 years ago
My tip is: do not look for bugs where everyone is looking; think and find a place where no one has looked.
@darshanvasu9933, 4 years ago
Have an insight into the place where you are planning to attack and dig as much as possible.
@lakshyakumar7583, 4 years ago
"Persistence is very important. You should not give up unless you are forced to give up" - Elon Musk @p0i5on8
@smartcomputring1034, 4 years ago
Sister, you spoke in English; I understood some of it and some not, but your voice is so nice, oh God, you are so beautiful, sister. I have only just started learning hacking. I am in class 9, but how do I start? Please make a video on this, sister.
@aravindvv2276, 4 years ago
Got a doubt: how did you get your localhost on 0.0.0.0?
@arshiyakhan6789, 4 years ago
Can someone tell me how much coding I need to be good at bug bounty, because I don't know even the a, b, c of coding.
@bbkevines, 4 years ago
In this field you can manage without knowledge of coding, but if you can read code it helps a lot.
@lapuranjan5574, 3 years ago
💘 I love ❤
@hackncrack279, 4 years ago
You are good 👍😘
@jasonybarra8277, 3 years ago
I'm not sure if you already did, but I think you'd be a great guest via Zoom on Paul's Security Weekly 😁👍🌞🖖
@rajeshkumawat3999, 4 years ago
For subdomain takeover, always look for the CMS as well and not only the CNAME. Recently I saw that the CMS was Netlify but the CNAME was not there, so I went ahead to take over and it was successful. You just have to upload the .html on a GitHub account, because it takes input from GitHub, and that's it. @rajesh1kumawat
@gk_eth, 4 years ago
Please make a video on RESTful APIs, that would be helpful :)
@0xsunil, 4 years ago
A suggestion: can you please keep the mouse pointer visible? It'd help us follow along. Otherwise, viewers might miss things if you clicked some button they weren't looking at. My bug bounty tip: follow Farah Hawa's YT channel. Haha, kidding. My tip would be to explore every single functionality and endpoint like a normal user before attacking. Read every single request, every single response. You never know; a redirect page's response might give you something interesting. The more you know about your target, the more bugs you will find. The time spent understanding the target really pays off.
@anirudhkaushal3009, 4 years ago
First of all, thank you for the video. One question that I have for you is: the InQL scanner you are using, is it only used for converting the GraphQL query into a more readable format, or does it provide some other functionalities as well?
@FarahHawa, 4 years ago
It generates some queries for us by automating Introspection. It's not as effective as manually doing it imo, but still pretty helpful.
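The reply above describes what InQL automates: it sends the introspection query and turns the returned schema into ready-made queries. The Python below is an added example, not code from the video, the lab, or the InQL project. It parses a constructed introspection response (the sample schema, its type names and field names are all made up) into the same kind of operation templates, and adds two defender-side checks: whether the server answered introspection at all, and which fields in the advertised schema look sensitive enough to review before the endpoint ships.

```python
"""Read a GraphQL introspection response and list what the schema exposes.
Tools such as InQL automate this for the tester; the same parsing lets a
defender audit what an enabled introspection endpoint advertises."""


def ref(kind, name=None, of=None):
    """Build a nested type reference shaped like the entries in __schema.types."""
    return {"kind": kind, "name": name, "ofType": of}


ID = ref("SCALAR", "ID")
NON_NULL_ID = ref("NON_NULL", of=ID)

# Constructed sample response for a tiny hypothetical API; it is not taken
# from the lab in the video or from any real target.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type": NON_NULL_ID}],
             "type": ref("OBJECT", "User")},
            {"name": "users", "args": [], "type": ref("LIST", of=ref("OBJECT", "User"))},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type": NON_NULL_ID}],
             "type": ref("SCALAR", "Boolean")},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": ID},
            {"name": "email", "args": [], "type": ref("SCALAR", "String")},
            {"name": "isAdmin", "args": [], "type": ref("SCALAR", "Boolean")},
        ]},
    ],
}}}


def type_to_str(t):
    """Render a type reference in SDL notation: NON_NULL(ID) -> 'ID!', LIST(User) -> '[User]'."""
    if t["kind"] == "NON_NULL":
        return type_to_str(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_to_str(t["ofType"]) + "]"
    return t["name"]


def leaf(t):
    """Unwrap NON_NULL/LIST wrappers down to the named type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t


def introspection_enabled(response):
    """True when the server returned a schema; False when it refused (errors, data null)."""
    return bool((response.get("data") or {}).get("__schema"))


def root_operations(response):
    """Map 'query'/'mutation'/'subscription' to (field, [(arg, type)], return type) tuples."""
    schema = response["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = {}
    for key in ("queryType", "mutationType", "subscriptionType"):
        root = schema.get(key)
        if not root:
            continue
        ops[key[:-len("Type")]] = [
            (f["name"],
             [(a["name"], type_to_str(a["type"])) for a in f.get("args", [])],
             type_to_str(f["type"]))
            for f in types[root["name"]].get("fields") or []]
    return ops


def build_operation(response, op, field_name):
    """Generate an operation template with one variable per argument, selecting the
    scalar/enum fields of the return type one level deep (what a tool would emit)."""
    schema = response["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    root = types[schema[op + "Type"]["name"]]
    field = next(f for f in root["fields"] if f["name"] == field_name)
    args = field.get("args", [])
    var_defs = ", ".join(f'${a["name"]}: {type_to_str(a["type"])}' for a in args)
    call_args = ", ".join(f'{a["name"]}: ${a["name"]}' for a in args)
    head = f"{op}({var_defs})" if var_defs else op
    call = f"{field_name}({call_args})" if call_args else field_name
    ret = types.get(leaf(field["type"])["name"])
    selection = ""
    if ret and ret["kind"] == "OBJECT":
        simple = [f["name"] for f in ret["fields"] if leaf(f["type"])["kind"] in ("SCALAR", "ENUM")]
        selection = " { " + " ".join(simple) + " }"
    return f"{head} {{ {call}{selection} }}"


def sensitive_field_hints(response, keywords=("admin", "password", "token", "secret")):
    """Audit helper: (type, field) pairs whose names suggest data worth an access-control review."""
    schema = response["data"]["__schema"]
    hits = []
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        for f in t.get("fields") or []:
            if any(k in f["name"].lower() for k in keywords):
                hits.append((t["name"], f["name"]))
    return hits


if __name__ == "__main__":
    print("introspection answered:", introspection_enabled(SAMPLE_RESPONSE))
    for op, fields in root_operations(SAMPLE_RESPONSE).items():
        for name, _, _ in fields:
            print(build_operation(SAMPLE_RESPONSE, op, name))
    print("fields to review:", sensitive_field_hints(SAMPLE_RESPONSE))
```

On the constructed schema the script emits `query($id: ID!) { user(id: $id) { id email isAdmin } }`, `query { users { id email isAdmin } }` and `mutation($id: ID!) { deleteUser(id: $id) }`, and flags `User.isAdmin` for review. Running the same parser against your own API's introspection output, before deciding whether to leave introspection on in production, shows exactly what a tester's tooling will see.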
@anirudhkaushal3009, 4 years ago
Thanks for the info.
@sahanaprasad4607, 3 years ago
Can you please do this kind of video for gRPC services?
@anubhavsingh4965, 4 years ago
Don't feel you're starting late. It's never too late to do anything. @AnubhavSingh_
@jameskolleh8195, 4 years ago
Good video
@dxdarrel8843, 3 years ago
The music makes it feel like I am watching Khana Khazana but for Hacking lol
@MdSajid-fb9ul, 4 years ago
Firstly, start exploring the application without jumping to the pentesting tool; of course you can make use of browser dev tools. Always look at the path less travelled, but sometimes you may find something in the normal (frequently travelled) path. As an example, the WhatsApp bug discovered in 2019 allowed the receiver to upgrade a call to a video call without the knowledge of the individual making the voice call. It was a serious security issue. The reporter was an engineering graduate and made it into the Facebook Hall of Fame 2019. Twitter handle: @I_m_Saj
@gautamk381, 3 years ago
Would you like to tell us what your qualifications are?
@KIRIKTECH, 4 years ago
Recon properly, because it tells you where exactly you need to hunt for bugs. @keerthik_krs
@Recklezz28, 4 years ago
Follow disclosed reports on your preferred platform and see what you can apply to your targets and programs. @RecklezzPenguin Thanks for another great video Farah!
@jasonybarra8277, 3 years ago
Funny short story: I did MySQL coding assignments on an LG Optimus screen 🤣😆 while riding in a work truck on an icy Michigan road 😆🤣
@Shivamashish5236, 2 years ago
So do you also teach a hacking / cyber security course?
@KumarAshwinSpark, 4 years ago
Know how the application works and its basic workflow before diving into attack mode. @OkAshwin The video was really informative, thanks!!
@bibekdhakal5353, 4 years ago
Bug bounty is all about gaining and sharing. I would like to thank all the people who have contributed their knowledge and made this easier. :) “When you move your focus from competition to contribution life becomes a celebration. Never try to defeat people, just win their hearts.” --Buddha @kira_dhakal
@srikanthreddyduggempudi8245, 4 years ago
Using OSINT skills to find sensitive data @_Alphagens
@akhileshp3523, 4 years ago
As a beginner, where do I have to start?
@roger5968, 4 years ago
Hi Farah, those who are new like me don't know how to use a GitHub repository. Could you please make a video to show how to set up a lab from a GitHub repository?
@FarahHawa, 4 years ago
KING乡Akii you'll find instructions to set it up on the GitHub repository; it's different for every lab.
@bluefox115, 4 years ago
Here's a tip: don't be afraid to ask for help from the community.
@gabrielraulkumar8656, 4 years ago
I also want to become a bug bounty hunter, Ma'am. Please help me!
@feynman8692, 4 years ago
If you find a vulnerability... don't stop at that... try to find more! @vibhummusic
@muhammadaliakbar4189, 4 years ago
Enumeration is the key :) @H0j3n
@hardeekpatel9112, 4 years ago
Start from the basics. Go step by step. Don't lose hope. Keep trying. @Hardeek_Patel
@vivekkamble3239, 4 years ago
Be hungry for knowledge, give back to the community, don’t be afraid to fail, and enjoy the ride... @_vivekkamble_
@jakianam9554, 4 years ago
Will email work for the giveaway?
@kuldeepsingh2983, 4 years ago
The music is a little loud. Can you reduce the volume of the music in the next video (just a little bit)? Even this level is not a problem at all; however, here I have to put in a little effort to isolate your voice and concentrate on that rather than the music.
@kuldeepsingh2983, 4 years ago
And please don't consider this comment for the giveaway, as I am a complete newbie and there is no way I will be able to make use of the giveaway.
@brahimchebli7781, 4 years ago
My bug bounty tip is: recon, recon, recon. Recon always wins.
@arunnair8915, 4 years ago
Bug Bounty Tip: "Try try try but don't cry".
@bot-hk, 4 years ago
Since I am a beginner I can't help much, but I have been suggested to use Burp Suite as a tool for searching for bugs. @prorajnikant