People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
This article walks through how this hacker found multiple SSRFs on Facebook instances.
The interesting part was not the bugs themselves, but how they were exploited. Using the SSRF, it was possible to do the following:
Make requests to internal EC2 instances to steal creds
Internal path to the logs folder
Port scan
Internal system queries that are used to fetch data
All of these have actual impact. He was awarded 30K for finding this SSRF bug.
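From the defender's side, each impact above comes from a server-side fetcher that will connect wherever a user-supplied URL points. The following is an added example, not code from the article or from Facebook: a destination check whose names (`check_fetch_target`, `is_internal`, `sample_resolver`) are hypothetical, which assumes the fetcher only needs ports 80 and 443 and uses constructed DNS answers so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}  # assumption: the fetcher only needs standard web ports

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"cdn.example.com": ["93.184.216.34"],
              "mixed.example.net": ["93.184.216.34", "10.0.0.5"]}


def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # unknown names are treated as IP literals


def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_internal(addr):
    """True for any address a server-side fetcher should refuse to contact."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # unwrap ::ffff:a.b.c.d
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_multicast


def check_fetch_target(url, resolver=system_resolver):
    """Return (allowed, reason, addresses); connect only to the returned addresses."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:  # removes the port-scan primitive
        return False, "port not allowed", []
    try:
        addrs = resolver(parts.hostname, port)
        internal = [a for a in addrs if is_internal(a)]
    except (OSError, ValueError):
        return False, "resolution failed", []
    if internal or not addrs:  # one internal answer is enough to refuse
        return False, "resolves to internal address", []
    return True, "ok", addrs
```

The check has to be repeated on every redirect hop, and the fetcher should connect to the returned address rather than resolving the name a second time, since a second lookup can return a different answer.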
The URL shortener was interesting! Because it was used by both internal Facebook people and the outside world, he was able to leak sensitive data (such as internal links, session tokens and so on). He simply brute forced a bunch of links with Intruder until he found sensitive information.