#100DaysOfHacking

This repository contains links to all the 100 days tweets that I posted during the #100DaysOfHacking challenge.

Tweet Links
Announcement of Challenge 🤞
Day 1 - Tested 2FA, Interesting JS File, Sqreen WAF
Day 2 - Rate Limitation, XSS, XSRF
Day 3 - Improper rate limitation on OTP (email verification) plus no expiry of OTP — Report Submitted
Day 4 - Report closed as N/A, understanding app's auth and CSRF protection
Day 5 - CSRF all the way, Auth cookies behavior
Day 6 - CRLF, Fetching JS files
Day 7 - JS file exploration continued
Day 8 - MySQL DB set up for recon data, Discord Web Hook setup
Day 9 - Finding secrets in JS files, Heroku check JS script
Day 10 - Fetching post-auth JS files, studying program's documentation
Day 11 - Working on JS files
Day 12 - Static analysis of JS files, Sourcemaps
Day 13 - Bit of JS, Feeling Down 😞
Day 14 - Electron JS, KOTH THM
Day 15 - OAuth 2.0, Implicit Grant Lab, OAuth links of target
Day 16 - Flawed CSRF Protection
Day 17 - Flawed CSRF lab continued
Day 18 - H1 Ambassador Cup CTF, IDOR Writeups
Day 19 - IDOR
Day 20 - IDOR & Shodan Findings
Day 21 - Trying to change profile pic via IDOR , Decoding app's cookie , SSRF via Profile Photo Upload
Day 22 - Katie's IDOR series, Autorize, Autorepeater
Day 23 - Autorize configuration & testing on target
Day 24 - IDOR, gau
Day 25 - Proper usage of gau to fetch program's URLs
Day 26 - API Testing, So much manual cURLing 🤢
Day 27 - Giving another shot to APIs with repeater, EXIF Issue reporting deferred
Day 28 - Burp + Postman
Day 29 - Bbht Fork Update, Shodan
Day 30 - API hacking writeups, notes & postman collection
Day 31 - KiteRunner Failed, % shown some unique response, IDOR found [Report Submitted]
Day 32 - Recon Methodology of Ahmad Halabi
Day 33 - Subdomain enumeration, HTTPx, Port Scan
Day 34 - IPs from subdomains
Day 35 - Rustscan, Writeups
Day 36 - Ffuf on API endpoint
Day 37 - Nullbyte fuzzing API & builtwith
Day 38 - Escapehtml4 not escaping apostrophe
Day 39 - Dev tools, Reading client side source, Bad commits
Day 40 - Location.href to DOM XSS, New API Endpoint found
Day 41 - mailto:, URL Object
Day 42 - Finding code execution and functionality with breakpoints
Day 43 - Resending XHR with Dev tools
Day 44 - postMessage
Day 45 - Firing range postMessage lab
Day 46 - First Report Resolved 😍
Day 47 - Making authenticated requests with getJS, Using devtools to find postMessage, retesting vulnerable endpoint
Day 48 - Burp’s Dom invader, postmessage-tracker extension
Day 49 - Old S3 Bucket containing interesting files, ORWA methodology of shodan
Day 50 - Shodan all the way
Day 51 - Lighthouse finds vulns in AngularJS
Day 52 - Trying to exploit vulns of [email protected]
Day 53 - AngularJS , Auth JS File
Day 54 - Reading whole login JS file, Trying to Bypass OTP using JS Debugger
Day 55 - Starting HTB Box, Testing Some Auth Related Functions using Dev Tools
Day 56 - How IDOR is fixed? , Cyber Defense Path
Day 57 - API Testing with OWASP ZAP, 2nd Order IDORs, Getting Burnt Out 🥺
Day 58 - TryHackMe ONLY , Breaking security of Linux/Windows given physical access to machine
Day 59 - Postman Environment & Dynamic Variables, Finding multiple postman collections, Approach to test the API
Day 60 - Reading API documentation, Familiarity with Target is Important
Day 61 - HTB, Virtual Hosts Explained
Day 62 - HTB, WPScan, Wordpress 5.2.3, Information Disclosure
Day 63 - THM: Introductory Networking Room
Day 64 - THM: MITRE(started), 250 IDOR Reports, Health Issues
Day 65 - THM: MITRE(done), CEH Prep
Day 66 - ECCouncil CEH Exam Passed, HTB: Paper box Pwned
Day 67 - Using Postman, Zap & Burp together with Upstream Proxy, Throttling Active Scan to Avoid Rate Limitation on API
Day 68 - Dynamic API? , EC2 IPs on Shodan
Day 69 - Potentially Infinite Subdomains, Access Control Testing, Session Validation Checks
Day 70 - Horizontal Priv Esc on API, Active Scan on ZAP, Platform Shift
Day 71 - Android Hacking Lab Environment, My experience with Genymotion, ADB, Frida, Android Studio
Day 72 - Google API Key , Intents & Activities and other Android Concepts, Why lesser security issues in android?
Day 73 - Different tools for decompilation, Android WebView, xAPK files from ApkPure
Day 74 - Developing my first Android app
Day 75 - React-native-decompiler, API key in app.config, Mobsec Vs. Websec
Day 76 - Vulnerable Injured Android
Day 77 - Frustrating APK Decompilation, From JADx to Dex2Jar
Day 78 - Decompilation Mystery Resolved, Finding some flags, Exported Activies, Path of Actvity's Code, Lots of Amazing Android Resources
Day 79 - Exploiting Exported Activities using AM & Malicious App, Setting up Drozer on Docker, Building POC App
Day 80 - IP of Emulator Device, Network issues on Docker, Outdated Drozer? , Android 11 Compatibility, Android Tamer
Day 81 - Testing app's exported activities, SSL Pinning on app? Hacker101 Mobile Hacking Crash Course
Day 82 - Studying what SSL Pinning is? SSL Pinning Bypass Techniques, okHTTP Library
Day 83 - Target App's SSL Pinning Bypassed using Frida! Learning Frida Usage, Method Hooking
Day 84 - Insecure Data Storage in Android, World Readable Directories
Day 85 - Expo.dev, API Keys and their impact, Android Attack Surface
Day 86 - One liner to find all the world readable files/dirs, Plan for rest of the challenege discussed
Day 87 - Log Analysis via LogCat, Screenshot Capturing Security Issues, OWASP GitBook on Mobile Security
Day 88 - Reverse Engineering Electron JS, Grep! Grep! Grep!, contextIsolation & nodeIntegration
Day 89 - Electronegativity, Fetching Electron Version via Console, Unrestricted Navigation Issue Found
Day 90 - Running Electron JS from Source, Proxying Electron App via Burp/Zap, Unexpected Event
Day 91 - VPS Migration & Setup, Rough Plan for Recon, Writing Clean Code, pyLint
Day 92 - Improving code structure, __ name __ variable, reconFTW
Day 93 - sys.argv Vs. argparse, Multiple values of a single argument
Day 94 - Debugging GO issues in CronJobs, moduleNotFoundError in Python
Day 95 - Environment Variables in CRON, moduleNotFoundError {fixed}, weak reference object error {fixed}, Fetching subdomains already stored in DB based on program name input
Day 96 - subprocess.check_output(), Ditching temporary files, Storing new subdomains in DB, Sending new subdomains to discord
Day 97 - Fixing the dynamic paths generated for configuration files
Day 98 - Implementing probing functionality to recon automation framework, Habit of this challenge :)
Day 99 - Adding port scanner to recon framework, ZAP Automation Framework, GraphQL Backend, Blog Post Draft
Day 100 - ZAP Automation Framework Hands On, Reporting of ZAP Framework, Blog Post Released on Last Day
Blog Post on 100DaysOfHacking Challenge