![NahamSec](/img/default-banner.jpg)
- 363
- 4 702 143
NahamSec
United States
Приєднався 3 лют 2014
HACK THE PLANET!!
Hi! I'm NahamSec. I think everyone can be a hacker and I'm on a mission to prove that!
Hi! I'm NahamSec. I think everyone can be a hacker and I'm on a mission to prove that!
My Favorite API Hacking Vulnerabilities & Tips
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍
📚 If you want to learn bug bounty hunting from me: app.hackinghub.io/hubs/nahamsec-bug-bounty-course
💵 FREE $200 DigitalOcean Credit:
m.do.co/c/3236319b9d0b
🔗 LINKS:
📖 MY FAVORITE BOOKS:
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities -amzn.to/3Re8Pa2
Hacking APIs: Breaking Web Application Programming Interfaces - amzn.to/45g4bOr
Black Hat GraphQL: Attacking Next Generation APIs - amzn.to/455F9l3
🍿 WATCH NEXT:
If I Started Bug Bounty Hunting in 2024, I'd Do this - ua-cam.com/video/z6O6McIDYhU/v-deo.html
2023 How to Bug Bounty - ua-cam.com/video/FDeuOhE5MhU/v-deo.html
Bug Bounty Hunting Full Time - youtu.be/watch?v=ukb79vAgRiY
Hacking An Online Casino - youtu.be/watch?v=2eIDxVrk4a8
WebApp Pentesting/Hacking Roadmap - youtu.be/watch?v=doFo0I_KU0o
MY OTHER SOCIALS:
🌍 My website - www.nahamsec.com/
👨💻 My free labs - app.hackinghub.io/
🐦 Twitter - NahamSec
📸 Instagram - NahamSec
👨💻 Linkedin - www.linkedin.com/in/nahamsec/
WHO AM I?
If we haven't met before, hey 👋! I'm Ben, most people online know me online as NahamSec. I'm a hacker turned content creator. Through my videos on this channel, I share my experience as a top hacker and bug bounty hunter to help you become a better and more efficient hacker.
FYI: Some of the links I have in the description are affiliate links that I get a a percentage from.
📚 If you want to learn bug bounty hunting from me: app.hackinghub.io/hubs/nahamsec-bug-bounty-course
💵 FREE $200 DigitalOcean Credit:
m.do.co/c/3236319b9d0b
🔗 LINKS:
📖 MY FAVORITE BOOKS:
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities -amzn.to/3Re8Pa2
Hacking APIs: Breaking Web Application Programming Interfaces - amzn.to/45g4bOr
Black Hat GraphQL: Attacking Next Generation APIs - amzn.to/455F9l3
🍿 WATCH NEXT:
If I Started Bug Bounty Hunting in 2024, I'd Do this - ua-cam.com/video/z6O6McIDYhU/v-deo.html
2023 How to Bug Bounty - ua-cam.com/video/FDeuOhE5MhU/v-deo.html
Bug Bounty Hunting Full Time - youtu.be/watch?v=ukb79vAgRiY
Hacking An Online Casino - youtu.be/watch?v=2eIDxVrk4a8
WebApp Pentesting/Hacking Roadmap - youtu.be/watch?v=doFo0I_KU0o
MY OTHER SOCIALS:
🌍 My website - www.nahamsec.com/
👨💻 My free labs - app.hackinghub.io/
🐦 Twitter - NahamSec
📸 Instagram - NahamSec
👨💻 Linkedin - www.linkedin.com/in/nahamsec/
WHO AM I?
If we haven't met before, hey 👋! I'm Ben, most people online know me online as NahamSec. I'm a hacker turned content creator. Through my videos on this channel, I share my experience as a top hacker and bug bounty hunter to help you become a better and more efficient hacker.
FYI: Some of the links I have in the description are affiliate links that I get a a percentage from.
Переглядів: 4 457
Відео
#NahamCon2024: Sluicing Scripts | @TomNomNomDotCom@TomNomNomDotCom
Переглядів 2,4 тис.16 годин тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 Hacking the web often means you need data. A lot of that data is in JavaScript, but JavaScript is a hot mess. Let's take a look at some tools and tricks to make some sense of that mess, build hyper-focused wordlists, and find the deepest, darkest nooks and crannies of web applications without reading megabytes of source code. ...
My Favorite Ethical Hacking Books
Переглядів 12 тис.19 годин тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 MY FAVORITE BOOKS: The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - amzn.to/3KNFrns Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities -amzn.to/3Re8Pa2 Real-World Bug Hunting: A Field Guide to Web Hacking - amzn.to/4cmYKQ3 Hacking APIs: Breaking Web Application Programmin...
#NahamCon2024: Practical AI for Bounty Hunters | @jhaddix
Переглядів 4,4 тис.День тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 There's a lot of hype around AI at the moment. Join Jason Haddix (@jhaddix) as he cuts through all the BS to show you 5 practical ways to use AI to supercharge your bounty hunting RIGHT NOW. Jason will cover AI for Recon, JavaScript analysis, Vulnerabilty Discovery, Payload Generation, and Reporting. 📚 If you want to learn bug...
Day in the Life of an Ethical Hacker/Penetration Tester
Переглядів 28 тис.День тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 Ever wondered what a day in life of a pentester looks like? What are some of the parts of the jobs that are fun and what isn't as fun or enjoyable? Well don't worry, I got you! Check out Astra for yourself here: www.getastra.com/continuous-pentest-and-dast 📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.t...
#NahamCon2024: .js Files Are Your Friends | @zseano
Переглядів 5 тис.День тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 I am a big fan of sticking to one program and learning as much as possible and diving in deep, so in this talk I will discuss the importance of hunting through .js files to look for more endpoints and interesting code which can potentially help you discover even more bugs. 📚 If you want to learn bug bounty hunting from me: bug...
This 'Realistic' Web CTF Was Impossible!
Переглядів 6 тис.14 днів тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 This video is a walkthrough of the #NahamCon2024 Mission which includes some cool JWT and recon tricks, API hacking, SSRF, and SQLi! 📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.training 💻 If you want to practice soem of my free labs and challenges: app.hackinghub.io 🔗 LINKS: MY FAVORITE BOOKS: Bug Bo...
#NahamCon2024: OAuth Secret | @BugBountyReportsExplained
Переглядів 3,2 тис.14 днів тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 For many hackers, changing the redirect_uri to an attacker-controlled host is the only attack they know. But in 2024 it won't work. We have to work harder - exploit and chain multiple smaller bugs together to get the account takeover. Those chains will be the topic of this talk. 📚 If you want to learn bug bounty hunting from m...
#NahamCon2024: Deep Dive Into AWS Instance Metadata | @congon4tor
Переглядів 1,5 тис.14 днів тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 This talk will deep dive into instance metadata in a variety of AWS services (EC2, ECS, EKS). From the most basic to more advanced scenarios in container environments allowing you to increase the impact of your bugs. 📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.training 💻 If you want to practice soem o...
#NahamCon2024: GraphQL is the New PHP | @0xlupin
Переглядів 4,8 тис.14 днів тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 In the talk "GraphQL is the New PHP," we dive into how to find bugs in GraphQL, similar to early PHP days. It's all about sharing tips and tricks for bug bounty hunters to spot security issues. This talk is like a collection of what I've learned, the mistakes I made, and some wins along the way. 📚 If you want to learn bug boun...
This is How You Scan Large Infrastructures
Переглядів 12 тис.14 днів тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 Should I make more recon videos?? Scanning a large infrastructure is super interesting especially when you are approaching a large organization to look for the same pattern of mistake. 📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.training 💻 If you want to practice soem of my free labs and challenges: a...
#NahamCon2024: The Art of Bypassing WAFs (with live demos!) | @Brumens2
Переглядів 4,1 тис.21 день тому
LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 The presentation will provide various methods on how you can bypass modern web application firewalls (WAF). During the presentation, we will cover hands-on labs that simulate various WAF scenarios. The labs will be open source and you will learn how to effectively customize your own methods and payloads to bypass a WAF. 📚 If y...
If I Were to Start in Cyber Security, I'd Do This
Переглядів 24 тис.21 день тому
📣 Advance your career cybersecurity with Simplilearn’s Post Graduate Program In Cyber Security: bit.ly/NahamSecSimplilearn I have been in cybersecurity for over 10 years! If I were to go back and start over again, this is what I would do! LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍 📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.training 💻 If you w...
#NahamCon2024: Shodan & WAF Evasion Techniques | @godfatherOrwa
Переглядів 7 тис.28 днів тому
#NahamCon2024: Shodan & WAF Evasion Techniques | @godfatherOrwa
#NahamCon2024: Modern WAF Bypass Techniques on Large Attack Surfaces
Переглядів 12 тис.Місяць тому
#NahamCon2024: Modern WAF Bypass Techniques on Large Attack Surfaces
Hacking WordPress Sites for up to $10,000!
Переглядів 37 тис.Місяць тому
Hacking WordPress Sites for up to $10,000!
In Recon: If You're Not First You're Last
Переглядів 7 тис.Місяць тому
In Recon: If You're Not First You're Last
Creating A Wordlist For CI/CD Hacking (Using AI)
Переглядів 7 тис.Місяць тому
Creating A Wordlist For CI/CD Hacking (Using AI)
The Art of Finding Critical Vulnerabilities
Переглядів 14 тис.2 місяці тому
The Art of Finding Critical Vulnerabilities
ColdFusion Local File Read (CVE-2024-20767)
Переглядів 5 тис.2 місяці тому
ColdFusion Local File Read (CVE-2024-20767)
Supercharging VIM and Your Bug Bounty Recon Using AI
Переглядів 9 тис.2 місяці тому
Supercharging VIM and Your Bug Bounty Recon Using AI
We installed RedLine InfoStealer (Malware)
Переглядів 23 тис.2 місяці тому
We installed RedLine InfoStealer (Malware)
$20,000 In Bounties From Hacking Into A Prison
Переглядів 11 тис.3 місяці тому
$20,000 In Bounties From Hacking Into A Prison
Great Episode ... Path Traversal Next ...
Only 3% of bug bounty hunters ever make a cent.
A path traversal video sounds awesome!
graphql + Path Traversal plz
Informative video as always Ben, I would really like to hear about how you approach GraphQL APIs, being used to REST, GraphQL seems a whole lot of a different game. I have experimented with using clairvoyance on a couple of APIs but can't bring myself to be comfortable with it as I am with REST.
Do you think apis are a gold mine compared to the usual bughunting?
Both plz
Hey ben , bring the next episode of redacted series
path traversal and gql plzz
GraphQL
A Path Traversal video it would be super nice
Awesome content and very useful!
Graphql
Hi, Sorry, but I can't find the udemy link
SIR PLEASE REPLY ME I have found a API key hard-coded in a javascript file but I have a confussion that should I report it as a information disclosure vulnerability or look forward to saw impact but I don't know what to do next . please assist me sir
definitely look for more impact... try to find out what purpose the API key is serving, a lot of times such tokens are used for logging or analytics services which are marked informative if you report them.
@@h0udini420 hey are you a hunter
@@monikasharma4403 yes
Awesome video, a nice summary, just what I need to upskill on at the moment. Would love to see Path Traversal next please bro!
Graphql and dir traversal
Your link above doesn’t work
Of course, We would like to see an episode about graphql and path traversal ❤
need both path traversal and graphql based vulns ben🙂
Graphql
Hello brother I need your help plz necessary how I can connect you
graphql please
GraphQL Injection Good topic
@@SonaliSingh-ri6jq yeah it is
great
Nice bro❤
app.hackinghub.io/hubs/nahamsec-bug-bounty-course USE CODE: UPDATE50OFF for a discount!
Its showing page not found. Do we need to login to access the page.
Is the course the same as the one on Udemy?
Found out i enjoy physical material more. Subscribing because i dont see channels recommending books offen
Story
Book
Part 2?
Mind blowing. Thank you so much for giving back to community.
غاشق لباست شدم عشقی مرد🤩🤩
I own a ridiculous amount of books--enough to build a small public library. However, I find them mostly useful as supplemental to practical, hands-on work similarly to a reference guide for certain things. I try not to read them cover-to-cover unless I'm trying to put myself to sleep. Books with practical references and guides (Practical Malware Analysis, etc.) are an exception, of course. Great recommendations, Ben! Now I have to add Black Hat GraphQL to my collection.
SOP doesnt allow you to send requests cross-sites. In SOP there is the letter O, which stands for Origin. An origin is not a site, those are two different concepts. And by definition, SOP does not protect from CSRF. It protects from COW (Cross Origin Writes). I like the energy and the enthusiasm, we need that in the field, but if you want to present something and don't want to sound like you dont know what you're talking about, I would suggest you do your homework before. Thank you for sharing anyway.
Actually he is right , If the content-type was application/json this would be considered as not-simple request for the browser and would require a preflight request which would block the XS-search(Get based CSRF) request because its not a trusted origin
@@baraamansi7637 Re-read my comment, thank you.
@@cowid I'm aware of my comment bro, If there is anything wrong with his concepts then you can mention the timeline and explain your opinion ,otherwise I'm not seeing what are you pointing for
@@baraamansi7637 I'm not your bro son, for one thing. Secondly, it's not a coNcEpT problem. It's a terminology problem. Words and acronyms have meaning. Throwing a bunch of acronyms around without understanding what they entail makes you sound like someone who does't fucking know what you're talking about. For the timeline, you can refer to the entire video that is pretty much glib the entire time. To answer specifically your question, 20 mins mark: "...authorized by the same origin policy to be sent cross-site". SOP doesnt allow or prevent from accessing resources cross sites. Again, re-read my first comment. Sites and origins are two different things. We can go on all day like that, bro.
@@cowid Take it easy man,It's not that massive problem if he did a little mistake, As long as the concepts are valid and there is benefit it's totally fine to share we are not perfect .Secondly,There is no need for the agressive attitude brooo, LOL
Great Content ❤
Amazing, I will definitely try it during my next bug hunting time
I will remember you one day
When I'm the best in Electrical, Programming and hacking
😍😍 @TomNomnom🤞🏾
wait wait, isn't JS old school? was told all that was being getting rid of. There's some new coding now, don't remember the names, but I will have to look on discord for that.
very nice, thanks man
Ai is everywhere this days.
Hey Bro, am still waiting for your response, concerning my journey about what you doing.
One cant deny that tomnomnom's voice has a therapeutic effect
Definitely worth topic. I remember how i started hacking just by curious with book Hacking the art of exploitation. That was totally not for beginners, but i enjoyed a lot
Tomnomnom is my favourite hacker :) . Understood whole conference. First time I watched that js video with stock :) and then I watched most of his videos and used all his tools 🔥.
Ive got to make sure to check a few of these out 👀
Dear! These are all outdated! Also there are a lot of people even my grandma knows about them!!
Your grandma is a scholar
@@NahamSecHave you read the book 'Web Application Security' by Andrew Hoffman? What do you think of it?
@@NahamSec I think this is not good idea to copy a content that many other professionals have talked about that before you!
<3
how can get these slides?
when i tried command in the escape sequence, I'm not sure why the \u{002f} part is causing it not display any output, and when I tried to remove that part it is working as intended. I have just wrote it like this in my notes when it worked: input >> echo '"\x2fapi\x2fv2\u003fobj\075users"' | jsluice query -j -q '(string) @s' | jq output>> "/api/v2?obj=users"
@@dans9762 this confused me for a bit because it *should* work, but I think I might have figured out why it's happening. Are you using zsh by any chance? Zsh needs a bunch of extra escaping like this: echo '"\\x2fapi\\u{002f}v2\\u003fobj\\075users"' | jsluice query -j -q '(string) @s' | jq The '\u' was going missing and the other escape sequences were actually all being interpreted by zsh before passing the string to jsluice!
@@TomNomNomDotCom thank you for taking the time to reply and explaining what happened. yes, I am using zsh and the escape sequence you commented is working. More power to you.
Excellent sir, thanks! Book.
I have master degree in cyber security and CompTIA security + but still not getting job