Jamal akhtar

The Claude Code tooling I have been mentioning in my recent bounty posts is a forked version of strix-claude-code Started using it a few months ago. Added a triage step that spawns a new agent with no context to verify findings, cut my false positives down a lot. Got $3000 + $100 on intigriti for bypasses of resolved reports, $500 on h1, an RCE I am still verifying Not full proof. Still get false positives, still spend days verifying pocs. But overall it works really well Open sourcing it today: https://t.co/F4FfKtcHoD

Bug Bounty | Internal SSRF | $2,000 Found an Internal SSRF vulnerability The ticketing integration feature (Jira, Zendesk, ServiceNow) accepted a user-supplied URL and passed it directly into a server-side request with zero validation. By replacing the URL with http://127.0.0.1:[PORT], I was able to enumerate internal hosts and ports unreachable from the public internet, one of which exposed a sensitive internal service (https://t.co/OEizQVPbxL) Lesson learned: always test third-party integration fields. They are often overlooked but can make direct backend calls, making them a prime target for server side vulnerabilities. #bugbounty #bugbountytips #ssrf

Found an LFI/traversal today by just searching through my batch GAU outputs with notepad++ for "filename=". I literally typed whats in the screenshot below into one and got the passwd file back. Then I pulled the web server logs, which had admin creds. I was honestly shocked that worked!

I spent ~6 hours yesterday working on a target. If you check my recent post about "Step 1", I was on part "D". I found 3 distinct P1s, one of which probably could have been broken down into 8 specific BAC issues but that sounded like too much work. Issue 1: LFI/traversal As I mentioned, this was found by searching all of my recon files (batch GAU outputs) for "filename=", then tinkering with any of them that looked susceptible. This was literally a one-liner in a GAU file, that could have been easily overlooked because the stem of the URI path actually ended in .PDF, which turned out to have no impact on the URI param itself. Probably why it was missed in the past. So it looked like /app/filename.pdf?filename=test.pdf; but /app?filename=test.pdf still brought the file back, and the LFI was in the filename param. Issue 2: Account Takeover After self registering on a site, I was able to find a section that lets you "invite a user" to your team, and assign a role like admin. However, the payload didn't check the team integer belonged to me, so I could invite myself via email as an administrator to any team in the system, granting full access. Oops. This was an IDOR in a POST JSON body. You find this stuff by using the software and interacting with it. Issue 3: Privilege Escalation BAC After self registering for a site, I dumped all of the API paths from any JS I could find. I made sure to remove any that said logout or logoff. I do this so my session isn't logged off while testing. I then hit them all in intruder with my authenticated session, and noted those which did not 403 or 302 redirect to the logoff or logon page (indicating no access). I then assessed each request that had a 200, and noted ~8 administrative pages that had read/write access to important functions and PII. In summary, no I do not think bounty has gotten any harder, looks like the same game. That was about a $2500/HR hunting spree assuming no duplicates and what not. AI is a capable tool now for hunting, but it will be a long time if ever before it effects the bug count on the internet at large. That said, I hear actually getting triaged and paid may be a different matter these days 🤣 How did AI help? AI was able to very quickly help me find LFI paths given the architecture/stack to dump important files AFTER discovering the bug. This would have been more difficult in the past. I use it for very specific tasks to speed things along, help with payloads, parse JS, and things of that nature... when needed. Its not the first thing I turn to.

Quick bug bounty TIPS! ➡️ verified=false → true, “true”, "True", "TRUE", 1, "1", “yes” ➡️ /v3/users/1234 → v1, v0, internal, beta, legacy ➡️ quantity=100 → -1, 0, 9999999999, 1.82376931348623157e+308 ➡️ role=”user” → “admin”, “”, null, “system” ➡️ /admin → /Admin, /ADMIN, /aDmIn Try them now! ✅ Do you have something to add? 👇

When testing a GraphQL target, verifying array batching is one of the first checks. ☑️  Here’s a quick process: ➡️ Intercept a single query. {"query": "{ user { id } }"} ➡️ Wrap the JSON object in an array and duplicate the query. [{"query": "{ user { id } }"}, {"query": "{ user { id } }"}] ➡️ If the server returns a JSON array of responses: [{"data":...}, {"data":...}] Batch execution is supported. Now, target high-value mutations like login, submit2FA, passwordReset, or query heavy nested objects to cause an application-level Denial of Service (DoS). Here’s how you format the brute-force payload for a login mutation. You can easily script this to generate a massive array of credentials: [   {"query": "mutation { login(username: \"admin\", password: \"admin123\") { token } }"},   {"query": "mutation { login(username: \"admin\", password: \"password1\") { token } }"},   {"query": "mutation { login(username: \"admin\", password: \"qwerty\") { token } }"} ] Hack GraphQL and catch some P1s. 😎

Just checked out the full repo 👀 https://t.co/1aAvTqE9di Interesting concept, turning AI into specialized bug bounty teammates for recon, JS analysis, vuln research, reporting, and more ⚡ Not magic. Not autonomous hacking. But definitely a glimpse into where AI-assisted security workflows are heading 🔥 #BugBounty #CyberSecurity #AI #InfoSec #EthicalHacking #BugBountyHunter #RedTeam #AppSec