Olivia
Online
Esteban Brenes S
@_b0ydC
Security Research | eWPTx2 | eWPT | CEH Master | eJPT
Costa Rica
Joined July 2025
238 Following
4 Followers
16 Posts
Top 100 #BugBounty tips I could gather. If you found this useful please share so more people can take advantage of these #bugbountytip!
https://t.co/lxbQnblBEU
Read the program policy twice; list explicit out-of-scope patterns.
Build a target map: assets, subdomains, APIs, third-party SaaS.
Fingerprint tech (headers + JS); pivot recon by framework.
Diff staging vs prod; inconsistencies hide bugs.
“Delta hunt” right after big releases/changelogs.
Skim status pages & incident write-ups for fresh angles.
Watch for new acquisitions/domains; scopes expand quietly.
Enumerate subdomains via multiple sources; cross-validate.
Resolve to IPs; look for dangling DNS/CNAME takeovers.
Test wildcard DNS/catch-all vhosts for leakage.
Robots.txt/sitemaps: find old versions and admin crumbs.
Wordlist smartly; use tech-specific directories & files.
Scrape/minify-busted JS for endpoints, secrets, flags.
Pull mobile APKs; grep for API routes, keys, cert pins.
Use Param Miner; guess hidden parameters aggressively.
Try alternate HTTP verbs (HEAD/OPTIONS/TRACE/PATCH).
Parameter pollution: duplicate keys, array syntaxes, mixed casing.
Send weird content-types (text/plain→JSON parsers).
Malformed JSON (dupe keys, trailing commas) = parser confusions.
Flip GET↔POST; look for _method overrides.
Try HTTP/2 & HTTP/3—protocol quirks change behavior.
Host header & scheme confusions behind proxies/CDNs.
Cache poisoning: find cache keys missing vital headers.
Web cache deception: static path + dynamic fill.
Request smuggling (CL.TE/TE.CL, h2c, HTTP/2-specific flaws).
SSRF into IMDSv1/metadata; pivot to internal admin.
Chain SSRF via open redirects to beat allowlists.
Abuse webhook verifiers and file fetchers for SSRF.
SSTI: safe-looking probes for template engines.
Blind command injection via OOB channels (DNS/HTTP).
XXE/DTD tricks where XML still lurks.
File uploads: magic bytes/polyglots/extension bypasses.
SVG/HTML image uploads → stored XSS surprise.
Path traversal with mixed encodings (%2e, %2f, ;, UTF-8).
Deserialization: framework-specific gadget hunts.
Prototype pollution (both server- and client-side).
Hunt debug endpoints: /graphql, /actuator, /console, /_next.
Grab source maps (.map) for private code insight.
CORS: wildcard + credentials = cross-site jackpot.
Legacy JSONP/reflection endpoints for token leakage.
Reflected XSS: event handlers, SVG namespaces, unusual contexts.
DOM XSS: track sinks (innerHTML/write/insertAdjacentHTML).
CSP bypass: nonce reuse, data: URIs, wasm, JSONP.
postMessage: missing origin checks → data exfil.
Service workers: cache poisoning, offline leaks.
Clickjacking with frame-bust bypasses/visual redress.
CSRF on state-changers; verify SameSite, token binding.
Preflight/CORS confusions enabling CSRF-like effects.
OAuth: open redirectors in redirect_uri; PKCE downgrades.
Token leakage via Referer/fragment mishandling.
Signed URLs: missing expiry/host binding → replay.
JWT: alg confusion (older libs), kid traversal tricks.
Validate aud/iss; fail-open verifiers are common.
Sessions: fixation, missing HttpOnly/Secure/SameSite.
2FA/OTP: brute, reuse, fallback SMS/voice bypasses.
Magic links: one-click login tokens in logs/referrers.
Password reset: token scope, reuse, timing side-channels.
Account enum via codes, timings, copy differences.
BAC: change numeric IDs everywhere, not just one route.
Horizontal auth (userId/orgId/tenantId) across all CRUD.
Vertical auth: unadvertised admin actions via API.
Batch endpoints mixing tenants = data bleed.
Soft-deleted/archived objects still retrievable.
Mass assignment: hidden fields (roles/price/flags) server-trusted.
Client-only checks? Re-implement in curl; prove bypass.
Rate limits: per-IP only? Token vs account vs user.
Race conditions: concurrent requests beat check-then-act.
TOCTOU in checkout, redemption, seat allocation.
Business logic: coupon stacking, rounding, currency swap.
Webhooks: unsigned or weak HMAC; replay & clock skew.
Email change: verify current mailbox; alias (+/.) tricks.
SAML/SSO: signature wrapping; mis-scoped ACS endpoints.
GraphQL: introspection, enum spelunking, find *_id patterns.
GraphQL: aliasing/batching auth bypass; deprecated fields.
GraphQL: depth/complexity DoS; suggestion leaks.
gRPC/WebSockets: unauth methods; origin/socket checks.
API focus: BOLA/BOPLA over UI-driven IDOR.
Look for /v0, /beta, /internal API versions.
API content-type confusion (stringified JSON, form data).
Object-property-level auth on nested fields (OPLA).
Cloud: public buckets, overbroad IAM, metadata exposure.
Secrets: scan git, JS, backups, .env, mobile bundles.
Third-party integrations: payments, chat, analytics drift.
PDF renderers: HTML injection, XFA/scriptable annotations.
Image processing: Exif, ImageTragick-style delegates, SSRF.
Caching layers: login CSRF + caching = session leaks.
DNS hygiene: takeover candidates; verify ownership.
TLS: client-auth endpoints accidentally public; cert reuse.
Observability: IDOR via trace/Correlation-IDs.
Errors: verbose stack traces, GraphQL hints, path leaks.
Mobile: jailbreak/root bypass, custom CA, IPC issues.
Electron/desktop: nodeIntegration/enableRemoteModule risks.
IoT/web panels with default creds, no auth.
Automate regressions with custom Nuclei templates.
Use tech-tuned wordlists (Rails/Laravel/Next.js/AEM).
Automate recon; hand-test anything that smells interesting.
Keep a personal playbook; tag bugs by vector.
Minimal, reproducible PoCs; capture traffic & timings.
Explain impact in business terms; map to OWASP/API categories.
Re-test fixes; try variants; convert duplicates into patterns.
GIVEAWAY!! 🔥
We’re giving away 1 seat of @AlteredSecurity Certified Evasion Techniques Professional (CETP) – Evasion Lab. 🚀
👉 How to participate:
1️⃣ Like 👍 this post
2️⃣ Repost🔁
3️⃣ Comment 💬 what makes it useful to you
4️⃣ Follow @nikhil_mitt & @AlteredSecurity
A random winner will be announced on Monday, 8th September 2025.
🔗 https://t.co/jUUjo8gC5M
#EvasionWithAltSec #CETP #AlteredSecurity #RedTeam #Pentesting #InfoSec #CyberSecurity #Giveaway
🚨 50 Places Hackers Always Check for Leaks (and Devs Always Forget) 🚨
https://t.co/pfU1bd9I6W
If you don’t look here… the rats will.
/robots.txt – hidden endpoints
/sitemap.xml – juicy URLs
.git/ – repo dump (thanks for this one @bl4ckh4ck5 )
.svn/ – old school loot
.hg/ – mercurial mess
.DS_Store – directory mapping (thanks for this one @bl4ckh4ck5 )
.env – API keys, DB creds
.bash_history – dev mistakes
/backup.zip – entire site
/old/ – forgotten staging
/test/ – “just testing” 🙄
/tmp/ – temp files, creds
/admin/ – guessable panels
/config.php – hardcoded creds
/db.sql – full DB dump
/phpinfo.php – system info
/error.log – server details
/debug.log – stack traces
/logs/ – everything, unprotected
/cgi-bin/ – legacy shells
Source maps (.map) – full client code
JS comments – creds & hints
HTML comments – “TODO remove before prod”
API docs (Swagger/GraphQL)
API introspection queries
Mobile APK – hardcoded secrets
iOS IPA – debug endpoints
GitHub repos – leaked by devs
GitLab CI – exposed tokens
Jenkins builds – hardcoded keys
CI/CD logs – creds in plain text
Dockerfiles – passwords baked in
.dockerignore – things they meant to hide
.npmrc – auth tokens
.yarnrc – registry creds
Composer/Pip lock files – hidden deps
Package.json – debug scripts
Node_modules leftovers – local configs
Public S3 buckets – 💀
GCP buckets – oops, world readable
Azure blobs – same story
DigitalOcean Spaces – exposed assets
CDN misconfigs – bypassed auth
Browser autocomplete fields
Forgotten subdomains – staging, dev, beta
Wayback Machine – deleted endpoints
Shodan – “is this thing on?”
Censys – exposed services
Pastebin/Gists – creds dropped
Slack/Discord webhooks – full takeover
15 more invites
https://t.co/Z7myE143le
ONLY 2 DAYS TO GO! ⏳
Just 2 more days until "From Day Zero to Zero Day" ships from Amazon! This book means a lot to me and I want to thank everyone who’s joined and supported this journey 🙏
Pre-orders still open - link in comments! 💌
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: https://t.co/3vZ2bMx9DA
🚨New Black Hat research released: Over $200k in bounties earned in just two weeks. Join the movement to kill HTTP/1.1 today ⬇️
🔍PortSwigger’s James Kettle (@albinowax) introduces two new classes of HTTP desync attacks capable of compromising credentials on tens of millions of sites.
• Exploit previously unseen desync variants (https://t.co/1WxX5HRLGQ, Expect-based)
• Leverage the open-source HTTP Request Smuggler v3.0 toolkit for systematic discovery
• Learn how to protect your websites
#BHUSA
Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1:
- Watch the livestream from #DEFCON at 16:30 on 8th
- Read the whitepaper on our website
- Grab the HTTP Request Smuggler update & @WebSecAcademy lab
Follow for updates & links. It's nearly time!
If you want to be good you need to check for good quality content. @spaceraccoonsec did a master piece. “From Day Zero to Zero Day”
Grab yours. I just did.
https://t.co/LCs1dVazNY
Last Seen Users on Sotwe
Asian Twink⬇️ for Straight Guy⬆️
Budak nakal
Seen from Malaysia
تايه في بحر المتعه
Seen from Kenya
حليمـــــــــه ❤️🔥
Seen from Jordan
Genç Kızlar
Seen from Turkey
Luiz Bear 🎬📽🔞Sao Paulo
Seen from Spain
Ece
Seen from Turkey
XOXMalay HQ
Seen from Malaysia
三原さん。@ゲーム開発屋さん 
Seen from United States
𝓟𝓻𝓸𝓷𝓱𝓾𝓫
Seen from Portugal
Most Popular Users
Elon Musk
@elonmusk
240.6M followers
Barack Obama
@barackobama
119.2M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.6M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.2M followers
Justin Bieber
@justinbieber
90.9M followers
KATY PERRY
@katyperry
87.6M followers
Taylor Swift
@taylorswift13
81.5M followers
Lady Gaga
@ladygaga
73M followers
Virat Kohli
@imvkohli
69.9M followers
Kim Kardashian
@kimkardashian
69.8M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.9M followers
Neymar Jr
@neymarjr
62.6M followers
The Ellen Show
@theellenshow
62.4M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.7M followers