🚀 Just published a new Blog post!
I’ve released React2Shell on GitHub, an intentionally vulnerable Next.js app packaged with Docker for anyone who wants to play around with the CVE-2025-55182 exploit.
🔗 Read the full blog here:
https://t.co/X2TghRbPyo
#react2shell
⚡ Recon Tip: Don't stop at subdomains.
CF-Hero helps uncover potential origin IPs hiding behind Cloudflare by combining historical DNS intelligence, infrastructure correlation, and security search engine data.
Could be a valuable addition to your recon workflow when mapping large attack surfaces.
📦 Repository:
https://t.co/fKSIrKYOXK
#BugBounty #Recon #CyberSecurity #Cloudflare #OSINT #InfoSec
We offer a free and simple API endpoint to grab all the hostnames for a domain based on the certificate transparency logs: https://t.co/xAuMunXvYM
Sample Python code available in the Shodan book: https://t.co/36mxTrS2QS
@pdiscoveryio has had a huge impact on the bug bounty community with tools like Nuclei, Httpx, Katana, Subfinder, Naabu, and many more.
But beyond the popular tools, they have built several lesser-known gems that can make recon, validation, and vulnerability research much easier.
Here's a thread on some underrated ProjectDiscovery tools worth checking out 👇
#BugBounty #CyberSecurity #InfoSec #Recon #ProjectDiscovery
I gave a talk to @ritsecclub on behalf of @Bugcrowd at the start of the month about hacking web applications. It's not too technical, but I hope some of you will find it useful nonetheless:
You can watch it here:
https://t.co/aaStnLLsI4
#bugbounty
Found a cool bug at Meta.
From misconfigured Grafana instance to R/W access on 507 private Meta repositories.
Wrote up the full chain here:
https://t.co/LYQ0prc68d
$157k bounty awarded by @metabugbounty
Episode with GreenJam about hacking Adobe!
And honestly it's hard to watch it without wanting to open a tab on their program. 👀
https://t.co/pX4LQvrufg
Found an exposed Swagger/OpenAPI file on your target? 🧐
Sj by @BishopFox audits endpoints defined in Swagger docs automatically, tests all defined endpoints, generates curl/sqlmap commands, and even bruteforces for hidden definition files! 🤠
Check it out! 👇
🔗 https://t.co/x41DTGB6dR
Google API keys didn't use to be considered "secret," so they're all over the web, but now they are an open door to Gemini 🫠 Quick rundown video of Truffle Security's really nifty research, almost 3,000 websites exposed, including Google themselves 😅
🔗 https://t.co/HRIKqI8zK1
Stop missing attack surface behind Round Robin DNS. 🛑
By default, tools often check just one IP. Force httpx to enumerate ALL resolved A records for every subdomain using -probe-all-ips.
Use this Command👇
httpx -l live_hosts.txt -probe-all-ips -silent -o multi_ip_hosts.txt
Essential for finding hidden origins and inconsistent WAF protections.
#recon #httpx #infosec
Datr cookie theft and AI leading to Facebook account takeover ($24,000)
https://t.co/n2MVZKxDBg
Two-click Facebook account takeover via FXAuth ($30,000) https://t.co/MtuvFzGRsS
Self-XSS in Facebook payments flow leads to account takeovers ($62,500)
https://t.co/D7qXu1Avim
Want to build a high-quality wordlist without the clutter of full URLs? 🏗️
By using the path filter in Katana, you can strip the protocol and domain to isolate the raw directory structure.
This gives you a clean list of endpoints ready to be piped into your favorite fuzzer or used for sensitive file discovery.
#Recon #katana
Sharing my Burp Extension that earned me $200k in 2025 while API testing heavy JS-rich targets.
https://t.co/2ttRurgoPh
The tool helps find endpoints, files, internal emails, and some secrets from minified JS.
Its goal is to achieve maximum efficiency with reduced noise in results. Contributions and feedback are welcome.
THC Release 💥: The world’s largest IP<>Domain database: https://t.co/o4F8M1Pqi1
All forward and reverse IPs, all CNAMEs and all subdomains of every domain. For free.
Updated monthly.
Try: curl https://t.co/5V2xLadmx5
Raw data (187GB): https://t.co/cBZOSAE89K
(The fine work of messede 👌)
🚨 A new CVSS 10.0 vulnerability (CVE-2025-55182) in RSC and the Flight protocol enables unauthenticated remote code execution. If you run RSC or a framework that ships it, this is a patch-now moment. In our latest OffSec blog, we break down how the exploit works, what’s affected, and what to do next: https://t.co/iUZagwJMwI
Pushed a new update to https://t.co/9CqANckHK0 -- it now scans for the RCE payload via reflection. Use the --waf-bypass flag to bypass WAFs, works well for Cloudflare/AWS. Other WAFs might need tinkering with the payload, depending on whether they don't have a max context limit.