XSS Tip: Target error parameters on shopping-cart and checkout pages.
- Find the checkout URL
- Fuzz for error, msg, err, ...
- Test for reflection: ?error=XSS&msg=XSS&err=XSS...
Because these parameters carry free-text status messages, they are often rendered without the output encoding applied to regular form fields, so always check the context the reflection lands in (text node, attribute or script).
#BugHunting #HackingTips #XSS
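A small reflection probe for the procedure above, written here as an added example (it is not the author's tooling): it appends one unique canary per candidate name to the checkout URL, then reports which names come back and in what sink context. The candidate list, the checkout URL and the constructed checkout page are assumptions; in practice feed the body from your own HTTP client or from Burp to find_reflections.

```python
"""Probe a checkout page for reflected message parameters.

Added example (not the author's tooling): the candidate names, the
constructed response and the canary format are assumptions.
"""
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Candidate names for status/error text (assumed starting list; extend from your wordlist).
ERROR_PARAM_NAMES = ["error", "err", "msg", "message", "status", "notice", "warning", "info"]


def build_probe_url(base_url, names=ERROR_PARAM_NAMES):
    """Append one unique canary per candidate so a hit identifies the reflecting name.

    Canaries are alphanumeric, so they pass through urlencode unchanged and
    survive most sanitisers; a real probe follows up with metacharacters.
    """
    canaries = {n: f"zq{secrets.token_hex(3)}{n}" for n in names}
    parts = urlsplit(base_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(canaries.items())
    return urlunsplit(parts._replace(query=urlencode(query))), canaries


def reflection_context(body, canary):
    """Rough sink classification for one canary: 'script', 'attribute', 'html' or 'none'."""
    idx = body.find(canary)
    if idx < 0:
        return "none"
    before = body[:idx]
    if before.rfind("<script") > before.rfind("</script>"):
        return "script"        # inside a script block: quotes and </script> matter
    if before.rfind("<") > before.rfind(">"):
        return "attribute"     # inside a tag: quote-breaking or event-handler attributes
    return "html"              # text node: raw tags are what counts


def find_reflections(body, canaries):
    """Map each reflected parameter name to the sink context it lands in."""
    return {name: reflection_context(body, c) for name, c in canaries.items() if c in body}


def constructed_checkout_page(canaries):
    """Constructed response standing in for the real checkout page: it echoes
    'error' as text and 'msg' inside a hidden input, and ignores the rest."""
    return (
        '<form action="/checkout"><div class="alert">'
        f'{canaries["error"]}</div>'
        f'<input type="hidden" name="m" value="{canaries["msg"]}">'
        '<script>var state = "ready";</script></form>'
    )


if __name__ == "__main__":
    url, canaries = build_probe_url("https://shop.example/checkout?step=2")
    print(url)
    print(find_reflections(constructed_checkout_page(canaries), canaries))
    # {'error': 'html', 'msg': 'attribute'}
```

The context label tells you which follow-up payload to send: a quote-break for an attribute, a `</script>` or string-break for a script block, a bare tag for a text node.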
On SPAs (React/Vue/Angular), use Burp's Match and Replace on response bodies to swap false for true in JSON responses. Match on the JSON value rather than the bare word (a regex such as :\s*false\b replaced with : true) so you do not rewrite string contents or property names and break the app.
The result? Hidden admin panels, debug modes and restricted UI features can appear, because the client gates them on flags it received from the server.
Then verify that the backing API actually serves the data or performs the action without the server enforcing the check: a panel that renders but whose requests return 403 is a UI quirk, not a vulnerability. Don't just test the API, explore the UI too!
#Infosec #WebSecurity #BurpSuite #BugBounty #Pentest
XSS Tip: Raw HTML response vs browser DOM
When an XSS payload is reflected but appears filtered in the HTML response, always verify it in the DOM as well.
Why? In the raw HTML response your payload may look safely filtered or encoded, but the browser decodes entities in attributes and JSON before client-side JavaScript reads the value, and if that script then writes it back with innerHTML, a template or document.write, the markup comes back to life (client-side rendering).
Don't just trust the raw bytes in Burp: trust the DOM! Check the Elements panel in DevTools or the rendered markup, not only the proxied response.
#BugBounty #XSS #Pentest #Infosec #WebSecurity #BurpSuite
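To make the raw-versus-DOM difference concrete, here is an added example (not code from the original post) that simulates in Python what the browser does: the server entity-encodes a reflected value into a data- attribute, the browser decodes that attribute when script reads it, and an innerHTML sink revives the markup while textContent does not. The page template, the data-msg attribute, the payload and both sinks are assumptions.

```python
"""Raw response vs DOM: an entity-encoded value in an attribute is decoded by the
browser before client-side script reads it, so an innerHTML sink revives the markup.

Added example, not from the original post. The page template, the client-side
sinks and the payload are assumptions used to simulate browser behaviour in Python.
"""
from html import escape
from html.parser import HTMLParser

PAYLOAD = "<img src=x onerror=alert(1)>"

# Constructed raw response: the server HTML-encoded the reflected value, so
# in Burp it reads as &lt;img ... &gt; and looks safe.
RAW_RESPONSE = f'<div id="banner" data-msg="{escape(PAYLOAD)}"></div>'


class _AttrCollector(HTMLParser):
    """Collect attributes as the browser exposes them via getAttribute/dataset: entity-decoded."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)  # html.parser unescapes attribute values for us


def dom_attribute(raw_html, name):
    """What el.getAttribute(name) returns after the browser has parsed raw_html."""
    p = _AttrCollector()
    p.feed(raw_html)
    return p.attrs.get(name, "")


class _HandlerFinder(HTMLParser):
    """Find elements carrying on* event-handler attributes, i.e. script that would run."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [(tag, k, v) for k, v in attrs if k.lower().startswith("on")]


def live_handlers(markup):
    """Event handlers present once `markup` is parsed as HTML."""
    f = _HandlerFinder()
    f.feed(markup)
    return f.handlers


def sink_innerhtml(value):
    """Simulated el.innerHTML = value: the string is parsed as markup."""
    return value


def sink_textcontent(value):
    """Simulated el.textContent = value: serialised as text, tags stay inert."""
    return escape(value)


def handlers_after_client_render(raw_html, sink):
    """Simulate client code doing: el.innerHTML (or textContent) = el.dataset.msg."""
    return live_handlers(sink(dom_attribute(raw_html, "data-msg")))


if __name__ == "__main__":
    print("raw response:", RAW_RESPONSE)
    print("handlers in raw response:", live_handlers(RAW_RESPONSE))  # []
    print("after innerHTML sink:", handlers_after_client_render(RAW_RESPONSE, sink_innerhtml))
    # [('img', 'onerror', 'alert(1)')]
    print("after textContent sink:", handlers_after_client_render(RAW_RESPONSE, sink_textcontent))  # []
```

Grepping the proxied response for `<img` finds nothing, which is exactly the false negative the tip warns about; only the value the client reads, and the sink it feeds, decide whether the handler fires.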
XSS Tip: Unicode normalization
Don't give up if <, >, " or ' are filtered! Many apps normalize Unicode (NFKC) after the WAF/security layer, so fullwidth look-alikes walk past the filter and then collapse to the ASCII originals.
Some bypass variants (fullwidth forms, URL-encoded as UTF-8):
- < → %EF%BC%9C (U+FF1C)
- > → %EF%BC%9E (U+FF1E)
- " → %EF%BC%82 (U+FF02)
- ' → %EF%BC%87 (U+FF07)
- ` → %EF%BD%80 (U+FF40)
For example, inject %EF%BC%9Cscript%EF%BC%9E and check whether it comes back as <script> in the response or in the DOM.
Automate these quirks with recollapse: https://t.co/bHlpRNB0tK
#BugBounty #BugBountyTips #XSS #Pentest #Infosec #CyberSecurity
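An added example (not the original post's code and not recollapse itself) that derives the percent-encoded fullwidth variants above from the Unicode block offset and shows why the order of filtering and normalization decides whether the bypass works. The naive_filter and normalising_backend functions are assumptions standing in for a WAF and an NFKC-normalising application.

```python
"""Fullwidth look-alikes that pass a metacharacter filter and then collapse to
ASCII when the application NFKC-normalises the input.

Added example, not from the original post or the recollapse tool: the naive
filter and the normalising backend are assumptions that model the bug class.
"""
import unicodedata
from typing import Optional
from urllib.parse import quote

METACHARS = "<>\"'`"
# U+0021..U+007E map to the fullwidth block U+FF01..U+FF5E (offset 0xFEE0).
ASCII_TO_FULLWIDTH = {c: chr(ord(c) + 0xFEE0) for c in METACHARS}


def url_encoded_variant(ch):
    """Percent-encoded UTF-8 of the fullwidth form of one ASCII metacharacter."""
    return quote(ASCII_TO_FULLWIDTH[ch], safe="")


def fullwidth_payload(payload):
    """Rewrite every filtered metacharacter in payload as its fullwidth form."""
    return "".join(ASCII_TO_FULLWIDTH.get(c, c) for c in payload)


def naive_filter(value: str) -> Optional[str]:
    """Assumed WAF/security layer: reject input containing an ASCII metacharacter."""
    return None if any(c in value for c in METACHARS) else value


def normalising_backend(value: str) -> str:
    """Assumed application layer: NFKC-normalise (common for search, usernames, slugs)."""
    return unicodedata.normalize("NFKC", value)


def vulnerable_pipeline(value):
    """Filter first, normalise afterwards: the fullwidth bypass works."""
    kept = naive_filter(value)
    return None if kept is None else normalising_backend(kept)


def hardened_pipeline(value):
    """Normalise first, then filter/encode: the look-alikes are caught."""
    return naive_filter(normalising_backend(value))


if __name__ == "__main__":
    for ch in METACHARS:
        print(f"{ch} -> {url_encoded_variant(ch)}  (U+{ord(ASCII_TO_FULLWIDTH[ch]):04X})")
    probe = fullwidth_payload("<script>alert(1)</script>")
    print("vulnerable:", vulnerable_pipeline(probe))   # <script>alert(1)</script>
    print("hardened:", hardened_pipeline(probe))       # None
```

The defensive rule the hardened pipeline illustrates: normalise (and decode) once, as early as possible, and apply filtering and output encoding to the canonical form, never to the bytes that arrived on the wire.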
#XSS Tip:
1. Spot a data-... attribute in the HTML response.
2. Example: <div data-user-id="123">
3. Test the attribute name as a new GET/POST param: ?user=REFLECTED or ?userId=REFLECTED
4. Result: <div data-user-id="REFLECTED">
The attribute name often mirrors a hidden reflected parameter name!
#BugBounty #Infosec #WebSecurity #Pentest #BugBountyTips
Honored to be among the Top Performing Hunters in 2025 on YesWeHack
Really happy to hunt on YesWeHack: great platform and great experience
#CyberSecurity #BugBounty #YesWeHack #XSS
Happy to have been rewarded for discovering a hidden XSS vulnerability with Onetest, a new tool for discovering hidden XSS!
Curious to test it out? Join the Discord and give it a try: https://t.co/pJ74EanUnG
#XSS #BugBounty #WebSecurity #Onetest
Onetest Extension is now in free beta. Join our Discord for the download link, install guide and your API key. Tell us about any bugs and share ideas for improvements.
https://t.co/UXVScjE7HU
#BugBounty #XSS #OneTest
Join the OneTest Discord! The XSS extension is running a bit late, but we're working hard to ship the beta ASAP. Check out this quick demo video; all updates and test-lab access will be shared there. See you inside!
https://t.co/UXVScjE7HU
I think I've found 70% of my XSS vulnerabilities automatically in BBP with a tool. I think it can be useful for bb hunters and pentesters. I'll give details of the tool and a test phase in the next few days.
What's your go-to method to find XSS quickly?
Stay tuned
1/6 Tired of manually testing every parameter hoping to find an XSS?
Yeah us too. It's time-consuming, repetitive, and let's be honest, not the most exciting part of the job.
So we built a Burp Suite extension @onetestfr to automate the entire process (Caido coming soon).
Rewarded for multiple XSS in bug bounty. Found them with Onetest, the upcoming tool made for XSS hunters. It's clean, fast, and built to find what others miss. Coming soon #bugbounty #xss #Onetest #infosec
Bug bounty XSS Tip: Found a vulnerable GET parameter? Always check its context in the response!
Example:
If the GET param name is vulnerable and shows up in <script> as _cq.name = '[INJECTION]'..., the object is probably filled from request parameters generically: collect every other property assigned on _cq. across all responses and test each one as a parameter name. You could discover more hidden XSS!
#BugBounty #CyberSecurity #WebSecurity #AppSec #InfoSec
XSS Tip: If you find a vulnerable parameter on your target, test all parameters with a similar name structure!
Example:
Vulnerable param found: "user_name"
Test all params starting with "user_": they are probably handled by the same code path and rendered by the same template.
#BugBounty #CyberSecurity #Infosec #AppSec #BugBountyTips
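The three naming tips (the data- attribute prefix, the other properties assigned on _cq., and siblings of a vulnerable name such as user_) all come down to mining responses for candidate parameter names. The following added example (not the author's tooling) does that with a few regexes; the naming variants, the constructed pages and the observed-parameter set are assumptions.

```python
"""Turn what responses already leak into parameter-name candidates:
data-* attribute names, properties assigned on a JS object such as _cq, and
siblings of a known-vulnerable name that share its prefix.

Added example, not the author's method or tooling: the regexes, the naming
variants and the constructed pages are assumptions.
"""
import re

DATA_ATTR = re.compile(r"\bdata-([A-Za-z0-9_-]+)\s*=")
# obj.prop = '...' or obj.prop = "..." inside inline script
JS_PROP_ASSIGN = re.compile(r"([A-Za-z_$][\w$]*)\.([A-Za-z_$][\w$]*)\s*=\s*['\"]")


def split_words(name):
    """user-id, user_id and userId all become ['user', 'id']."""
    return [w for w in re.split(r"[-_]|(?<=[a-z0-9])(?=[A-Z])", name) if w]


def name_variants(name):
    """Spellings worth sending for one leaked name: user_id, user-id, userId, user, id."""
    words = [w.lower() for w in split_words(name)]
    if not words:
        return set()
    out = {"_".join(words), "-".join(words),
           words[0] + "".join(w.capitalize() for w in words[1:]), words[0]}
    if len(words) > 1:
        out.add(words[-1])
    return out


def data_attribute_candidates(body):
    """Candidate params from every data-* attribute in a response."""
    cands = set()
    for attr in DATA_ATTR.findall(body):
        cands |= name_variants(attr)
    return cands


def object_properties(obj, bodies):
    """Every property assigned on `obj` across all collected responses.
    If obj.name reflected ?name=, obj.<other> probably reflects ?<other>=."""
    return {prop for body in bodies for o, prop in JS_PROP_ASSIGN.findall(body) if o == obj}


def prefix_siblings(vulnerable, observed):
    """Observed params sharing the vulnerable name's prefix: user_name -> user_id, user-role."""
    m = re.match(r"^([A-Za-z0-9]+)[-_]", vulnerable)
    if not m:
        return set()
    prefix = m.group(1).lower()
    return {p for p in observed
            if p.lower().startswith((prefix + "_", prefix + "-")) and p != vulnerable}


# Constructed responses standing in for a target's pages.
SAMPLE_PAGES = [
    '<div data-user-id="123" data-order-ref="A1"></div>'
    "<script>_cq.name = 'alice'; _cq.email = 'a@example.test';</script>",
    "<script>_cq.city = 'Paris'; other.name = 'x';</script>",
]

if __name__ == "__main__":
    print(sorted(data_attribute_candidates(SAMPLE_PAGES[0])))
    print(sorted(object_properties("_cq", SAMPLE_PAGES)))      # ['city', 'email', 'name']
    print(sorted(prefix_siblings("user_name", {"user_name", "user_id", "user-role", "id"})))
    # ['user-role', 'user_id']
```

Feed the candidate set into the reflection probe from the checkout tip (or Burp Intruder) with a unique canary per name; the observed-parameter set for prefix_siblings is whatever your proxy's site map has already collected.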
XSS Tip: When dealing with WAFs, try splitting your payload across multiple parameters that are reflected into the same response, so that no single value contains the full signature; when they land in the same script block, JavaScript comments (/* ... */) can join the fragments. This trick can help you bypass filters and trigger the vulnerability! I've had great success with this technique!
#BugBounty #XSS #BugBountytips #WebSecurity
XSS Tip: When a param is filtered by the WAF, try adding the same parameter multiple times in your request (HTTP parameter pollution)! The WAF and the application may not agree on which copy counts (first, last or all of them joined), so the WAF can inspect a harmless copy while the app renders the malicious one. This can lead to surprising and unexpected results, potentially bypassing the WAF :)!
#CyberSecurity #XSS #WebSecurity #HackingTips #BugBounty
XSS Tip: When a request returns a JSON response, still test XSS payloads on the parameters sent in that request! The values are often stored and rendered later as HTML on other pages, leading to vulnerabilities! I've found plenty of XSS this way. Stay sharp! #BugBounty #XSS #CyberSecurity #WebSecurity