Olivia
Online
hello-testers
@HelloTeste16541
Joined July 2024
392 Following
3 Followers
124 Posts
IDOR Leading to Account Takeover via Email Reassignment https://t.co/097YcT10vN #bugbounty #bugbountytips #bugbountytip
JWT SQL Injection
jti (JWT ID) is stored in a DB to prevent token replay.
That lookup is injectable.
"jti": "' OR '1'='1"
Try it: https://t.co/A01VkoVnjK
Full technique: https://t.co/r4ePoKUoFo
#hack2earn #bugbounty #jwt
How I Discovered a Reflected XSS in Accept-Language Header by Sri Laki Varma https://t.co/feFsrklSnV #bugbounty #bugbountytips #bugbountytip
Exploiting Insecure WebViews: XSS and LFI by Sri Laki Varma https://t.co/NJGjcTo427 #bugbounty #bugbountytips #bugbountytip
Brute SVG Collection
- Use in uploads or rendered remote calls
XSS (no image) https://t.co/0U9DhKgMb4
XSS (valid image) https://t.co/1MqHvvne19
Redirect (default) https://t.co/MuJZXNFLNS
Redirect (custom + warning) https://t.co/QhvFoQvJ9E
Blind XSS https://t.co/QlmvLTZfnA
🦇 How I Took Over Any Account on a Major Platform With One Click — A Client-Side Path Traversal Story
Blog: https://t.co/8hoBBPzmOJ
Author: @hamidonsolo
Most automated scanners miss SSRF because they fail to bypass modern WAF configurations. 🛡️
Here is a quick 3-step checklist to test when you hit a firewall:
1/3
🔁 XXE vulnerabilities remain one of the most difficult injection attacks to spot! 🧐
However, that doesn't have to be the case, as sometimes, they're hidden in plain sight... even in modern applications! 🤠
Our advanced guide covers external DTD bypasses, parameter entity attacks, and blind XXE exploitation, all with payloads for several exploitation scenarios! 😎
Check it out!👇
https://t.co/l9zFtz1kL3
Bug bounty TIPS!
➡️ verified=false → true, “true”, "True", "TRUE", 1, "1", “yes”
➡️ /v3/users/1234 → v1, v0, internal, beta, legacy
➡️ quantity=100 → -1, 0, 9999999999, 1.82376931348623157e+308
➡️ role=”user” → “admin”, ”, null “system”
Thanks #bugcrowd for this
#bugbounty
Just for records, this SQL took me a weeks try exploited with some friends who have good background in SQL and no luck, so big congratulations for this find ❤️
Nice exploit & write
No quotes
No spaces
No Parentheses
No Semicolons
Still SQLi....
Collab with @or4nge16hehe
https://t.co/3sImxZUAzs
#bugbounty
Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification https://t.co/ae1wxH3yiT
Finding Critical Bugs in Adobe Experience Manager (AEM) https://t.co/6nqra8PbHO
From Source Code Review to Critical Vulnerability: Critical Firebase API Takeover by 0xm0r4d https://t.co/Ip9JWcz5nt #bugbounty #bugbountytips #bugbountytip #infosec #Firebase
🧰 𝗠𝗨𝗦𝗧-𝗛𝗔𝗩𝗘 𝗕𝗨𝗥𝗣 𝗦𝗨𝗜𝗧𝗘 𝗘𝗫𝗧𝗘𝗡𝗦𝗜𝗢𝗡𝗦
𝗙𝗢𝗥 𝗪𝗘𝗕 𝗣𝗘𝗡𝗘𝗧𝗥𝗔𝗧𝗜𝗢𝗡 𝗧𝗘𝗦𝗧𝗜𝗡𝗚
━━━━━━━━━━━━━━━━━━
🔐 𝗔𝗨𝗧𝗛𝗢𝗥𝗜𝗭𝗔𝗧𝗜𝗢𝗡 & 𝗔𝗖𝗖𝗘𝗦𝗦 𝗖𝗢𝗡𝗧𝗥𝗢𝗟
• BurpLay → replay requests to detect privilege escalation
• AuthMatrix → test access across roles
• Autorize → auto-detect authorization flaws
• Auth Analyzer → test with custom tokens
• Burp SessionAuth → session-based privilege issues
• Authz → quick authorization testing
━━━━━━━���━━━━━━━━━━
🔁 𝗥𝗘𝗤𝗨𝗘𝗦𝗧 𝗔𝗨𝗧𝗢𝗠𝗔𝗧𝗜𝗢𝗡
• AutoRepeater → automate request replay + diff
• IncrementMe Please → auto-increment parameters
━━━━━━━━━━━━━━━━━━
🔍 𝗥𝗘𝗖𝗢𝗡 & 𝗗𝗜𝗦𝗖𝗢𝗩𝗘𝗥𝗬
• LinkFinder → extract endpoints from JS
• JS Miner / JS Parser → find sensitive data in JS
━━━━━━━━━━━━━━━━━━
🔐 𝗧𝗢𝗞𝗘𝗡 & 𝗔𝗨𝗧𝗛 𝗧𝗘𝗦𝗧𝗜𝗡𝗚
• JWT Editor → test JWT vulnerabilities
• Turbo Intruder → high-speed attacks (race, brute)
━━━━━━━━━━━━━━━━━━
🧪 𝗙𝗨𝗭𝗭𝗜𝗡𝗚 & 𝗦𝗖𝗔𝗡𝗡𝗜𝗡𝗚
• ActiveScan++ → improved scanning coverage
• Backslash Powered Scanner → injection detection
━━━━━━━━━━━━━━━━━━
📦 𝗔𝗗𝗩𝗔𝗡𝗖𝗘𝗗 𝗔𝗧𝗧𝗔𝗖𝗞𝗦
• HTTP Request Smuggler → find smuggling bugs
• Content Type Converter → bypass filters
━━━━━━━━━━━━━━━━━━
🧠 𝗣𝗥𝗢𝗗𝗨𝗖𝗧𝗜𝗩𝗜𝗧𝗬
• Logger++ → advanced request logging
• Flow → visualize request flow
━━━━━━━━━━━━━━━━━━
⚠️ 𝗥𝗘𝗔𝗟𝗜𝗧𝗬
Installing tools ≠ finding bugs
Understanding logic = finding bugs
━━━━━━━━━━━━━━━━━━
🎯 𝗨𝗦𝗘 𝗧𝗛𝗜𝗦 𝗟𝗜𝗞𝗘 𝗔 𝗣𝗥𝗢
Start with recon → test auth → fuzz → automate → verify
━━━━━━━━━━━━━━━━━━
🔗 𝗕𝘂𝗿𝗽 𝗘𝘅𝘁𝗲𝗻𝘀𝗶𝗼𝗻𝘀 (𝗢𝗳𝗳𝗶𝗰𝗶𝗮𝗹)
https://t.co/UrWqcuPRJe
━━━━━━━━━━━━━━━━━━
#BurpSuite #WebSecurity #Pentesting #BugBounty #InfoSec
WHAT THE HACK HAPPENS IN THIS YEAR!
cPanel & WHM - Auth bypass (CVE-2026-41940)
here is the exploit POC: https://t.co/uLFJ5XqTc0
Join my bugbounty telegram chennal: https://t.co/J6uPf8H57o
#bugbounty #cpanel #cve
Environment Cross-Trust: Leveraging Staging APIs to Buy for $0.00 by Pedro P. https://t.co/7aVc4HhHWz #bugbounty #bugbountytips #bugbountytip #infosec #APISecurity
$800 Bounty: Privilege Escalation via API — From Scheduler to Team Admin by @a13h1_
https://t.co/jQsEaLNnPw
Last Seen Users on Sotwe
.
Seen from Australia
Arzuberk35 
Seen from Turkey
pp đang tập cơ bụng:)
Seen from Thailand
akudinda
Seen from Malaysia
Ko Kaung95
Seen from Japan
tantebecek
Seen from Oman
Eş Sevgili İfşa Paylaşım Platformu
Seen from Turkey
Gavat Kocaların Boynuz Yeme Mekanı
Seen from Turkey
Baiki
Seen from Indonesia
إيفان
Seen from Netherlands
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.9M followers
Taylor Swift
@taylorswift13
80.7M followers
Lady Gaga
@ladygaga
72.2M followers
Kim Kardashian
@kimkardashian
69.4M followers
Virat Kohli
@imvkohli
68.6M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.2M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60M followers