I earned $6,000 for an SSO bypass in @Hacker0x01!
💡Tip:
Always test authentication endpoints with encoded whitespace. A simple %20 (trailing space) bypassed SSO completely and fell back to the legacy login flow.
The Issue:👇
The application normalized input after checking for SSO eligibility. By appending an encoded space to the email parameter, the check failed and the request was routed to the standard auth flow.
#bugbountytips #hackerone
🚨 Google Tag Manager + CSP = XSS? 🤯🔥
A common CSP setup recommended for Google Tag Manager can open the door to XSS attacks. Bug hunters and pentesters should know this trick. 👀
🔍 Read: https://t.co/ruSV0cgCD4
💎 More bug bounty tips & writeups:
👉 https://t.co/FeMz53HSN0
Prompt Injection via PDF -> AI Data Leak
POC ->
1. Uploaded a PDF containing hidden instructions
2. AI assistant processed the document for analysis
3. Malicious prompt overrode system behavior
4. Internal prompts and sensitive data were exposed
Learning ->
1. Treat uploaded documents as untrusted input
2. Separate AI instructions from document content
#BugBounty #CyberSecurity #BugBountyTips #InfoSec #AISecurity
Bug Hunting!
You learn the fundamentals, understand how things work, then start digging into the code or the application itself to find vulns.
In the past, during manual code reviews, we’d spend a lot of time using IDE search, grep, and regex to find interesting patterns or potential issues. With LLMs, you can get a decent understanding of how a system works very quickly and start asking questions like “what could go wrong here?” or “where are the trust boundaries?”. The model will often point you toward interesting areas to investigate.
Sure, hallucinations happen. That’s why expertise still matters. If you understand the domain, you can push back, provide better context, and validate the findings yourself. But if you know what you’re doing, you’ll find some pretty juicy stuff a lot faster than before.
My advice:
- Learn English
- Learn the fundamentals
- Give the LLM the right context
- Push back and use critical thinking
- Make money with LLMs
Also, think about cost. If a task can be solved with a deterministic function, do that instead of throwing it at an LLM. If you’re spending more than you’re making, it’s probably time to rethink your approach.
PDF Generator SSRF -> Internal Service Access
POC ->
Found feature that converted URLs to PDF
Supplied internal URL instead of public website
PDF service fetched internal resource
Retrieved data from internal services
Learning ->
Restrict URL fetching in PDF generators
Block access to internal IP ranges
#BugBounty #CyberSecurity #BugBountyTips #InfoSec
Found a 1-click account takeover via postMessage. No phishing, no fake login page, just one click and a full-access token.
Wrote up the full breakdown and also gave the whole site a little revamp while I was at it.
https://t.co/piH3rZg9LN
I created a challenge based on one of my Google bugs worth $12,000. It is an OAuth misconf. I will drop a writeup for it soon; before that, give it a try and practice. It doesn't matter if you are capable of solving it or not, just click and start poking 🙂
https://t.co/lAW53dVyk5
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
To guys who are struggling to get their first valid bug/bounty, this is a list of self-hosted bug bounty programs that paid me for reporting vulnerabilities:
- https://t.co/Cv72T2Px6C
- https://t.co/xSuSIJIw64
- https://t.co/i7EXfoyBNA
- https://t.co/zlA1IEr1LC
More in comments
PDF Generator Injection → SSRF
POC →
- Tested PDF export feature
- Injected external image URL in HTML
- PDF service fetched attacker-controlled URL
- Accessed internal network resources via SSRF
Learning →
- Sanitize HTML used in PDF generation
- Restrict outbound requests from backend services
#infosec #bugbounty #bugbountytips
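Both PDF-generator SSRF posts above end with the same mitigation: restrict what the backend fetcher may reach and block internal IP ranges. As an added example (not code from any of these posts), here is a Python pre-fetch check that resolves the hostname first and rejects any record that is not globally routable; the `DEMO_DNS` table and its hostnames are constructed so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_internal_address(ip_text: str) -> bool:
    """True for any address a backend fetcher must never contact (private, loopback, link-local/metadata, multicast, unroutable)."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global

def _system_resolver(host: str) -> set:
    # Every A/AAAA record the host maps to, not just the first one.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_fetch_url(url: str, resolver=_system_resolver):
    """Decide whether the PDF/HTML fetcher may request this URL.
    Returns (allowed, reason) and fails closed on anything it cannot classify."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if "@" in parts.netloc:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)        # literal IP: no DNS lookup needed
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)        # hostname: resolve every record
        except (OSError, ValueError):
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if is_internal_address(addr):     # one bad record rejects the host
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"

DEMO_DNS = {  # constructed offline lookup table; the hostnames are invented
    "public.example": {"93.184.216.34"},
    "internal.corp": {"10.0.0.5"},
    "rebinder.example": {"93.184.216.34", "127.0.0.1"},  # mixed records
}
def demo_resolver(host: str) -> set:
    if host not in DEMO_DNS:
        raise ValueError(f"unknown host {host!r}")
    return DEMO_DNS[host]
```

The lookup happens before the fetch, so the HTTP client must connect to the address that was checked (and re-run the check on every redirect) or a DNS answer that changes between check and fetch still gets through.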
If an app fetched PDFs via ?url=http://internal.corp/file.pdf — classic SSRF setup. Bypass? Enumerate internal PDF subdomains. Swap the file ID → other users' docs. SSRF + IDOR chained.
🔥 #bugbounty #SSRF