![NullSecurityX's tweet photo. App returns:
{"msg": "Welcome, USER!"}
Inject
"}]},"x":1,"y":"<script>alert(1)</script>
👉 If parsed into DOM (e.g., via innerHTML), it’s game over.
⚠️ Watch for JSON.parse() + DOM sink patterns.
#XSS #JSONInjection #AppSec #bugbounty](https://pbs.twimg.com/media/Gt0xMhPXEAAbkyi.png)
Olivia
Online
Er Pratik Panchal🐬
@iDiablo5
💻 = 'print("Playing on :", (@Hacker0x01 + @SynackRedTeam))' exec(💻)
Ahmadabad City, India
Joined July 2014
453 Following
1.4K Followers
2.1K Posts
Popping alert(1) doesn't show REAL impact.
Escalate your XSS by stealing cookies instead👇
Better XSS escalation paths here: https://t.co/aQoQJrGDyf
🧠 Path Traversal in Zip Upload
1️⃣ App extracts user-uploaded ZIP files
2️⃣ Payload includes ../../../../etc/passwd
3️⃣ No sanitization on file paths
4️⃣ Files written outside intended dir
🎯 ZIP → arbitrary write
#bugbounty #pathtaversal
#bugbountytip
SQL Injection Payload
i was able to locate a SQL injection very hard to exploit , with digging I successfully got it with the sleep payload
''||(select 1 from (select pg_sleep(6))x)||'
==> i added as well to my SQL wordlist
happy hunting ♥
#bugbountytips #bugbountytip #bugbounty
CF-Hero is a simple tool that helps you discover the origin IP of Cloudflare-protected servers using multiple sources! 😎
🔗 https://t.co/FyAfHezcun
App returns:
{"msg": "Welcome, USER!"}
Inject
"}]},"x":1,"y":"<script>alert(1)</script>
👉 If parsed into DOM (e.g., via innerHTML), it’s game over.
⚠️ Watch for JSON.parse() + DOM sink patterns.
#XSS #JSONInjection #AppSec #bugbounty
![NullSecurityX's tweet photo. App returns:
{"msg": "Welcome, USER!"}
Inject
"}]},"x":1,"y":"<script>alert(1)</script>
👉 If parsed into DOM (e.g., via innerHTML), it’s game over.
⚠️ Watch for JSON.parse() + DOM sink patterns.
#XSS #JSONInjection #AppSec #bugbounty](https://pbs.twimg.com/media/Gt0xZ1ZXwAAqCJK.jpg)
🧠 IDOR in Mobile API
1️⃣ Mobile app uses incremental user IDs: /api/user/1023
2️⃣ No auth check on user ID param
3️⃣ Change ID → access others' PII
4️⃣ Full account takeover via mobile
🎯 Predictable IDs + missing auth = 💥
#bugbounty #idor #mobileapp #infosec
Discovered a cool Windows LFI during a pentest in a widely used tool. This might be a 0-day — I found over 5k+ affected installations. Possibly another CVE in the pipeline.
Payload: /login/xxx/CustomImages.aspx?XXXX=logo.png..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cPFRO.log #BugBounty
🧠 WAF Bypass via JSON-Based SQLi
1️⃣ WAF blocks classic payloads in query params
2️⃣ App parses JSON body: {"user":"admin' OR 1=1--"}
3️⃣ WAF doesn’t inspect JSON deeply
4️⃣ Payload reaches backend → SQLi triggers
🎯 JSON input → stealth injection
#bugbounty #wafbypass #sqli
LLMs are getting scary good at red teaming.
AIRTBench just dropped 70 black-box CTFs, no hints.
Models had to write real code to find + exploit vulns.
Results:
Claude 3.5: 61%
GPT-4.5: 49%
Llama 4: 10%
And did it 5000× faster than humans.
Read it: https://t.co/ROeZzy6c2r
#AI #Cybersecurity #LLM #CTF #AIRTBench
Top 100+ Web Vulnerabilities, Categorised Into Various Types:
> Injection Vulnerabilities
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Remote Code Execution (RCE)
5. Command Injection
6. XML Injection
7. LDAP Injection
8. XPath Injection
9. HTML Injection
10. Server-Side Includes (SSI) Injection
11. OS Command Injection
12. Blind SQL Injection
13. Server-Side Template Injection (SSTI)
14. CRLF Injection
15. NoSQL Injection
16. HQL Injection
> Broken Authentication and Session Management
17. Session Fixation
18. Brute Force Attack
19. Session Hijacking
20. Password Cracking
21. Weak Password Storage
22. Insecure Authentication
23. Cookie Theft
24. Credential Reuse
25. Insecure Login Pages
26. Insecure Session IDs
27. Predictable Login Credentials
> Sensitive Data Exposure
28. Inadequate Encryption
29. Insecure Direct Object References (IDOR)
30. Unencrypted Data Storage
31. Missing Security Headers
32. Insecure File Handling
33. Information Leakage in Logs
34. Hardcoded Secrets
> Security Misconfiguration
35. Default Passwords
36. Directory Listing
37. Unprotected API Endpoints
38. Open Ports and Services
39. Misconfigured Error Handling
40. Stack Traces Exposed
41. Verbose Error Messages
42. Insecure Default Configurations
43. Insufficient Backup Procedures
44. Misconfigured Security Headers (e.g., X-Frame-Options)
> Improper Access Controls
45. Information Disclosure
46. Unpatched Software
47. Misconfigured CORS
48. HTTP Security Headers Misconfiguration
49. Lack of Access Control on Administrative Interfaces
50. Directory Traversal
51. Weak File Permissions
> XML-Related Vulnerabilities
52. XML External Entity (XXE) Injection
53. XML Entity Expansion (XEE)
54. XML Bomb
55. XML Signature Wrapping
> Broken Access Control
56. Inadequate Authorization
57. Privilege Escalation
58. Forceful Browsing
59. Missing Function-Level Access Control
60. Unvalidated Redirects and Forwards
61. Excessive Data Exposure
> Insecure Deserialization
62. Remote Code Execution via Deserialization
63. Data Tampering
64. Object Injection
65. Type Confusion
> API Security Issues
66. Insecure API Endpoints
67. API Key Exposure
68. Lack of Rate Limiting
69. Inadequate Input Validation
70. Lack of Proper Authentication
71. Improper API Endpoint Security
> Insecure Communication
72. Man-in-the-Middle (MITM) Attack
73. Insufficient Transport Layer Security (TLS)
74. Insecure SSL/TLS Configuration
75. Insecure Communication Protocols
76. Deprecated Cryptographic Algorithms
77. Lack of Encryption in Transit
> Client-Side Vulnerabilities
78. DOM-based XSS
79. Insecure Cross-Origin Communication
80. Browser Cache Poisoning
81. Clickjacking
82. HTML5 Security Issues
83. Client-Side URL Redirection
84. Form Hijacking
85. WebSocket Security Issues
> Denial of Service (DoS)
86. Distributed Denial of Service (DDoS)
87. Application Layer DoS
88. Resource Exhaustion
89. Slowloris Attack
90. XML Denial of Service
91. HTTP Flood Attack
92. UDP Amplification Attack
> Other Web Vulnerabilities
93. Server-Side Request Forgery (SSRF)
94. HTTP Parameter Pollution (HPP)
95. Insecure Redirects and Forwards
96. File Inclusion Vulnerabilities (LFI/RFI)
97. Security Header Bypass
98. Inadequate Session Timeout
99. Insufficient Logging and Monitoring
100. Business Logic Vulnerabilities
101. API Abuse
102. JSON Web Token (JWT) Security Issues
103. Insufficient Anti-Automation Measures
> Mobile Web Vulnerabilities
104. Insecure Data Storage on Mobile Devices
105. Insecure Data Transmission on Mobile Devices
106. Insecure Mobile API Endpoints
107. Mobile App Reverse Engineering
108. Weak Mobile Authentication and Authorization
🧑💻 How to get started with Secure Code Review for Beginners
Video: https://t.co/MlJDA9Z8LK
#infosec
🏴 Bypass AI Powered WAFs 🏴
More and more firewalls are relying on AI to detect attacks. However, these AI powered web application firewalls can by bypassed just as easy as the old school ones.
https://t.co/6WPqDOXYQz
#bugbountytips #WAF #Infosec #bugbountytip #XSS #redteam
Free @owasp API top 10 notebook in notion:
https://t.co/a1gAvdfyTY
YES I KNOW IT IS THE OLD VERSION <3
CORS misconfigurations are one of the most underestimated vulnerability types! 👀
If you're neglecting them... you're potentially missing out on high severity bugs! 🧐
In our latest article, we've outlined 8 different CORS exploitation scenarios—including some advanced & browser-specific cases! 😎
Read the article today! 👇
https://t.co/VdPL2fS6ne
Here's my first writeup about Basic Authentication Bypassed via Simple Misconfiguration ⏳
https://t.co/0QUoNC1yuj
#BugBounty #bugbountytips #infosec #misconfigurations #CyberSecurity
AD Hacking resources (just sharing)
Source: https://t.co/8tZCbURWO4
Bypassing Disabled Function via API Manipulation
1) Go to the source code, locate where the function is disabled: true, and change it to false.
2) Intercept the PUT request in Burp Suite.
3) Modify the request body (e.g., limit=1000000) and send it.
#bugbountytips #bugbounty
💥 GitLab Password Reset via Account Takeover Vulnerability paid $35,000 😬
Read the full POC on my telegram channel https://t.co/toRnZMacWL
CAPIE - Certified API Hacking Expert - Lesson material
[WITH CERT OF COMPLETION]- 114 Lessons
Link: https://t.co/9F5ci1kA40
Coupon Code: FEWSDVFVDSF
Did you know you can set Proxify as an upstream proxy? Here's how you do it! 👇
Check out the change of User-Agent once the request is forwarded from Burp Suite to Proxify to the web server.
#proxify #burpsuite #hackwithautomation
Last Seen Users on Sotwe
กระแทกหนูไหม18+
Seen from Thailand
Tuncer Vip Tanıtım
Seen from Turkey
Cift5340fpasif
Seen from Turkey
GençKuduruk
Seen from Turkey
Public Gay Video
Seen from United States
Ffchydc
Seen from United States
يمنيه حلوه
Seen from France
Türk İfşa Paylaşımları
Seen from Turkey
阿薰kaOri
Seen from Russia
@cholitascasero peru
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.3M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
87M followers
Taylor Swift
@taylorswift13
80.8M followers
Lady Gaga
@ladygaga
72.4M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
68.8M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.5M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.4M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.1M followers