A few months ago, I found a Prompt Injection vulnerability on Google Tasks.
It was simple, yet tricky.
Google rewarded me with a $15,000 bounty for it.
Here's the full story:
$312,500 worth of stored/reflected XSS vulnerabilities in Meta’s Conversions API Gateway allowed JavaScript code to run on any Facebook domain and millions of third-party websites. The flaw enabled zero-click Facebook account takeover and more:
https://t.co/7gWpR4LQ8x
Alright, so to end 2025 I am going to post something that people have been requesting for quite some time. As a lot of you know, I have made over $1 million from SSRF vulnerabilities alone. #ssrftips Below I will provide some information on some of the ways that I beat the blacklists/deny lists and cashed in. Any method I post below has worked for me personally in the past. I am not claiming that any of these ways are 'my' discoveries, and in no way am I trying to claim others' work as my own. Simply answering a question that gets asked of me almost daily. #bugbounty #bugbountytips #togetherwehitharder #ittakesacrowd #hackers #hacking #NewYearsEveBountyTips
So let's get into it:
Encoding:
Everyone knows (or should know) about the ability to encode IP addresses. What a lot of people don't know is that you can combine encoding types on a single IP. So instead of encoding the entire IP, encode single octets, etc.
Example: change the metadata IP to 0251.254.169.254. This octal-encodes the 1st octet only, leaving the rest of the IP the same. This is the exact method that allowed for my $180,000 from the Yahoo Bug Bounty Program in Oct 2018.
Redirects:
A lot of SSRF-vulnerable functionality will follow redirects. What many people don't consider is multiple redirects. Never stop at just one. I have found many instances where an SSRF followed all redirects, and would properly block the final redirect to the target internal service (internal IP/metadata server). DO NOT STOP AT 1 REDIRECT! Instead of a single redirect, set up a simple PHP redirect script that will redirect the request back to the same endpoint multiple times before finally sending it to the target IP/host. I have had many instances in the past where the target properly checks the response of the first 1, 2, 3 ... 6 redirects, then magically on the 7th it no longer performs any validation and allows you to hit the metadata. I can't explain why this happens, but it's happened enough that this is one of the very first things I test for when it comes to SSRF testing.
TOCTOU:
This is one of my favorites because it almost always can be used to bypass the initial fixes for an SSRF vulnerability. TOCTOU stands for Time of Check, Time of Use. When you pass a URL to an SSRF-vulnerable endpoint, the backend will take the host from it, resolve it (if it's not already an IP), check it against the allow/block list, then take action. Many frameworks will not cache the DNS lookup response that happens during the initial validation phase. When they forget to do this, having a subdomain properly set up for a TOCTOU check can allow for tricking their checks and hitting banned resources.
How it works: the server resolves https://t.co/aKo0eb63ft to 1.1.1.1 and does its checks to make sure it's not a blocked IP. After passing these checks the domain is passed to the function that will actually make the call. If the server did not cache the previous response, it will then resolve the host again as part of the flow to make the request. If you have a properly set up nameserver for this attack, then the instant they make the 1st DNS call, your server quickly changes the DNS entry and points it to the target IP (metadata/internal), so that when it gets to the function that makes the request, it resolves the host again and makes the request.
HTTP/2 vs HTTP/1.1 vs HTTP/1.0 vs HTTP/0.9:
Several have had success with this in the past. And again, I am not sure why this works sometimes. But if the request is using HTTP/2 and blocks your attempt, try changing it to an older version. I have had success with each of the above at least once (most of the time on Yahoo, but others as well).
Simple/more common things:
DNS rebinding: create a hostname on your domain pointing to localhost or an internal IP.
Simplify the IP. Example: 127.0.0.1 is blocked, so try 127.1, or 0.0.0.0, 0, etc.
There are tons of other ways that you can get creative and do things like this. This post is just sharing some of the more fun/more unique ways that I have had success in the past. This is not meant to be an exhaustive list of things to try, and is only meant to start your brain working to come up with weird/random/fun ways to beat the blacklists.
If you like the information, drop a like/comment/follow and let me know which of the above you have tried in the past, or are looking forward to trying out in 2026. If you end up having success with these, let me know as well!
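Added example, not from the post above: a small Python script showing why the octet-level encoding (0251.254.169.254), the shorthand forms (127.1, 0) and the DNS TOCTOU described in that post get past a naive filter, with the hardened check beside each weak one. The inet_aton()-style parser mirrors the permissive BSD grammar that many HTTP clients inherit; the resolver is a constructed stand-in for the attacker's nameserver, and the hostname attacker.example is hypothetical. Nothing here touches the network.

```python
"""Added example: canonicalising IPv4 literals and pinning DNS answers so the
SSRF tricks in the post above (octal octets, short forms, TOCTOU) stop working."""
import ipaddress
from typing import List, Optional

# Ranges an SSRF filter typically wants to keep requests away from.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def _c_number(part: str) -> Optional[int]:
    """Parse one dotted part the way inet_aton() does: 0x.. is hex, a leading 0
    means octal, anything else is decimal. None if the part is not a number."""
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    # int() would accept "1_0" or " 1"; inet_aton does not, so reject them here.
    if not digits or not (digits.isascii() and digits.isalnum()):
        return None
    try:
        return int(digits, base)
    except ValueError:
        return None


def parse_inet_aton(text: str) -> Optional[int]:
    """Turn an IPv4 literal into its 32-bit value using the BSD inet_aton()
    grammar: one to four parts, the last part filling every remaining byte, so
    "127.1" is 127.0.0.1 and "0" is 0.0.0.0. None for anything else."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values: List[int] = []
    for part in parts:
        value = _c_number(part)
        if value is None:
            return None
        values.append(value)
    *head, last = values
    if any(v > 0xFF for v in head) or last >= 256 ** (5 - len(values)):
        return None
    addr = 0
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return addr | last


def canonical_ipv4(text: str) -> Optional[ipaddress.IPv4Address]:
    value = parse_inet_aton(text)
    return None if value is None else ipaddress.IPv4Address(value)


def naive_is_blocked(host: str) -> bool:
    """The kind of denylist the post's tricks walk past: the raw string from the
    URL compared against a few spelled-out addresses."""
    return host in {"127.0.0.1", "0.0.0.0", "169.254.169.254"}


def hardened_is_blocked(host: str) -> bool:
    """Canonicalise first, then test the blocked ranges. A host that is not an
    IPv4 literal must be resolved and the *answer* checked (see fetch_pinned)."""
    addr = canonical_ipv4(host)
    return addr is not None and any(addr in net for net in BLOCKED_NETWORKS)


class RebindingResolver:
    """Constructed stand-in for the attacker's authoritative nameserver in the
    post's TOCTOU scenario: the first lookup returns a harmless public IP,
    every later lookup returns the internal target."""

    def __init__(self, first_answer: str, later_answer: str) -> None:
        self.first_answer, self.later_answer = first_answer, later_answer
        self.lookups = 0

    def resolve(self, host: str) -> str:
        self.lookups += 1
        return self.first_answer if self.lookups == 1 else self.later_answer


def fetch_vulnerable(host: str, resolver: RebindingResolver) -> str:
    """Validate one resolution, then hand the *hostname* to the HTTP client,
    which resolves it again. Returns the address that actually gets dialled."""
    if hardened_is_blocked(resolver.resolve(host)):
        raise ValueError("blocked")
    return resolver.resolve(host)  # second lookup: the attacker's new answer


def fetch_pinned(host: str, resolver: RebindingResolver) -> str:
    """Resolve once, check that answer, and dial it directly (a real client
    would keep the original hostname in the Host header / SNI)."""
    addr = resolver.resolve(host)
    if hardened_is_blocked(addr):
        raise ValueError("blocked")
    return addr  # no second lookup for the attacker to flip


if __name__ == "__main__":
    for literal in ("0251.254.169.254", "127.1", "0", "0x7f.1", "2130706433"):
        print(f"{literal:>18} -> {canonical_ipv4(literal)}  "
              f"naive={naive_is_blocked(literal)}  hardened={hardened_is_blocked(literal)}")
    print("vulnerable client dialled",
          fetch_vulnerable("attacker.example", RebindingResolver("1.1.1.1", "169.254.169.254")))
    print("pinned client dialled",
          fetch_pinned("attacker.example", RebindingResolver("1.1.1.1", "169.254.169.254")))
```

The check-then-dial split in fetch_pinned is the whole fix for the TOCTOU case; the redirect case from the same post needs the same check repeated on every hop, since each Location header is a fresh host that the client would otherwise resolve and dial unchecked.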
Use NextJS? Recon ✨
A quick way to find "all" paths for Next.js websites:
DevTools->Console
console.log(__BUILD_MANIFEST.sortedPages)
javascript:console.log(__BUILD_MANIFEST.sortedPages.join('\n'));
Cred = https://t.co/4hiJXDNlmU
#infosec #cybersec #bugbountytips
Onboard yourself - PaloAlto Global Protect edition:
1. Become local admin
2. Export device cert from original workstation
3. Import cert in your VM
4. Login with user creds
5. Enjoy EDR-free testing :)
How to grab all GraphQL queries/mutations if introspection is disabled?
1. Download all js files to directory js_files
2. Run this command:
grep -Eo '(query|mutation) [a-zA-Z0-9_]+\(' js_files -R
1/n
#bugbountytips #graphql
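Added example, not from the post above: the post's grep over a directory of downloaded JS bundles, wrapped in a shell function that also catches operations declared without a variable list (e.g. `query Me {`, which the post's regex misses because it requires a `(`) and de-duplicates names that appear in several chunks. The two bundle files are constructed here so the function can be tried offline; their contents are made up.

```sh
#!/bin/sh
# Added example: pull GraphQL operation names out of JS bundles when
# introspection is off. Sample bundles below are constructed, not real.

# Print "<kind> <Name>" for every GraphQL operation named in the bundles under $1.
# Limitations of a line-based grep: an operation whose keyword and name are split
# across a line break is missed, and a prose phrase such as "subscription Plan"
# is a false positive worth eyeballing.
extract_graphql_ops() {
    grep -Eroh '(query|mutation|subscription)[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$1" \
        | awk '{ print $1, $2 }' \
        | sort -u
}

# Write two constructed bundle files that mimic a minified build and print the dir.
make_sample_bundles() {
    dir=$(mktemp -d)
    cat > "$dir/main.chunk.js" <<'EOF'
e.exports=n.gql`query GetUser($id: ID!) { user(id: $id) { name email } }`;var t=n.gql`
  query   Me { me { id } }`;o.login=n.gql`mutation Login($email: String!, $password: String!) { login(email: $email, password: $password) { token } }`
EOF
    cat > "$dir/vendor.js" <<'EOF'
/* a second copy of GetUser, to show that the output is de-duplicated */
"query GetUser($id: ID!) { user(id: $id) { name } }"
EOF
    printf '%s\n' "$dir"
}

js_files=$(make_sample_bundles)
extract_graphql_ops "$js_files"   # prints: mutation Login / query GetUser / query Me
rm -rf "$js_files"
```

Point the function at the directory you downloaded the bundles into and feed the names to the API one at a time; with introspection disabled, the server's error messages on a wrong field are usually the next source of schema detail.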
$2,500 Bounties in GraphQL Hacking!
Started learning GraphQL security in Feb and picked a HackerOne program—luckily, it was all GraphQL! Found multiple bugs, including two high-severity ones which I wrote about.
Read here: https://t.co/m7YOM8z4Wo
Just published a blog post about this Chrome 0day discovered by @slonser_. It covers how the exploit works, a demo setup simulating a common ATO scenario (with video), and the PoC GitHub repo.
https://t.co/1rMzKg7py8
Question for #BugBounty hunters who do “google-dorking” - how do you handle the CAPTCHA mitigations? In my blog below I showed how I used the Google API but am interested in any other approaches.
You found an XSS! 🤑 But the target has CSP... 😓
And it's set to: "Content-Security-Policy: script-src 'self' https://cdnjs\.cloudflare\.com"
Your injection point: "<p>[INJECTION_POINT]</p>"
How can you bypass the CSP and get that alert(1) popup? 🧐
Mutation-Based XSS + V8 type confusion + V8 sandbox escape = RCE on Basecamp.
Disclosed it on Hackerone: https://t.co/slsv3j4jXx
Go read the comments if you wanna see what a week of exploit dev pain looks like.
If the target uses Zendesk to handle support emails,
you could send an email with the payload
`{{ticket.ccs[0].name}}a{{ticket.ccs[0].phone}}` by adding `[email protected]` in CC
and extract victim info ranging from phone and address to payment info.
#bugbounty #bugbountytips