Ever since I started out in bug bounty hunting with zero experience in auditing or penetration testing a few years ago, I never imagined I'd reach this milestone—I'm now in the global top 100 on @Hacker0x01! Thanks to HackerOne for giving me the opportunity to achieve my dreams❤️
HackerNotes TLDR for episode 181! https://t.co/5gNs1B8ijZ
► A wide-scope hackbot pulled 60 to 80 solid bugs in six months, including a blind MongoDB $where injection that turned into env exfil, a bug class most of us gave up on years ago.
► Chain more LLMs, not fewer. Dropping a boss/overseer in the middle plus an escalation agent and a validator made the output go up, not down.
► Auth is still the wall. Around 80% of tokens were getting burned on login and captcha loops until they actually measured it.
► AI gives you scale, not spidey sense. Offload the grind and the "dead" bug classes to the bot, keep the lead-to-finding judgment for yourself.
Bypass Is Our Business
Most 403 bypass tools cover path tricks and a handful of headers. They miss the cases that require understanding how the stack actually works.
Hop-by-hop header stripping is one of those cases. List a restricted header in the Connection field and the proxy strips it in transit. The backend never sees it. You get 200.
unKover covers techniques like this that others miss.
We validated it against our comprehensive testbed covering Nginx, Apache, and reverse proxy chains.
Available on GitHub and integrated into Brute One, our AI-powered bug bounty hunting platform.
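The hop-by-hop stripping described above, shown from the proxy operator's side. This is an added example, not code from unKover or Brute One: a constructed reverse-proxy header pass-through in two versions (one strips every header the client names in Connection, the hardened one strips only the standard hop-by-hop set and sets its own policy header last), plus a backend check in fail-open and fail-closed form, and a small detector that flags Connection tokens naming non-hop-by-hop headers. The header name X-Access-Policy and the sample request are constructed for the example.

```python
"""Constructed example: how a Connection-listed header vanishes at a proxy, and the fix."""
from typing import Dict, List, Set

# Hop-by-hop names a proxy may legitimately drop (RFC 9110 / RFC 7230 list).
STANDARD_HOP_BY_HOP: Set[str] = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Constructed client request: it names a proxy-owned header in Connection and
# also tries to supply its own copy of that header.
CLIENT_HEADERS: Dict[str, str] = {
    "Host": "app.example",
    "Connection": "keep-alive, X-Access-Policy",
    "X-Access-Policy": "internal",
}
# Header the proxy is supposed to inject so the backend knows the request is external.
PROXY_INJECTED: Dict[str, str] = {"X-Access-Policy": "external"}


def connection_tokens(headers: Dict[str, str]) -> List[str]:
    """Lower-cased tokens the client listed in the Connection header."""
    value = next((v for k, v in headers.items() if k.lower() == "connection"), "")
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def suspicious_connection_tokens(headers: Dict[str, str]) -> List[str]:
    """Tokens that name non-hop-by-hop headers: worth logging at the edge."""
    return [t for t in connection_tokens(headers) if t not in STANDARD_HOP_BY_HOP]


def naive_forward(client: Dict[str, str], injected: Dict[str, str]) -> Dict[str, str]:
    """Injects the policy header first, then strips everything Connection names."""
    out = {k.lower(): v for k, v in client.items()}
    out.update({k.lower(): v for k, v in injected.items()})
    for token in connection_tokens(client):
        out.pop(token, None)          # also removes the proxy's own header
    out.pop("connection", None)
    return out


def hardened_forward(client: Dict[str, str], injected: Dict[str, str]) -> Dict[str, str]:
    """Strips only standard hop-by-hop names, then sets proxy-owned headers last."""
    out = {k.lower(): v for k, v in client.items()}
    for token in connection_tokens(client):
        if token in STANDARD_HOP_BY_HOP:
            out.pop(token, None)
    out.pop("connection", None)
    # Set last so a client-supplied copy is overwritten and cannot be stripped away.
    out.update({k.lower(): v for k, v in injected.items()})
    return out


def fail_open_backend(headers: Dict[str, str]) -> int:
    """Denies only when the header says 'external': a missing header means 200."""
    return 403 if headers.get("x-access-policy") == "external" else 200


def fail_closed_backend(headers: Dict[str, str]) -> int:
    """Allows only when the header positively says 'internal'."""
    return 200 if headers.get("x-access-policy") == "internal" else 403


if __name__ == "__main__":
    stripped = naive_forward(CLIENT_HEADERS, PROXY_INJECTED)
    print("naive proxy forwards:", stripped, "->", fail_open_backend(stripped))
    kept = hardened_forward(CLIENT_HEADERS, PROXY_INJECTED)
    print("hardened proxy forwards:", kept, "->", fail_closed_backend(kept))
    print("suspicious Connection tokens:", suspicious_connection_tokens(CLIENT_HEADERS))
```

The detector is the cheap win: a Connection header naming anything outside the standard set is rare in legitimate traffic, so it is a low-noise signal to log even before the proxy configuration is fixed.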
OAuth Bypass Testbed
https://t.co/8WHf78YqCz
Test your skills against a LOGIN (randomly vulnerable) and/or 17 AUTHENTICATION SERVER endpoints.
Like with JWT, a fully automated OAuth tool with complete FFF (Find, Forge, Fire) PoCs is on the way, exclusively for Brute One.
Tip — Always use the Wayback Machine's CDX API directly:
https://t.co/kvX6p6J3XI is much more powerful than Wayback URLs because you control the filters. Add &filter=statuscode:200 to keep only the pages that responded.
#bugbounty #bugbountytips
Here's a simple concept that's helped me find a lot of bugs. Once it clicks you can't unsee it.
A huge family of bugs is basically the same bug: two components read the same input and disagree about what it means.
- Injection (XSS, SQLi, code injection): a parser (the browser, DBMS, etc) disagrees with the app about what counts as code.
- Request smuggling: frontend and backend disagree on where the request ends.
- SSRF filter bypass: the validator reads the URL one way, an HTTP client reads it another.
These are called parser differentials, and the idea powers a lot of modern research. Some classes, such as broken access control, play by other rules. You can stop hunting for bug types and start hunting for the disagreement, and that's where the magic is.
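The SSRF case from the list above, as an added example that is not part of the original post: a validator that checks a URL string by prefix, set beside what the HTTP client (urllib.parse, standing in for any client library) will actually connect to, with a small differential harness that reports every constructed input on which the two disagree. The hardened validator runs the same parser the client uses and compares the parsed hostname against an allowlist, which makes the harness report nothing. Hostnames and sample URLs are constructed.

```python
"""Constructed example: a parser differential between a URL validator and the HTTP client."""
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com"}

# Constructed inputs mixing benign and disagreeing URLs.
SAMPLE_URLS: List[str] = [
    "https://api.example.com/v1/items",
    "https://API.example.com/v1/items",
    "https://api.example.com.attacker.example/v1/items",
    "https://api.example.com@attacker.example/v1/items",
    "http://api.example.com/v1/items",
    "https://attacker.example/v1/items",
]


def prefix_validator(url: str) -> bool:
    """String-level check: the kind of validator that reads the URL as text."""
    return url.startswith("https://api.example.com")


def client_view(url: str) -> Tuple[str, str]:
    """What the client parser resolves: (scheme, hostname), userinfo already split off."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname or ""


def client_target_allowed(url: str) -> bool:
    """Ground truth: would the request actually go to an allowlisted host over https?"""
    scheme, host = client_view(url)
    return scheme == "https" and host in ALLOWED_HOSTS


def hardened_validator(url: str) -> bool:
    """Parse with the client's parser, then compare structured fields, not text."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False               # userinfo has no business in an outbound fetch
    if parts.port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS


def find_differentials(urls: List[str], validator: Callable[[str], bool]) -> List[str]:
    """Return every input on which the validator and the client disagree."""
    return [u for u in urls if validator(u) != client_target_allowed(u)]


if __name__ == "__main__":
    for u in find_differentials(SAMPLE_URLS, prefix_validator):
        print(f"disagreement: validator={prefix_validator(u)} client sees {client_view(u)} for {u}")
    print("hardened differentials:", find_differentials(SAMPLE_URLS, hardened_validator))
```

The harness is the reusable part: feed it any pair of "what the check thinks" and "what the consumer does" and the disagreements fall out, which is the hunt the post describes.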
I think I’ve created, or maybe found, a cool and effective way to test for BAC and its classes, i.e. IDOR/BFLA/…: 1. Burp Suite for User A 2. Caido for User B… This method makes it easy for me to sort/filter requests (I’ve quickly found and reported 2 IDORs with this technique).
jwt.io shows you the token. it won't tell you how to break it.
so i built jwtforge.
it audits JWTs for vulns (alg:none, algorithm confusion, kid/jwk injection) and forges working attack tokens with curl/burp/nuclei/jwt_tool ready to run.
all in your browser. nothing leaves your tab.
https://t.co/KhjPzykITx
Yay, I was awarded a $5,000 bounty on @Hacker0x01! by TikTok for a high severity issue. Also huge shoutout to supermancyber for landing me access on this specific asset!
https://t.co/VxyBUYqYXX
#TogetherWeHitHarder
A UUIDv4 packs 122 bits of randomness, so guessing one outright is off the table and that alone is often enough for a program to downgrade an IDOR.
brutecat hit exactly that on Google Cloud's Application Integration: referencing another account's UID let the request through across every endpoint, except the UID was a UUIDv4 and the path masked it, so there was nothing to show as proof.
The same endpoints took a filter parameter built on Google's AIP-160 spec, and AIP-160 supports greater-than and less-than, so a value the response refused to show could still be narrowed by comparison, one answer per request. That turns recovering the UUID into a binary search, and fixing the filter on a single known record pulled the full UUIDv4 out in about 128 requests.
The known record came from the test cases feature, where ListTestCases carried a workflow_id filter inside the protobuf and applied it on the client side. Dropping that field made the endpoint return the test cases of every GCP user, a fair number of them @google.com Googlers running their own integrations, which handed over both a real case to anchor on and the masked owner to recover.
This made the IDOR demonstrable across every endpoint in Application Integration, reached through the same filter parameter that had leaked the test cases in the first place.
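Why a comparison operator on a masked field defeats the masking, worked through as an added example that is not brutecat's code or Google's API: a constructed list endpoint that omits owner_uid from its responses but still honours =, > and < in a filter, a recovery routine that narrows a 128-bit value one yes/no answer at a time while pinned to a single known record id, and the hardened endpoint that refuses comparison operators on masked fields. The record, its UUID and the field name are constructed; the query count the routine reports matches the figure in the post.

```python
"""Constructed example: a comparison filter as an oracle on a field the response masks."""
import uuid
from typing import Callable, Dict, List, Tuple

# Fields the API hides in every response. A filter grammar that still compares
# them turns "hidden" into "hidden unless you ask the right 128 questions".
MASKED_FIELDS = {"owner_uid"}

# Constructed test data; the UUID is arbitrary and stands in for the masked owner.
RECORDS: List[Dict[str, object]] = [
    {"id": "case-1", "owner_uid": uuid.UUID("1f2e3d4c-5b6a-4798-8abc-0123456789de")},
    {"id": "case-2", "owner_uid": uuid.UUID("9a8b7c6d-5e4f-4321-9fed-cba987654321")},
]

_OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def list_with_filter(field: str, op: str, value: object,
                     records: List[Dict[str, object]] = RECORDS) -> List[str]:
    """Leaky endpoint: applies the filter to any field, returns only record ids."""
    cmp = _OPS[op]
    return [str(r["id"]) for r in records if cmp(r[field], value)]


def recover_masked_uuid(query: Callable[[str, str, object], List[str]],
                        record_id: str, field: str = "owner_uid") -> Tuple[uuid.UUID, int]:
    """Binary search over the 128-bit space using only 'is it greater than mid' answers.

    Anchoring on one known record id keeps every answer about the same row.
    """
    lo, hi, asked = 0, (1 << 128) - 1, 0
    while lo < hi:
        mid = (lo + hi) // 2
        asked += 1
        if record_id in query(field, ">", uuid.UUID(int=mid)):
            lo = mid + 1
        else:
            hi = mid
    return uuid.UUID(int=lo), asked


def hardened_list_with_filter(field: str, op: str, value: object,
                              records: List[Dict[str, object]] = RECORDS) -> List[str]:
    """Fix: a masked field accepts equality only, so the filter can confirm a value
    the caller already holds but cannot narrow one it does not."""
    if field in MASKED_FIELDS and op != "=":
        raise ValueError(f"comparison operators are not allowed on masked field {field!r}")
    return list_with_filter(field, op, value, records)


if __name__ == "__main__":
    found, asked = recover_masked_uuid(list_with_filter, "case-1")
    print(f"recovered {found} in {asked} filtered requests")
    try:
        hardened_list_with_filter("owner_uid", ">", uuid.UUID(int=0))
    except ValueError as exc:
        print("hardened endpoint:", exc)
```

The count is exact rather than approximate here because the search space is a power of two; a real endpoint adds a handful of requests for pagination and anchoring, which is where the post's "about 128" comes from. The fix belongs in the filter grammar, not the response serializer: masking output while leaving ordering operators on the same field is what created the oracle.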
Inna lillahi wa inna ilayhi raji’un.
Just 8 days after my mother passed away, today a friend in our location also passed away suddenly, without any illness. I was with him 20 minutes before his death.
He was trying to fix a solar system at a mosque when he mistakenly touched a NEPA/high-tension wire and fell to the ground. He didn’t even last 5 minutes; death came that fast.
May Allah grant him Jannah Ameen.
Dear @POTUS, I am an Israeli who has openly supported you for years.
I’m tweeting this from inside a shelter as ballistic missiles fly overhead, and on behalf of all of us in Israel, I ask you:
Give us the green light to destroy the Islamic regime once and for all.
It’s time.