People think learning Claude takes days. It doesn't.
I wrote 17 free guides that teach it in hours:
Claude 101: https://t.co/QQDmzBAoH5
Claude Code: https://t.co/o782qegoKu
Claude Skills: https://t.co/RgQUCNMqzQ
Claude Connectors: https://t.co/cSPMBUNmRG
Claude for Excel: https://t.co/ZgmUFXd0Iw
How to Prompt: https://t.co/Sw2tg2PMMc
Claude Certificates: https://t.co/LyV7fegv4c
Claude for your team: https://t.co/NakViTGCAL
Stop Prompting Claude: https://t.co/45xPLDRB6Y
AI Slides (PPT in 2026): https://t.co/OY7cHDTV7l
Claude Design: https://t.co/FhlRSlH0aD
Set up Claude Cowork: https://t.co/4jygw4M1RO
Claude to sound like you: https://t.co/LyV7fegv4c
Stop writing like AI: https://t.co/JXKAVP6hdS
Claude as your computer: https://t.co/tQDrcs8drQ
Claude Cowork + Project: https://t.co/xU97EpdrEe
Stop hitting Claude limits: https://t.co/Yu24rPQafQ
___
1. Save this list for later (three dots, top right).
2. Share it with a friend by ♻️ reposting this image.
3. Subscribe to my free newsletter: https://t.co/psB7XxAv8w.
Instead of watching an hour of Netflix, watch this 2-hour Stanford lecture. It will teach you more about how LLMs like ChatGPT and Claude are built than most people working at top AI companies learn in their entire careers.
Instead of watching an hour of Netflix, watch this 2-hour Stanford lecture on AI careers. It will teach you more about winning in the AI race than all the AI content you’ve scrolled past this year.
IDOR (Insecure Direct Object Reference)
Impact: Users could access other users’ private data
Root Cause: Missing authorization check on API requests
PoC Insight:
By changing the user_id in an API request, attackers accessed data they didn’t own.
Lesson:
Never trust client-controlled IDs. Always validate ownership server-side.
#HackerOne #BugBounty #CyberSecurity #Pentesting
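The server-side ownership check this post calls for, as an added example that is not part of the original post: a handler that trusts the client-supplied user_id, beside one that compares it with the user bound to the session. All names, tokens and records below are constructed for illustration.

```python
# Added example: hypothetical API handlers over constructed in-memory data.

# Constructed sample data: user id -> private profile.
PROFILES = {
    1: {"name": "alice", "address": "1 Example Road"},
    2: {"name": "bob", "address": "2 Example Road"},
}
# Constructed session table: the server, not the client, maps token -> user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


def authenticate(token):
    """Return the user id bound to this session token, or None."""
    return SESSIONS.get(token)


def get_profile_vulnerable(token, user_id):
    """Before: the caller is authenticated, but user_id is trusted as sent."""
    if authenticate(token) is None:
        return 401, None
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


def get_profile_hardened(token, user_id, audit_log):
    """After: the requested id must match the session's own user id."""
    actor = authenticate(token)
    if actor is None:
        return 401, None
    if user_id != actor:
        # Record the mismatch so repeated attempts show up in monitoring.
        audit_log.append({"event": "authz_denied", "actor": actor, "target": user_id})
        # Same answer as for an unknown id, so valid ids cannot be enumerated.
        return 404, None
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


if __name__ == "__main__":
    log = []
    print(get_profile_vulnerable("tok-alice", 2))     # other user's data is returned
    print(get_profile_hardened("tok-alice", 2, log))  # denied
    print(get_profile_hardened("tok-alice", 1, log))  # own data
    print(log)
```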
WAF bypass for XSS can be that simple: change the request method from GET to POST.
The WAF was blocking the single quote we needed for an XSS payload. We managed to bypass it by simply changing the request method from GET to POST, which bypassed the WAF.
#BugBounty #XSS
RCE in TCP connection (RocketMQ protocol)
Everyone hunts in HTTPS, but you can get a bug in a TCP connection service.
1. Make a .bin file (request body)
2. Use ncat / socat / python to send the request
3. Use a Burp URL for a blind test
Join my BugBounty channel https://t.co/J6uPf8H57o
rep+ can scan captured JS files for hardcoded secrets like API keys, tokens, and private keys.
Sure, you can do this in the browser with your own regex, but rep+ ships with a bunch of solid patterns out of the box and we’re improving them to cut down false positives (Base64 lookalikes, etc.).
@jackfriks - looks like this Supabase token is anon, not a service key😅
I just shipped the JS Endpoint Extractor in rep+. It grabs endpoints from captured JS and shows them in a clean table (UI still needs work).
Next step is letting you fuzz them with different methods and maybe even extract possible params from the js code. Not ready yet, but I think this will be super useful.
Would love to hear your techniques so I can get inspired and build this the right way!