I’ve added here
https://t.co/HoZmigQxkT
PDF file for XSS; it can bypass any WAF
For those looking for Stored XSS, and it can be changed to blind if you want to
Simply I encoded the payload as ASCII hex
You can edit the payload over notepad++
#bugbountytips #bugbountytip #bugbounty
Added a wordlist for path(s) scan on
@assetnote React2shell-scanner
https://t.co/dw7viFGMV3
And now you can use it on a huge list of subs
python3 https://t.co/XI8RLeaqeD -l hosts.txt -t 20 --path-file paths.txt --safe-check -o results.json
#bugbountytips #bugbountytip
I just Posted My Current Methodology For Discovering Account Takeover via Password Reset Flows at LinkedIn :- https://t.co/sYgYcPljjl
#bugbountytips #Cybersecurity #AccountTakeover
Big #Bugbountytip / #bugbountytips
Google Services Hunting
Google services are amazing, and for bug hunters, it's amazing as well. In some cases, you can get some P1-P2-P3 from these services, such as
Workspaces / Sheets / Groups / Drives / Etc...
In Groups: you can access emails / internal data / credentials
In Sheets: you can access PIIs / Edit access
In Drive: you can access backups / PII / Etc...
still hard to find and
It was an issue how to make good and at the same time fresh dorks for bug bounty programs
Then I found out that a lot of links have the same path, and it was like this
All Google resources I've found
https://t.co/2SixYDAKvE
https://t.co/tbE8WaX9CX
https://t.co/5D7Clds9cH
https://t.co/OfodYVKOk0
https://t.co/ZyA0JFkax4
https://t.co/mhIbyMF03b
https://t.co/QwByRWofh8
https://t.co/vAwAEX8KxI
https://t.co/4y1UMeZdq7
https://t.co/u7mOVPnus3
https://t.co/V9ALsFoqP9
https://t.co/2eLIaEPCGm
https://t.co/VxllqvwT6n
https://t.co/c1vkp8YrBt
https://t.co/2EkMSEUpIt
UrlScan Dorking:
page.url:"https://t.co/qb3s3f8koJ*"
page.url:"https://t.co/BNLIA1rXht*"
You can replace * => the program domain
Google Dorking:
site:https://t.co/qb3s3f8koJ* "inurl:/a/"
Or for specific domain
site:https://t.co/qb3s3f8koJ* "inurl:/a/domain.com"
GitHub Dorking:
"https://t.co/qb3s3f8koJ"
Or for a specific domain
"https://t.co/FKHqr19e0o"
Shodan Dorking:
"https://t.co/3vQLeWEs54"
Web Archive
https://t.co/c8tGyvVlH7
Don't forget:
It's not just https://t.co/pbqxKC9P4s
still you have to look for docs/groups/mail/drive/spreadsheetsX
still working in Google Research and will add more and more soon ......
Happy Hunting♥
#bugbounty
A few months ago, I found a Prompt Injection vulnerability on Google Tasks.
It was simple, yet tricky.
Google rewarded me with a $15,000 bounty for it.
Here's the full story:
This might be the best IDOR I achieved so far with $$$$
1- I tried every possible way to access, edit, or delete the target object but nothing works because the team implemented the proper authorization mechanism for that ----
If the admin panel you targeted has a username enumeration, you can brute-force using a wordlist. This has worked many times for me; in this case, the username was "admin"
My password wordlists:
Basic: https://t.co/dwZXsZISiJ
Advanced: https://t.co/2AvuC5qTqz
Usernames wordlist:
https://t.co/cKCjZbmS39
#bugbountytips #bugbounty
$500 bounty on @Hacker0x01. Found with Claude Code
Added a triage step in my prompt that spawns a new agent with no existing context to verify the finding. False positives have dropped a lot
got this idea from someone's tweet, can't remember who. If it was you, thanks
Two bounties on @intigriti. $3000 + $100
Both bypasses of previously resolved reports
1 year ago: ChatGPT + a lot of manual work to find one of these
Today: gave the old reports to Claude Code, it confirmed the fixes and found bypasses for both. Fully automated
Workflow has changed completely
Old writeup: https://t.co/IpJMqhxlLY
Old tweet: https://t.co/H9IjYOzNAW
@damian_89_ I’ve built a script yesterday for running deepseek 4 pro on a full source code, to do code review
I can share the results today with you when it’s done 👍, so far working well
Found that just using a user ID could generate a valid session token, leading to account creation without proper authentication. Simple but high impact → triaged as P1.
Good reminder: auth & session logic needs deep testing 🔍
#BugBounty #CyberSecurity #AppSec #AuthBypass #P1
Second Write up:
Yeah, I got my second bonus $$$ on a public bug bounty program. (EASY Technique).
Steps To Reproduce:
1/n
1. Identify multiple contact forms & Observe that all forms are protected by CAPTCHA.
2. The full endpoint /_vcp/test/_test/contactprocess/
I had published a new Writeup about my recent Critical Vulnerability Report on a Private Bug Bounty Program at Hackerone. Enjoy reading:-
https://t.co/bJyKHd4G8P
#CyberSecurtiy #BugBountyTips #AppSec #AccountTakeover
Bounty : 250 Euro
Well admin can only invite admin and low level user.
POST /api/users/invite/
Expected : "role":"admin"
Changed to : "role":"SuperAdmin"
I got invited as superadmin.
Got Fixed and rewarded in 8 hours haha
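
The server-side check that the invite request in the last post was missing, as an added example that is not part of the original post or the program's code. The `user` role name, the function names and the sample request bodies are assumptions; the vulnerable variant reproduces the behaviour the post describes, beside a hardened one.

```python
import json

# Roles each inviter role may grant. "admin" and "SuperAdmin" are the names
# on the page; "user" stands in for the low-level role (assumed name).
GRANTABLE = {
    "SuperAdmin": {"SuperAdmin", "admin", "user"},
    "admin": {"admin", "user"},
    "user": set(),
}


class InviteRejected(Exception):
    """Raised when an invite request must be refused (HTTP 4xx)."""


def invite_vulnerable(inviter_role, raw_body):
    # Behaviour described in the post: the role in the request body is
    # trusted because the UI only ever offers permitted values.
    body = json.loads(raw_body)
    return {"email": body["email"], "role": body["role"]}


def invite_hardened(inviter_role, raw_body):
    # inviter_role must come from the server-side session, never the request.
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise InviteRejected("malformed JSON") from exc
    if not isinstance(body, dict):
        raise InviteRejected("body must be an object")
    email, role = body.get("email"), body.get("role")
    if not isinstance(email, str) or "@" not in email:
        raise InviteRejected("invalid email")
    # Exact-match allowlist: unknown roles, non-string values and case
    # variants all fail closed.
    if not isinstance(role, str) or role not in GRANTABLE.get(inviter_role, set()):
        raise InviteRejected(f"{inviter_role!r} may not grant {role!r}")
    return {"email": email, "role": role}


# Constructed sample bodies for POST /api/users/invite/
EXPECTED = '{"email": "new@example.com", "role": "admin"}'
TAMPERED = '{"email": "new@example.com", "role": "SuperAdmin"}'

if __name__ == "__main__":
    print(invite_vulnerable("admin", TAMPERED))  # escalated role accepted
    print(invite_hardened("admin", EXPECTED))
```
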