I'm honestly still in disbelief... grateful to receive a $100k bounty from @meta. Feels surreal. Sharing this to show that with time and dedication, it's possible. This was my first and only submission to Facebook - something I've been chasing for a decade! 🙏 Big thank you to @metabugbounty!
After months of working on this, I’m excited to release my first bug bounty course on @udemy today! This is not a complete course just yet, but I will be regularly updating it with new content and labs!
udemy.com/course/intro-to-bu…
Thanks for 50,000 followers! I’ve partnered with @eLearnSecurity to give back to the community! Three lucky winners will win an eLS course of their choice.
To enter, all you have to do is like and reply to this tweet and follow eLS!
Bug bounty hunters: What’s your advice for someone who’s trying to make their first $100,000 in 2025? What should they do/learn? What should they avoid?
No bounty from @google for getting an RCE on google.com. I know there were some requirements for this to work and I wasn't expecting a $50,000 bounty, but wasn't expecting to "not meet the bar for a financial reward" at all.
At least I can say I "RCE'd" google.
I have worked at a leading bug bounty platform.
Hacked companies like Airbnb, Apple, Snapchat, Department of Defense, PayPal.
Currently enjoying day one of unemployment.
Ask me anything?
I'm excited to announce that I have started a new role at @Hacker0x01 as the head of Hacked Education to help create more content for hackers on #Hacker10! 🎉
I don't understand the hate and shade people throw at content creators. Can someone tell me what the fuck is the actual point in hating on people who are educating others for free?
Here are the slides from our talk at @defcon - "Owning the clout through SSRF and PDF generators". We'll probably write 3 blog posts on a few bug bounty examples soon! Also a big thank you to @daeken for being my partner in crime through this research. docs.google.com/presentation…
Final giveaway of the year🎁:
4️⃣Hand-On Web Exploitation (Course Only hhub.io/2024holidays)
3️⃣Shodan Codes
2️⃣Caido licenses
1️⃣Hands-On Web Exploitation (Certificate+Course Bundle)
To enter drop a 🫶🏼and RT
My Udemy course is listed for FREE using the code 'FREEBLACKFRIDAY 'and then only $9.99 with 'BLACKFRIDAY23'. There’s a brand new update coming to the course in 2024! New labs, new videos and new challenges! 👀
udemy.com/course/intro-to-bu…
I have pushed 3 massive updates to my course since July to include more labs/videos on SSRF, RCE, ATO, 403/401 Bypasses, and more! 🧑🏽💻
👀 I'll give away two free vouchers to two people who retweet and reply with 'RCE' under this post!
ℹ️ More info 👉🏼 bugbounty.nahamsec.training
What are some endpoints that make you excited when it pops up while performing a directory brute force? Here are some of mine:
/api/proxy
/swagger-ui
/demo
/metrics
🚨 @Burp_Suite giveaway 🚨
2020 was a pretty rough year for a lot of people but I want to end the year on a good note. Reply with something you are grateful or proud of that happened in 2020 and I'll pick a random reply and send them a free Burp Suite license! 👇🏽
A group of us started to do this challenge for the entire month of November. Today was day 1. Feel free to join us if you’re up for the challenge.
Will try and update this thread every night.
I have 2 PWK vouchers to giveaway! Two ways to win
1. Join my discord & react to the message posted in announcements. (discord.gg/DWGgpFpm)
2. Like and respond to this tweet with #nahomies
Big thank you to our #nahamcon2022 sponsor, @offsectraining for making this happen.
Alright - doing tomorrow’s giveaway earlier than expected: one 3 month @CaidoIO pro license. All you have to do is like this tweet to enter.
I’ll pick a winner next week!
🚨 Doing a giveaway for my Blind XSS Masterclass
Most people think they know XSS, until they meet blind XSS, the kind that fires where you’ll never see it.
Same methods that helped me earn $250K+ from real reports. hhub.io/nahamsecbxss
🎁 Retweet and reply to enter.
I have a one year and a six month subscription to @PentesterLab for two people who reply with “#NahamCon2022” under this post.
Will pick winners tomorrow.
If you're serious about hitting $100K in bug bounties this year, you need to master these vulnerabilities in 2025.
📌 XSS 🔥
📌 SSRF 🕵️♂️
📌 Path Traversal 🛠️
📌 Web Cache Deception 🏗️
📌 Supply Chain Attacks 🚨
Read it now & level up 👇
nahamsec.com/posts/high-valu…
Lazyrecon: A script intended to automate your reconnaissance process in an organized fashion and creates an html report at the end! github.com/nahamsec/lazyreco…
I get asked how I manage a full time job, content, steam, hacking on top of my personal life. I’m going to answer this once and only once: if you have time to waste on YouTube/Reddit you have time to learn how to hack. I go to bed an hour later and wake up an hour earlier
This Friday is my last day at @Hacker0x01. The last 6 years were have been incredible. I learned a lot of valuable lessons and met a ton of amazing people.
To celebrate I wanted to share the 6 things I learned from my time at h1.
nahamsec.com/posts/6-valuabl…
Introducing The 5 Five Week Program: A program designed to help you find your first vulnerability. At the end of the 5 weeks, I will be bringing someone onto my team to directly work with me on a pentest!
piped.video/Z_Kk1zf16l4
There are time when I really don't wanna stream or make content, then I randomly get messages like this and remember why I started doing all of this in the first place. Thank you! 🙏🏽
What are some books you recommend to someone wanting to break into cybersecurity/hacking to learn the basics ⁉️ Would love to make this a thread on infosec book.
Here are some of my recommendations 👇
Really disappointed to see @Hacker0x01 do this. I also had a similar interaction with h1 about a month ago where they questioned my nationality and place of residence after 10+ on the platform.
I’ve been hunting on H1 for almost 3 years, ranked #18 in 2025, have always tried to contribute positively to the hacker community. I’ve earned around $500k in bounties and was on the road to $1M. Yet I don’t even have HSM, and I feel I haven’t been recognized as I should 1/4
Besides curl and sed/awk/grep, what are some of your most frequently used linux commands that you think will help with hacking? (not including tools like nmap, metasploit, etc)
Check out my latest video on "Creating Wordlists for Pentesting & Bug Bounty Hunting". I also showed how I use @DanielMiessler's SecLists, @TomNomNom's Waybackurls, or Google's BigQuery to create my own wordlists!
LMK what you think of the video!
piped.video/QGbTaxtEQlg
I just realized I have some more @PentesterLab vouchers, thanks to @snyff for sponsoring the LLS stream. Drop a reply under this tweet and I'll pick 3 people and give you either a 3 mo, 6 mo, or 12 month subscription.
With #NahamCon2022EU coming up I think it’s only fair to giveaway a one year subscription to @pentesterlab to someone random responding to this tweet. 👇🏽
Alright twitter, help me out! I'm trying to make a good list of places to find swagger (or swagger.json). Here are few of my favorites:
/swagger-ui/swagger.json
/apidocs/swagger.json
/api-docs/swagger.json
/swagger-ui
/api-docs
/apidocs
/swagger
/v1/swagger.json
This is how a hacker (nojob) was able to find a vulnerability in @port_finance and collect a bounty worth over $600,000 through @immunefi's bug bounty platform!
Thank you @HalbornSecurity for sharing their technical insight on this vulnerability!
piped.video/7BTPf55CHiw
Thread on educational content: 👇👇👇
This is coming from someone who sells a course. You really don't need anyone to teach you _anything_. Especially for bug bounties. The only thing you need in order to become successful is curiosity. To ask yourself "wtf does this mean" & 1/n
Found a pretty neat SSRF on @snapchat and thanks to ideas from @daeken@bbuerhaus, we were able to escalate it a bit. Technical details will be included in our talk @defcon and @BSidesLV (if it gets approved). Enjoy!