Ajay Yadav

49 posts

@smart_hacker__

Joined November 2023
90 Following, 2 Followers
Vipul 🇮🇳
Vipul 🇮🇳@GodSpeed000123·
11 bugs. One target. $40,000. Critical infra leak. ATO. SSRF x2. OAuth bypass. DoS. Sometimes one target is all you need. #BugBounty
Ajay Yadav retweeted
Modern Dad
Modern Dad@ModernxDad·
Only Men can understand this feeling ❤️🥺
Ajay Yadav retweeted
N G U R I
N G U R I@Nguri__·
🇮🇳 An Indian delivery rider runs into a former classmate. She films him while mocking him: "You, who used to motivate everyone at school, and here you are delivering pizzas. I'm going to send the video to our friends," while he smiles, hiding his pain.
Ajay Yadav retweeted
0xaudron
0xaudron@0xaudron·
Anthropic on its way to solve “security problem” with Mythos. Meanwhile, their own bug stats. You can check their program on hackerone:
0xaudron tweet media
Ajay Yadav
Ajay Yadav@smart_hacker__·
@7h3h4ckv157 I've read all these books 4–5 times: The Web Application Hacker's Handbook, Bug Bounty Bootcamp, Real-World Bug Hunting, Web Hacking Arsenal. Solved 80% of the PortSwigger labs.
Ajay Yadav
Ajay Yadav@smart_hacker__·
@7h3h4ckv157 Bro, I started learning bug hunting in Oct 2022. By the time I was ready to hunt seriously, Claude AI changed everything. I invested 4–5 years but got nothing, not even a single bounty; all my H1 reports were marked informational. Should I continue or switch to another field?
7h3h4ckv157
7h3h4ckv157@7h3h4ckv157·
Manifesting 🤞🏻❤️
7h3h4ckv157 tweet media
Ajay Yadav
Ajay Yadav@smart_hacker__·
@hamidonsolo I started hacking in 2022 & read all these books 4–5 times: The Web Application Hacker's Handbook, Bug Bounty Bootcamp, Real-World Bug Hunting, Web Hacking Arsenal. Solved 80% of the PortSwigger labs and got $0 from bounties yet. But bro, you motivated me to start my bug bounty journey again.
Ajay Yadav
Ajay Yadav@smart_hacker__·
@a13h1_ Bro, what do you think about Claude AI that automates vulnerability checking in source code and automates bug hunting?
Abhi Sharma 𝕏
Abhi Sharma 𝕏@a13h1_·
Let's go for bug hunting here 😁
Abhi Sharma 𝕏 tweet media
7h3h4ckv157
7h3h4ckv157@7h3h4ckv157·
Tell me… What’s next?!
7h3h4ckv157 tweet media
7h3h4ckv157
7h3h4ckv157@7h3h4ckv157·
Recently I identified and responsibly reported a vulnerability in Grok (xAI) via H1. 2 crafted prompts allow attacker-controlled code to be rendered through the AI output, enabling scenarios such as phishing link injection, UI manipulation, and visual defacement, since CSS overlays allow a fullscreen interface takeover, including wiping the chatbox. Because Grok conversations can be publicly shared, the injected interface could potentially be distributed externally, with deceptive or phishing content appearing as legitimate platform output (publicly accessible). The report was marked as a duplicate, as another researcher had already reported the issue. Still, it was an interesting exercise in exploring how AI can be hacked.
7h3h4ckv157 tweet media7h3h4ckv157 tweet media
Coffin
Coffin@lostsec_·
Which video + article should I drop next?
1️⃣ Google API Key Mass Hunting & Exploitation for Bug $$Bounties: finding exposed keys at scale and turning them into real bounty-worthy impact.
2️⃣ Dependency Confusion Attacks: Zero to Hero. Understanding the attack, setting up the lab, and exploiting it in real-world scenarios.
Ajay Yadav
Ajay Yadav@smart_hacker__·
@tabaahi_ Bro, what happened to you? Why haven't you been hunting for bugs for a few months?
Mohsin Khan
Mohsin Khan@tabaahi_·
@hetmehtaa 18 hours of thinking & doing nothing. Me before going to sleep..... I am whatever he said 😂
Het Mehta
Het Mehta@hetmehtaa·
Why am I unable to understand this high level language?
Het Mehta tweet media
Ajay Yadav
Ajay Yadav@smart_hacker__·
@7h3h4ckv157 Bro, any way to bypass Cloudflare WAF for react2shell please..
7h3h4ckv157
7h3h4ckv157@7h3h4ckv157·
- I understand that running react2shell-ultimate[.]py against random websites isn't research.
- I understand that "I removed the identifying info" doesn't undo the unauthorized access.
- I understand that #BugBounty doesn't apply when there's no bounty program.
- I understand that finding my site on Shodan doesn't constitute authorization.

Well said @gothburz !! 👏
Peter Girnus 🦅@gothburz

Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell. I don't have a bug bounty program. I never asked for a security assessment.

I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty." Bounty?

I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes." They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup)

They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes. My customers' data was on that server.

I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me." Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout.

They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI. Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing." A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization.

Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground.

I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first". I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account.

There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor.

But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.

Ajay Yadav
Ajay Yadav@smart_hacker__·
@sudo_a7med Bro, how many bugs have you reported so far, and how many were accepted?
sudo
sudo@sudo_a7med·
I'd started to forget how to even write a report.
sudo tweet media
Ajay Yadav
Ajay Yadav@smart_hacker__·
@sudo_a7med Bro, have you not found any bug within 90 days?
sudo
sudo@sudo_a7med·
#day_89 of trying to get my first bounty
🔎 hunting: 2 h
📚 studying: 0 h
🐞 bugs reported: 0
💻 One hour studying JS: ❌
Gospel
Gospel@4osp3l·
Our first CRITICAL on @yeswehack with @d3q0w & @amsubedi2; got access to a critical user's PII including emails, passwords, secrets, etc.
Gospel tweet media
Vipul 🇮🇳
Vipul 🇮🇳@GodSpeed000123·
Found a critical vulnerability by poisoning the password-reset flow, injecting a Collaborator host into headers using Burp FakeIP, resulting in account takeover. Scored $4,000. Tip: use the FakeIP extension to check for link poisoning. #BugBounty #bugbountytips #CyberSecurity
Vipul 🇮🇳 tweet media
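The password-reset link poisoning described in the tweet above, as an added defender-side example (not the author's code): a reset-link builder that copies the host from request headers beside a hardened one that only uses a configured origin, plus a check that flags requests whose host headers disagree with that origin. `app.example.com` and `attacker.example` are assumed placeholder names.

```python
import secrets
from urllib.parse import urlencode

# Assumed canonical origin, configured server-side (placeholder, not from the page).
CANONICAL_ORIGIN = "https://app.example.com"
CANONICAL_HOST = "app.example.com"


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """'Before' pattern: the link host is copied from request headers.

    A forwarded-host header (or a spoofed Host) ends up in the reset e-mail,
    so the victim's click delivers the token to whatever host the request named.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """'After' pattern: the origin comes from configuration only; request
    headers play no part in building the link."""
    del headers  # deliberately unused: nothing from the request is trusted
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def link_points_to_canonical(link: str) -> bool:
    """Check a generated link against the configured origin (useful in tests)."""
    return link.startswith(CANONICAL_ORIGIN + "/")


def suspicious_host_header(headers: dict) -> bool:
    """Detection side: flag a reset request whose Host or forwarded-host
    values disagree with the canonical host; such requests are worth logging.
    Header names are matched case-sensitively here for brevity."""
    seen = {headers.get(h) for h in ("Host", "X-Forwarded-Host", "X-Host")
            if headers.get(h)}
    return any(h.lower() != CANONICAL_HOST for h in seen)


def demo() -> tuple:
    token = secrets.token_urlsafe(24)
    # Constructed request: legitimate Host plus an injected forwarded host.
    injected = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "attacker.example"}
    return (vulnerable_reset_link(injected, token),
            hardened_reset_link(injected, token),
            suspicious_host_header(injected))


if __name__ == "__main__":
    for line in demo():
        print(line)
```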