Ved Parkash

Hey Everyone, do checkout how me and my brother @Zero2Infinity_ bag our 1st $$$$ bounty individually. v3d.medium.com/story-of-bount… #bugbounty #bugbountytips #bugbountytip #bughunter #hacker #cybersecurity #hackerone #bugcrowd

Good resource for a quick search for assets in scope through public BBPs across some of the big platforms. recon.bugtraceai.com

DOM Clobbering is one of those underrated client-side attack techniques that can turn simple HTML injection into full-blown impact 💥 If you're hunting for bugs where XSS seems blocked, this is a MUST-know technique 🔥 Great deep dive from zero → advanced: hacklido.com/blog/43-an-art… #BugBounty #WebSecurity #AppSec #XSS #ClientSide #Infosec #CyberSecurity

Browser extensions for bug bounty hunters: Wappalyzer (Chrome/Firefox) HackTools (Chrome/Firefox) HackBar (Chrome/Firefox) FoxyProxy (Chrome/Firefox) Cookie-Editor (Chrome/Firefox) CORS Everywhere (Firefox) CYFARE Reconner (Firefox) DotGit (Chrome/Firefox) EndPointer (Chrome/Firefox) FancyTracker (Chrome/Firefox) HTTP Header Live (Firefox) Link Gopher (Firefox) Retire.js (Chrome/Firefox) Shodan (Chrome/Firefox) TruffleHog (Chrome) WaybackMachine (Chrome/Firefox) SecurityHeaders[.]io Analyzer (Chrome) OWASP Penetration Testing Kit (Chrome) Js/CSS/HTML Beautify (Chrome/Firefox) Mitaka (Chrome/Firefox) BuiltWith (Chrome/Firefox) ModHeader (Chrome/Firefox) Requestly (Chrome/Firefox) Open Multiple URLs (Chrome/Firefox) User-Agent Switcher (Chrome/Firefox) Drop the ones I'm missing or the ones you find most useful in your workflow #BugBounty #BugBountyTips #WebSec #AppSec #Cybersecurity

How to Hack AI Agents & Application by @NahamSec, inspired by @rez0__ (Follow Them for more) 📍 🧵 👇🏻

LLMs Winning at Pwn2Own 👀 youtu.be/c5XAvRbma6Y

Don’t waste time chasing expensive AI tools. If you can’t build it, you don’t really understand it. That’s where most beginners go wrong. Everyone wants to use AI in cybersecurity, but very few actually learn what’s happening behind the scenes. They rely on tools, copy payloads, and stay stuck. So I tried something different. I fine-tuned a local AI model from scratch and trained it to generate smarter XSS payloads using cross-referenced datasets. No APIs. No cost. Just a simple setup that actually helps you think beyond basic payloads. If you’re serious about learning the real side of bug bounty, this is where you should start. Watch here: youtube.com/watch?v=P1tazh…

GitHub repos for bug bounty hunters: 1. github.com/0xmaximus/Gala… 2. github.com/coffinxp/nucle… 3. github.com/0xKayala/Custo… 4. github.com/HackTricks-wik… 5. github.com/cipher387/Dork… 6. github.com/techgaun/githu… 7. github.com/s0md3v/Awesome… 8. github.com/TakSec/google-… 9. github.com/arainho/awesom… 10. github.com/0xInfection/Aw… 11. github.com/0xMrNiko/Aweso… 12. github.com/Lissy93/web-ch… 13. github.com/jakejarvis/awe… 14. github.com/swisskyrepo/Pa… 15. github.com/m14r41/Pentest… 16. github.com/ayoubfathi/lea… 17. github.com/streaak/keyhac… 18. github.com/devanshbatham/… 19. github.com/SecShiv/OneDor… 20. github.com/Hari-prasaanth… 21. github.com/djadmin/awesom… 22. github.com/Az0x7/vulnerab… 23. github.com/nahamsec/Resou… 24. github.com/daffainfo/AllA… 25. github.com/fuzzdb-project… 26. github.com/qazbnm456/awes… 27. github.com/infoslack/awes… 28. github.com/enaqx/awesome-… 29. github.com/reddelexc/hack… 30. github.com/tomnomnom/hacks 31. github.com/danielmiessler… Drop the ones I'm missing or the ones you find most useful in your hunting workflow. #BugBounty #BugBountyTips #WebSec

Source to Sink: Improving LLM Vuln Discovery 🔥 youtu.be/bxwEZMhqeR0

pentest-ai - 6 Claude Code subagents for offensive security research (engagement planning, recon analysis, exploit methodology, detection engineering, STIG compliance, report writing) 0xsteph.github.io/pentest-ai/

ffuf just got smarter 🤖⚡ ffufai brings AI into fuzzing — smarter payloads, better endpoint discovery, less noise. Stop guessing. Start targeting. 🎯 🔗 Source: github.com/jthack/ffufai #BugBounty #Infosec #WebSecurity #Recon

DOMLogger++ is changing how client-side bugs are hunted — no more guessing, just real data flow visibility. 🔍⚡ From DOM XSS to prototype pollution chains, this tool exposes what traditional debugging misses. If you’re serious about client-side security, this isn’t optional — it’s essential. 🧠💥

A simple vulnerability in postmessage CTI, Been a while since my last bug bounty tip 😂 Not something new, but honestly I liked it Application is integrates with various integration including salesforce, Shopify etc... for example window.opener && window.opener.postMessage({ name: e, value: t }, "*"); window.parent && window.parent.postMessage({ name: e, value: t }, "*"); The app is also missing X-Frame-Options or can be embedded, and cookies are still sent in that context because of weak SameSite settings, an attacker can be able to iframe the page and directly receive users’ PII from those messages. Combined with missing X-Frame-Options and weak SameSite behavior, an attacker could iframe the page and receive the data directly by sending an link containing the exploit below to the user and get all PII or anything in the trusted postmessage. #bugbountytips #bugbounty #bugcrowd

Hunting for 0-days: Where to start? Resource: ibm.com/think/x-force/…

JWT Security Resources 1. JWT Introduction - jwt.io/introduction 2. JWT Attacks - portswigger.net/web-security/j… 3. OWASP JWT Cheat Sheet - cheatsheetseries.owasp.org/cheatsheets/JS… 4. JWT Vulnerabilities Guide - pentesterlab.com/blog/jwt-vulne… 5. JWT Best Practices - curity.io/resources/lear… 6. Exploiting JWT - intigriti.com/researchers/bl… 7. JWT Attacks Writeup - infosecwriteups.com/attacks-on-jso… #CyberSecurity #JWT #WebSecurity #BugBounty

Exploiting BAC vulnerabilities! 🤠

JavaScript Analysis Checklist for Bug Bounty Hunters Stop scrolling endpoints and start reading JavaScript — that's where the real bugs hide. 🧠 1. 🔍 Find All JS Files Check source code, DevTools, and subdomains Don't ignore old or unused files 2. 🧵 Beautify & Read Properly Use DevTools or a JS beautifier Understand the flow — don't just grep 3. 🔗 Extract Endpoints Look for /api/, /v1/, /internal/, etc. Identify hidden or unused routes 4. 🧠 Identify Parameters Query params, JSON keys, headers Focus on user-controlled input 5. 📡 Trace Data Flow Map where input goes → which sinks Monitor DOM, eval, innerHTML, fetch, postMessage 6. ⚠️ Look for Dangerous Sinks eval(), innerHTML, document.write postMessage, setTimeout, Function() 7. 🧪 Check for DOM XSS Map sources → sinks Test payloads in identified parameters 8. 🧬 Prototype Pollution Look for merge, extend, deep object operations Check __proto__, constructor, prototype 9. 🔐 Secrets & Keys API keys, tokens, internal endpoints Hardcoded credentials can be a goldmine 10. 🌐 Third-Party Integrations Review external scripts Assess trust boundaries and data sharing 11. 🧱 CSP & Security Controls Check if CSP is implemented Attempt bypass techniques 12. 🔁 Replay API Calls Modify requests in Burp Suite Test for auth issues, IDOR, rate limiting flaws 13. 🧩 Look for Logic Flaws Missing validation Hidden features or debug flags 14. 📂 Source Maps (.map) Can reveal original source code Often expose additional endpoints 15. 🔄 Follow the App Flow Login → dashboard → key actions Think like a user, not a scanner 📌 Tools give you files. 🧠 JS understanding gives you bugs. #bugbounty #infosec #websecurity #hacking #javascript

$1,000,000 in bug bounties came down to one decision: pick a program and stick with it 👨‍💻😮‍💨 HX007, a hacker in the Bugcrowd community, made over $750K on a single program. Not by knowing more than everyone else. By knowing one target better than anyone else. 🔖 The longer you work a program, the more you understand the dev team behind it. Their patterns, their blind spots, the bugs they keep missing. It stops feeling like hunting and starts feeling like collaboration. When nothing's clicking, HX007 switches to a VDP, racks up some P1s, and comes back with his confidence rebuilt. 💡 More advice from HX007 and why he hunts on Bugcrowd: bugcrowd.com/blog/how-i-hac…

Master broken access control vulnerabilities! 😎 A thread! 🧵👇

@shreyas_chavhan Congratulation @shreyas_chavhan bhai

fun fact: today was also the day I got my first 10.0 critical bounty from Quora. It's sort of my Critical Bounty Anniversary 😂