3NVZ

@HarrySandh21970 If bug bounty/cybersecurity would be solved, any other digital field would’ve been solved as well AI is a tool with limits, just as any other tool. If you love hacking, don’t leave

@YourFinalSin sir i am beginner i want to learn cyber security&bug bounty but all are saying this is end leave this area

Is it just me or do various bug bounty platforms feel increasingly worse? First response and triage experience has gone downhill big time. I have multiple P2/High severity reports that are 15-30 days old that weren’t even looked at by triage yet..

@3ftetfw If you do it for the love of hacking and puzzle solving, you’ll be good!

@YourFinalSin it's kinda making me reconsider studying bug bounty. i'm fairly new, time before i can attempt finding a bug is like early next year. by then, shit might be even worse. everything seems cooked.

@3ftetfw That’s crazy I didn’t know that it’s that bad

@YourFinalSin x.com/WhiteHatMage/s…

@Xg0d_ I feel you bro

@YourFinalSin Same bro reported 11 days ago and still no response on bugcrowd 🥲

@ethical_h4ck3r_ Yeah true haha

@YourFinalSin You feel like wasting your time sometimes in bug hunting... after all this wait, and it's marked as duplicate. ☻️

@s4botai77563 Wow that’s a crazy concept

@YourFinalSin This has to be the AI slop for sure. I reported a vuln on a program that you needed to pay a $50 fee to submit a report. Was triaged and payed the same day I reported it

@Jayesh854255941 I only hunt on main apps, so I don’t do any subdomain enumeration or similar

@YourFinalSin Bro how do u select targets man I select targets with wildcards and don't get more than 10-20 Subdomains even which most of them don't have features 😭

Here is a little dork for you, if you wanna learn a thing or two about Client-Side Vuln Hunting! site:blog.criticalthinkingpodcast.io "client-side"

@Jayesh854255941 Yes, exactly

@YourFinalSin Ohh so like when u find Subdomains and all and select a target u try to find bug by checking what feature can have what bugs like Comment section can have a stored xss so u use notes that time to find bypasses and all right?

@Jayesh854255941 Yeah, I kept notes on everything that I was learning and also came back to these notes if I found something similar on a target I’m using Notion for that - it’s free

@YourFinalSin Bro how did u learn about a bug like u made notes for all bugs after solving or while solving portswigger and then reused those notes while hunting?

@Abdelmajid14619 Can't disclose, otherwise it wouldn't be a challenge anymore!

@YourFinalSin congrats what was the bug

First report accepted and paid on GitLab! 💥 Tip: Learn as much as you can about your target from public data/reports, before you start hunting on them

Another nice filter bypass - Can recommend! I just pwned the "Dojo #50 - Bucket Vault" challenge on @YesWeHack! dojo-yeswehack.com/challenge/play…

@th31nitiate Yeah for sure. Especially for highs and crits there’s always a window for an attacker

@YourFinalSin Dammmmm, dups are generally pain, but I always wonder if they can detect them. Cause an attacker can surely use those, if they can't detect them.

Another high-impact GitLab vuln found 💥 Ended up duplicate, but this one involved a nice server-side filter bypass. Getting closer, I’m not stopping until I land that paid High on GitLab!

@root_exe_ind @0xmitsurii @Lakxitt @theitgirliee @EhistheGreat @erebosai @Sigmabond01 @cyber_nii @tech_nishan001 @ApInference Good luck bro ✌️

I am officially starting the everyday posting of the cyber security journey and sharing the daily stuffs and some good stuffs and my daily progress in the cyber security. I am gonna document my never ending journey here. #cybersecurity #motivation #study #hacking #consistency

@EvanKlein338226 Yeah, for sure. They left it open for you to find it haha

@YourFinalSin "Internal Duplicate" after 2 months is brutal. The paid features tip is gold though — found an IDOR in a "premium" endpoint once that was still accessible because they only gated the UI, not the API. Defense in depth? Never heard of her.

A nice IDOR that gave access to essentially every user's private data 💥 Reported -> Triaged -> 2 months later marked as "Internal Duplicate" by the company🫠 Tip: Go deep into the app, you might find endpoints for paid features that are still accessible

Just published a new writeup about a nice chain that led to credit card theft, including a stored XSS, cookie tossing and cookie jar action 💥 Unfortunately, this was marked as informational and my disclosure request was denied lol @YourFinalSin/from-stored-xss-to-cookie-tossing-into-credit-card-theft-396b59b49326" target="_blank" rel="nofollow noopener">medium.com/@YourFinalSin/…

@1___Khalid___ @_tomek7667 I don’t have a special setup. I’m using Burp community edition and a 64gb ram windows laptop with WSL If I need to do sth in a VM I use virtualbox

@YourFinalSin @_tomek7667 Hi my friend, hope you're doing well. I've been following you since the beginning and learned a lot from your posts. Could you recommend a PC setup specifically for bug hunting? I don’t play games—only bug bounty hunting (Burp, browsers, VMs).

This is a very interesting approach on bypassing DOMPurify via String.replace It was for a CTF, but I'm pretty sure it could come in very handy 💀 Kudos to @_tomek7667, insane job! youtube.com/watch?v=mniM5H…