Abhishek Meena 🏵️

3.4K posts

@aacle_

Building @Vulncure ⚡| Helping founders fix vulnerabilities before hackers find them. Talk to me about: Bug Bounties, LLM Security & React.👇 Book a 15-min Demo

Joined June 2017
277 Following, 45.5K Followers
Pinned Tweet
Abhishek Meena 🏵️
We've curated the entire API Pentesting Series into a single, auto-updating Notion page. • All existing parts • Future parts added automatically • One link to bookmark. Access the full library here: vulncure.com/api-pentest/ap…
Abhishek Meena 🏵️ reposted
Bug Bounty Center @BugBountyCenter
WAF Bypass Cheat Sheet Cloudflare, Akamai, AWS WAF, ModSecurity, Imperva, F5 BIG-IP, Sucuri, Wordfence, Azure WAF, FortiWeb, Barracuda Detection tips + XSS, SQLi, RCE, SSRF and Path Traversal bypasses for each one Full database with 150+ payloads inside Bug Bounty Center → bugbountycenter.com Try it free for 30 days #BugBounty #BugBountyTips #WAF #WebSec #AppSec #Cybersecurity
Abhishek Meena 🏵️ reposted
Abhishek Meena 🏵️ @aacle_
medium.com/@hotisha/why-i-stopped-ignoring-open-redirects-a-zero-click-ato-story-babe76f3f1c5
Abhishek Meena 🏵️ reposted
YS @YShahinzadeh
JS reading > IDOR > internal Google data leakage :]
Abhishek Meena 🏵️ reposted
Critical Thinking - Bug Bounty Podcast
Tell Claude "I'm going to bed, don't ask me any questions, don't stop hacking" so it will run for hours. But before you try it:
1. Cap sub-agents at 2-3. If it spins up way too many agents, the context fills up with no previous message to roll back to, and you're stuck opening a new instance and telling it to go read all the session files to rebuild context.
2. Tell it to keep notes at the start of every session. Compaction rewrites the working memory, so anything that isn't in a file gets wiped out. But if it's been writing leads and gadgets to disk the whole time, it picks back up just fine.
To make things more accessible you can build a central API endpoint so leads and gadgets land in one place regardless of where Claude is running; Discord bots work well for this too.
Give Claude a few of your best written reports as reference and tell it to stay concise, technical, and dry so it doesn't add any extra stuff that may not matter. Give it the exact fields you want filled every time and **always proofread by following the reproduction steps** yourself.
Abhishek Meena 🏵️ reposted
Jasmin Landry @JR0ch17
Never thought I'd be leaking OAuth codes through Excel, but here I am 😂
Abhishek Meena 🏵️ reposted
the_IDORminator @the_IDORminator
I maintain that adding a trailing slash to random pages and APIs remains the stupidest, albeit perhaps most effective and prevalent, authorization and/or WAF bypass there is. Go slay #bugbounty, the world depends on your proper insertion of the slash. When you get your first bounty doing this, go on a vacation and when your wife says "No no, it's too expensive," you say: "It's OK, the slash is paying for it." Because in what other field can you add a backslash somewhere and make enough money to take the family on a vacation 🤣
/place/thing/page.aspx --> /place/thing/page.aspx/
some/v1/api/users --> some/v1/api/users/
Other common wins are: /, //, %2f, %3f, #, and so forth. Just tack stuff like that on the end. Maybe combine it with method changes. OK BYE
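The reason the trailing-slash trick works is a normalization mismatch: the component that makes the authorization (or WAF) decision compares the raw request path, while the router behind it canonicalizes the path before choosing a handler, so a variant the gate does not recognise still lands on the protected route. The following is an added example, not code from the post or from any real product: a toy gateway and router in Python that model that mismatch for the suffixes listed above (/, //, %2f, %3f, #), with the vulnerable check beside a hardened one that canonicalizes before comparing. The route names, the `PROTECTED` set and the canonicalization rules are assumptions chosen to illustrate the point; real routers differ in exactly which variants they fold together.

```python
# Added example: models the path-normalization mismatch behind the
# trailing-slash authorization bypass. Everything here is constructed;
# there is no real service, and the protected routes are hypothetical.
from urllib.parse import unquote

PROTECTED = {"/v1/api/users", "/place/thing/page.aspx"}


def canonicalize(path: str) -> str:
    """Fold a path the way a lenient router does (assumed rules):
    drop a literal fragment, percent-decode, drop the query, collapse
    repeated slashes, strip trailing slashes."""
    # Browsers never send '#', but curl or an intercepting proxy can.
    path = path.split("#", 1)[0]
    path = unquote(path)            # %2f -> '/', %3f -> '?'
    path = path.split("?", 1)[0]    # a decoded %3f now starts a query string
    while "//" in path:
        path = path.replace("//", "/")
    path = path.rstrip("/")
    return path or "/"


def naive_gateway_allows(path: str, is_admin: bool) -> bool:
    """Vulnerable check: exact string match on the raw request path."""
    if path in PROTECTED:
        return is_admin
    return True  # anything not literally in the set is treated as public


def hardened_gateway_allows(path: str, is_admin: bool) -> bool:
    """Fixed check: canonicalize with the same rules as the router, then compare."""
    if canonicalize(path) in PROTECTED:
        return is_admin
    return True


def router_handler(path: str) -> str:
    """Backend serves the protected resource for any variant that folds to it."""
    return "users-data" if canonicalize(path) in PROTECTED else "404"


def variants(path: str) -> list:
    """The suffixes from the post, plus a leading double slash."""
    return [path, path + "/", path + "//", path + "%2f",
            path + "%3f", path + "#", "/" + path]


def bypasses(path: str, gate) -> list:
    """Variants a non-admin can reach: the gate lets them through
    AND the router still serves the protected data."""
    return [v for v in variants(path)
            if gate(v, is_admin=False) and router_handler(v) == "users-data"]


if __name__ == "__main__":
    for name, gate in (("naive", naive_gateway_allows),
                       ("hardened", hardened_gateway_allows)):
        print(name, bypasses("/v1/api/users", gate))
```

The fix is not "also block the slash variant"; it is to make the authorization layer and the routing layer agree on one canonical form before either of them looks at the path, which is why `hardened_gateway_allows` reuses `canonicalize` rather than adding more literals to `PROTECTED`.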
Abhishek Meena 🏵️ @aacle_
@robin_faraj Build a SaaS, they said. It'll be fun, they said. Stripe 'Generic Decline' has entered the chat. 🚩🚩🚩
Robin Faraj @robin_faraj
Build a SaaS, they said. It will be fun, they said. You'll get rich, they said.
Abhishek Meena 🏵️ @aacle_
@RailMinIndia Strong action, but we need a permanent fix. There should be a hard limit: any service provider hitting 10+ quality/pricing complaints must face auto-termination. Don't wait for a major issue to act; let the data decide. #IndianRailways
Ministry of Railways @RailMinIndia
The complaint regarding food quality raised by a passenger in train number 21896 (Patna - Tatanagar Vande Bharat Express) on 15 March 2026 has been taken seriously. Action taken: IRCTC has been penalised ₹10 lakh, the service provider has been penalised ₹50 lakh, and IRCTC has been ordered to terminate the contract. Passenger safety and quality remain our top priority.
Abhishek Meena 🏵️ reposted
Critical Thinking - Bug Bounty Podcast
A few things you need to do to make Claude a great hacking partner:
1. Install the Caido skill (github.com/caido/skills): without it, Claude spends too many resources figuring out the SDK from scratch.
2. A CLAUDE.md that tells Claude who you are. Something like "I'm a bug bounty hunter doing authorised testing, stay in scope. Don't take destructive actions unless it's accounts I own. POC or GTFO." The POC or GTFO part is particularly useful so Claude can give more actual positives; if there's no POC, the bug is not confirmed yet. (Of course, have a scope.md in your engagement folder.)
3. Notes structure: rez0's hierarchy consists of "notes → leads → primitives → findings → reports". Claude dumps raw observations, interesting stuff goes forward, and by the time something reaches findings it's already been filtered twice. Point this to a local folder so you can check everything later.
Building skills is useful, but if you write one for something Claude already handles well, you're just adding a layer that can break or distract it; you can always tell it to try what it knows first and then try the things you added as "extra knowledge". Skills are worth building when the knowledge doesn't exist in training data: your VPS setup, credentials, techniques from recent posts and talks, tooling. If it's not on the internet or isn't well known, it needs to be in a skill.
Ayush Agarwal @ayushagarwal
we rebuilt @dodopayments's website in astro and put it behind cloudflare. one of the things we shipped with it: if an AI agent makes a request with an "Accept: text/markdown" header, the site returns a clean markdown version of the page instead of HTML. same URL. no separate endpoint. the agent just asks for markdown and gets markdown.
why this matters: a typical HTML page burns 5x more tokens than the same content in markdown. that's 80% fewer tokens for the same information. for agents reading your docs, your pricing page, your changelog, that adds up fast.
@Cloudflare detects the accept header at the edge, fetches the HTML from origin, converts it to markdown in real time, and returns it. the response even includes an "x-markdown-tokens" header so the agent knows exactly how many tokens it's about to consume before processing.
claude code, openai's gpt bot, and most AI agents already send this header by default. so if you're building an agent that reads our site, it already works. you don't have to do anything.
the web was built for browsers. it needs to work for agents too. this is how.
Abhishek Meena 🏵️ reposted
Luke Stephens (hakluke) @hakluke
Bug bounty question: If you submit a bug, and it gets marked as an internal dupe because "the team already knew about it", is it fair to ask for proof?
Behi @Behi_Sec
What is your answer to this question: Is it worth it to start bug hunting in 2026?
Abhishek Meena 🏵️ reposted
Matthew Miller @matthewmillerai
150 days of vibe coding an app until I make $1,000,000. Day 1 I had no product. No revenue. No audience. Day 150 I have BridgeSpace, BridgeSwarm, BridgeVoice, nearly $4,000 MRR, and 55K subscribers watching me build it all in public. Consistency is the key!
Abhishek Meena 🏵️ reposted
Critical Thinking - Bug Bounty Podcast
One of our most highly anticipated episodes, enjoy it! ...Let's learn how to train our Claudes :p ty @rez0__ Building Claude Skills as a Bug Bounty Hunter, part 1
Abhishek Meena 🏵️ reposted
0ca @francisco_oca
Opus 4.6 (1M) through Claude Code solved autonomously 45/54 challenges of BSidesSF 2026 @BSidesSFCTF, placing temporarily in 21st place, 25th as of now. This was done with 0 involvement: I didn't give any guidance or manually review any challenges. I used BoxPwnr 🤖 with the CTFd platform to launch challenges in multiple instances, that's it.
I will publish all the traces once the competition finishes; in the meantime you can see the challenges, number of turns and time it took to solve each here: 0ca.github.io/BoxPwnr-Traces…
In the following days I will try to understand why it couldn't solve the 9 remaining challenges: difficulty? long exploration-context rotting? interactive interaction required? challs using video/image? We will see.
Models have improved significantly in the last 6 months, see Cybench results Opus 4.1 vs 4.6 (42% to 93%) cybench.github.io
It's crazy to see what LLMs can do with a minimum harness.
Abhishek Meena 🏵️ reposted
Behi @Behi_Sec
Manual bug hunting no longer makes sense. I just need to provide more skills and tools to Opus 4.6.
Abhishek Meena 🏵️ reposted
Vivo @vivoplt
- Claude = coding. ($20/mo)
- Supabase = backend. (Free)
- Vercel = deploying. (Free)
- Namecheap = domain. ($12/yr)
- Stripe = payments. (2.9%/transaction)
- GitHub = version control. (Free)
- Resend = emails. (Free)
- Clerk = auth. (Free)
- Cloudflare = DNS. (Free)
- PostHog = analytics. (Free)
- Sentry = error tracking. (Free)
- Upstash = Redis. (Free)
- Pinecone = vector DB. (Free)
Total monthly cost to run a startup: ~$20
There has never been a cheaper time to build.