Md Injamul Haque
@MdInjamulHaqu
885 posts
Joined December 2016
143 Following, 98 Followers
Md Injamul Haque retweeted
the_IDORminator@the_IDORminator·
DoS bugs in graphQL are fun! When you run into a GQL (graph query language) instance when testing, check for DoS (denial of service) if it is in scope for the program. It is very common for developers to create a structure that can be queried recursively to cause resource exhaustion, be it CPU, memory, etc, leading to a denial of service for either the entire graph endpoint or a subset of services/APIs that drive it.

What is graphQL? It's basically an annoyingly structured query language built around JSON for calling APIs. Everything is explicit, case sensitive, and generally hates you. Hundreds of APIs can all be gated by a single graphQL instance, allowing developers to create queries or mutations that pull or update data points from multiple back end APIs in a single call. Most of the time the endpoint is "/graphql" or "gql".

How does this Denial of Service thing work? I've found a bunch of these in my time in bug bounty. It's actually the first thing I check when I hit a graph endpoint. In its simplest form, let's say we have three different points of data: users, friends, and posts. If we query the "users" object, we can request the friends of that user, and any posts the user has made. As we drill into the friends, we see it also lists the friends' posts, and if we drill into posts, we see posts list the "user" object again so we can see who made it.

What is the problem? We can build a query that grabs users, and all its posts. Then for each user, all the friends, and all their posts. Then for each post for each friend, which user: pause here. Now we are back to users. So we nest it another layer deeper, for each user of each post of each friend, do it all over again... and repeat, and repeat, and repeat. Then you run it once and the server dies. But don't actually do that.

The catastrophic nature of this type of query is multiplied by the data points you return, so if you find a single intensive/robust field and return it for each loop, that is enough to kill it. When testing this, start small (only one or two deep to gauge the server response time) so you don't hurt anything. If you are able to see that the response time is doubling or more, go ahead and stop and report it for safety. The $8000 bounty was the best I've gotten for this particular bug; most companies aren't super keen to pay for denial of service bugs but they are real enough. Here are a couple good explanations on this: apollographql.com/blog/securing-… graphql.org/learn/security… #hacking #appsec #bugbountytips
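Added here as an example, not code from the post above or from any project it mentions: the depth pre-check a GraphQL gateway can run before executing a document, which is the standard defence against the users → friends → posts → user recursion the post describes. `selection_depth`, `check_query` and `nested_query` are hypothetical names, the constructed queries are test input, and the check assumes the documents use no fragment spreads (it counts braces and does not expand fragments).

```python
# Added example, not from the original post: reject GraphQL documents whose
# selection sets nest deeper than a limit, the usual defence against the
# users -> friends -> posts -> user recursion described in the post.

def selection_depth(query: str) -> int:
    """Maximum nesting depth of selection sets ({ ... }) in a GraphQL document.

    Braces inside string literals (plain and triple-quoted block strings) and
    # comments are skipped. Fragment spreads are NOT expanded (assumption:
    documents checked here use none), so fragment-hidden depth is missed.
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                        # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):     # block string
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 3
            continue
        elif ch == '"':                      # ordinary string, honour escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def check_query(query: str, limit: int = 6) -> bool:
    """True when the document is within the depth limit, False when it must be rejected."""
    return selection_depth(query) <= limit


def nested_query(cycles: int) -> str:
    """Constructed test input: the post's recursion, `cycles` times round the
    friends -> posts -> user loop (depth = 2 + 3 * cycles)."""
    body = "id"
    for _ in range(cycles):
        body = "friends { posts { user { " + body + " } } }"
    return "query { users { " + body + " } }"
```

Run the check on the raw document before parsing or executing it; a rejected query should be logged with its depth so repeated attempts are visible to detection.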
Md Injamul Haque retweeted
Koupon@Shabosec·
I think I'm in love with Next.js 😍😍❤️❤️ I found 2 Admin Account Takeovers 🔥🔥🔥 I found the Origin IP in the JS and API endpoints 1. "api/room/dashboard" 2. "api/admin/users" boom 🔥🔥🔥🚀🚀🚀🚀 Big up @badcrack3r @lostsec_ for the API endpoint extension 🔥🔥🔥🔥
Md Injamul Haque retweeted
Coffin@lostsec_·
People seriously underestimate how dangerous leaked Google API keys are. With just a little know-how, you can use them to access Gemini without spending money. This clip is just a small demo. I’ve covered a wide range of dorks and methods in my member only video. youtu.be/3KMUnLdlOSE
Md Injamul Haque retweeted
Chioma Amadi@Chioma__Amadi·
If you’re hunting for a remote job, you just need to figure out how Reddit works, and you’ll never be unemployed for a long time. Here’s a list of subreddits you should bookmark right now:
Md Injamul Haque retweeted
Embassy of Spain UK@EmbSpainUK·
Spain condemns the death penalty for Palestinians passed by the Israeli parliament. This is an asymmetrical measure, as it would not apply to Israelis who committed the same crimes. This is not justice. It is a further step towards apartheid. The world cannot remain silent.
Pedro Sánchez@sanchezcastejon

The Government of Spain condemns the death penalty against Palestinians that the Israeli parliament has just approved. It is an asymmetrical measure that would not apply to Israelis who committed the same crimes. Same crime, different penalty. That is not justice. It is one more step towards apartheid. The world cannot stay silent.

Md Injamul Haque retweeted
Joseph Thacker@rez0__·
claude code in caido go brrrr
Md Injamul Haque retweeted
the_IDORminator@the_IDORminator·
I maintain that adding a trailing slash to random pages and APIs remains the stupidest albeit perhaps most effective and prevalent authorization and/or WAF bypass there is. Go slay #bugbounty, the world depends on your proper insertion of the slash. When you get your first bounty doing this, go on a vacation and when your wife says "No no, it's too expensive." You say: "It's OK, the slash is paying for it." Because in what other field can you add a backslash somewhere and make enough money to take the family on a vacation 🤣

/place/thing/page.aspx --> /place/thing/page.aspx/
some/v1/api/users --> some/v1/api/users/

Other common wins are: /, //, %2f, %3f, #, and so forth. Just tack stuff like that on the end. Maybe combine it with method changes. OK BYE
Md Injamul Haque retweeted
drak3hft7@drak3hft7·
If you're testing SSRF, don’t forget to try alternative IP encodings 👀 Blacklist filters are often weak, for example, octal encoding can slip through: 017700000001 → 127.0.0.1 This exact trick recently helped me bypass restrictions and successfully exploit an SSRF. #bugbounty #bugbountytips
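Added here as an example, not code from the post above: the server-side counterpart to the filter weakness it describes. A blocklist that compares the raw string never sees that 017700000001 is 127.0.0.1, so the fix is to canonicalise the address the way inet_aton does (this example goes beyond the post's octal case and also covers the hex, plain-integer and short dotted forms of the same rules) and decide on the canonical address. `canonical_ipv4` and `is_safe_destination` are hypothetical names; the sample addresses in the tests are constructed.

```python
# Added example, not from the original post: canonicalise the inet_aton-style
# IPv4 spellings that resolvers and URL libraries accept (the octal
# 017700000001 from the post, plus hex, plain-integer and short forms) and
# make the SSRF allow/deny decision on the canonical address, not the raw text.
import ipaddress
import re

_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(text: str) -> int:
    """One dotted part, inet_aton rules: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not _PART.match(text):
        raise ValueError(f"bad IPv4 part: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host: str) -> str:
    """Dotted quad for any inet_aton-style string (1 to 4 parts; the last
    part fills the remaining bytes, so 127.1 and 2130706433 are 127.0.0.1)."""
    parts = [_parse_part(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("IPv4 needs 1 to 4 parts")
    *lead, last = parts
    if any(v > 0xFF for v in lead) or last >= 1 << (8 * (4 - len(lead))):
        raise ValueError("part out of range")
    value = last
    for i, v in enumerate(lead):          # leading parts are single bytes, high to low
        value |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def is_safe_destination(host: str) -> bool:
    """Deny loopback, private, link-local, multicast, reserved and unspecified
    targets once the address has been canonicalised. Hostnames are not
    resolved here (assumption: the caller resolves first and checks every A record)."""
    try:
        addr = ipaddress.IPv4Address(canonical_ipv4(host))
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
```

The same check has to be applied again to whatever address the HTTP client actually connects to after redirects and DNS resolution, otherwise the canonicalisation only protects the first hop.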
Md Injamul Haque retweeted
Karim Wafa-Al Hussaini@DrKarimWafa·
Block the Strait of Hormuz for a week and the world goes mad, but block the Rafah crossing for years, preventing the entry of food and humanitarian aid into Gaza, and nobody bats an eye. It's not hard to see that this world values markets, profit and capitalism over human lives.
Md Injamul Haque retweeted
Justin Bonomo 🇵🇸@JustinBonomo·
Insane framing. He was anally gang-raped. He was severely beaten and then anally gang-raped on camera. Both a knife and a taser were reportedly used. There was a hole in his rectal wall. He got surgery for it. Because he was anally gang-raped by the IDF (on camera). He also had 7 broken ribs and other injuries as well. After it happened, Israelis staged multiple large protests in the streets. Not because they believe these soldiers did anything wrong, but because they were infuriated that the soldiers were arrested for anally gang-raping a Palestinian on camera. These protests weren’t just random people. They included multiple high ranking Knesset members (their Congress) who defended the anal gang/rapists. They didn’t stop there. They went after the lawyer who leaked the video. She was publicly smeared, was forced to resign, and was arrested. And now the anal gang-rapists who were caught on camera have had their charges dropped. They didn’t win in court. They weren’t somehow exonerated. The charges were completely and indefensibly dropped. The Jerusalem Post reports that there was sufficient evidence to take this to trial. This is part of a larger pattern of torture and impunity. NYT and many other major outlets have extensively detailed the abuses at the Sde Teiman torture factory. NYT reported that Prisoners lose 30+ pounds, a nurse was anally raped by a metal rod, another man was raped by a dog, and another was anally raped by a fiery hit rod until he died. Yes, the NYT reported all of that. I’ll share sources in the replies. Torture and sexual assault are commonplace at Sde Teiman, and many prisoners die in the process. The UN concluded that rape from IDF soldiers is so commonplace that it constitutes official “strategy of war”. And of course these monsters virtually never face jail time. Because Israelis by and large don’t have any problem with any of it. This is just what their society does. They torture Palestinians.
The Associated Press@AP

BREAKING: The Israeli military says it is dropping charges against five soldiers who were accused of sexually abusing a Palestinian detainee. apnews.com/article/israel…

Md Injamul Haque retweeted
Joseph Thacker@rez0__·
Never gets old seeing “🎉 Nice Catch” Maybe I need to find way more haha. Both of these were found overnight by claude code 😊
Md Injamul Haque retweeted
NullSecurityX@NullSecurityX·
Netflix CORS Misconfiguration (Live PoC) Real bug bounty workflow: finding, validating & exploiting a CORS issue + impact analysis. No theory — pure offensive testing. Watch 👇 youtu.be/3sbC0qBIouE
Md Injamul Haque retweeted
Biscuit@OreoB1scuit·
No one is talking about the "Cross-Site WebSocket Hijacking (CSWSH)" vulnerability in #bugbounty, I'm mentioning 2 reports to understand it better
Md Injamul Haque retweeted
Critical Thinking - Bug Bounty Podcast
PortSwigger dropped their Top 10 Web Hacking Techniques of 2025 and we covered all of them on the pod (in a completely random order). Here's a quick intro of the first 5 we talked about:

10 - @joernchen's parser differential talk from OffensiveCon25 is 28 minutes and worth every one of them. The JSON duplicate keys example is the entry point: Erlang reads the first `roles` key, JS reads the last, auth bypassed. But the double Authorization header trick is our fav part: the first header is the unsigned JWT with whatever admin attributes you want, the second is your legit low-priv token. Frontend validates the second and the backend grabs the first. youtube.com/watch?v=Dq_KVL…

8 - @salvatoreabello's XSS-Leak has nothing to do with XSS; it's a timing attack against Chrome's connection pool scheduling that leaks cross-origin subdomains without any injection. CTFy origin, but the writeup covers applications outside the CTF context. Chromium only. blog.babelo.xyz/posts/cross-si…

9 - @flomb_'s HTTP/2 CONNECT research needed an extra read off-camera to fully appreciate. He built a Go-based port scanner that runs entirely through HTTP/2 CONNECT tunnels: a successful connection returns :status 200, a failed one returns :status 503. Push raw HTTP/1.1 requests through and read back responses from internal services. If a target accepts CONNECT over HTTP/2, that's a free port scan and SSRF with no other precondition needed. blog.flomb.net/posts/http2con…

7 - @zhero___'s Next.js research goes after the framework's internal cache. `__nextDataReq=1` turns the page response into JSON, `x-now-route-matches` tricks Next.js into treating the request as SSG, flipping `Cache-Control` to cacheable. `__nextDataReq` isn't in the cache key, but `Accept-Encoding` is and every browser sends it... zhero-web-sec.github.io/research-and-t…

5 - @chudyPB's SOAPwn is a quick 93 page read. It's a quirk in how .NET handles HTTP client proxies: feed `HttpWebClientProtocol` a `file://` URI instead of HTTP, the cast fails silently while HTTP setup gets skipped and the SOAP body gets written straight to disk. watchtowr.com/wp-content/upl…
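Added here as an example, not code from the podcast post or from the talk it summarises: the duplicate-key differential in item 10 (one parser keeps the first `roles`, another keeps the last) and the defensive fix, a strict loader that refuses any object with a repeated key so both sides either agree or reject the body. `strict_loads`, `roles_seen_by` and `accepts` are hypothetical names, and the JSON body is a constructed sample; Python's `json` module is used both to model the two lenient behaviours and to build the strict one.

```python
# Added example, not from the podcast post: a strict JSON loader that refuses
# duplicate object keys, so a front end and a back end parsing the same body
# cannot disagree about which "roles" value applies.
import json

# Constructed sample body: the same key twice, as in the parser differential.
CONSTRUCTED_BODY = '{"user": "alice", "roles": ["user"], "roles": ["admin"]}'


class DuplicateKeyError(ValueError):
    """Raised when an object repeats a key anywhere in the document."""


def _reject_duplicates(pairs):
    # json.loads calls this hook once per object with its (key, value) pairs in
    # source order, duplicates included, so every nesting level is checked.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _first_wins(pairs):
    # Models a parser that keeps the first occurrence (the behaviour the post
    # attributes to Erlang); the default json.loads keeps the last, like JS.
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj


def strict_loads(text: str):
    """Parse JSON, raising DuplicateKeyError instead of silently picking a winner."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def roles_seen_by(text: str) -> dict:
    """The differential: what a last-wins and a first-wins parser each read as 'roles'."""
    return {
        "last_wins": json.loads(text)["roles"],
        "first_wins": json.loads(text, object_pairs_hook=_first_wins)["roles"],
    }


def accepts(text: str) -> bool:
    """True if the strict loader accepts the body, False if it contains a duplicate key."""
    try:
        strict_loads(text)
    except DuplicateKeyError:
        return False
    return True
```

Rejecting at the outermost parser (the gateway or front end) is what matters, because a lenient parser further back that never sees the body cannot be tricked by it.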