Pinned Tweet
Rezy Dev 🇳🇵
272 posts

Rezy Dev 🇳🇵
@RezyDev
Security Researcher | HTB CPTS | Penetration Tester | Open To Work
Kathmandu, Nepal · Joined October 2021
127 Following · 244 Followers

@marriot @Hacker0x01 and @Hacker0x01 mediation?
That just looks like a joke and they don't really care about the researchers..
There's been no response in the 5 months since the mediation:


On December 11, we reported an AWS token leaked on a public repository belonging to marriot infrastructure, which had the SES service with a verified domain of @marriot.com. On December 12, @Hacker0x01 closed the report as n/a, saying github.com is explicitly out of scope:



@OreoB1scuit Very much yes. I have a lot of reports pending with no reply and it is killing motivation slightly.
Rezy Dev 🇳🇵 retweeted

I have just completed the Attacking GraphQL module on HTB Academy!
Short yet perfect module. ;)
academy.hackthebox.com/achievement/73…
#hackthebox @hackthebox_eu #webhacking
Rezy Dev 🇳🇵 retweeted

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
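Added example, not code from the post above or from Socket: a Node.js script that audits an npm lockfile for the two indicators the post names (the package plain-crypto-js at any version, and axios at 1.14.1), handling both the v1 nested layout and the v2/v3 flat layout. The sample lockfile is constructed; the indicator list is taken only from the post.

```javascript
// Added example (not from the original post): audit an npm lockfile for the
// package and version named in the axios advisory above.
// Assumptions: lockfile v1 ("dependencies") or v2/v3 ("packages") layout.

// Indicators taken from the post above (not an exhaustive list).
const SUSPECT_PACKAGES = new Set(["plain-crypto-js"]);       // any version is suspect
const SUSPECT_VERSIONS = { axios: new Set(["1.14.1"]) };     // only these versions

function isSuspect(name, version) {
  return SUSPECT_PACKAGES.has(name) ||
    (SUSPECT_VERSIONS[name] !== undefined && SUSPECT_VERSIONS[name].has(version));
}

// Returns [{ name, version, where }] for every lockfile entry matching an indicator.
function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfile v2/v3: flat "packages" map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (isSuspect(name, meta.version)) findings.push({ name, version: meta.version, where: path });
    }
  } else {
    // lockfile v1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        if (isSuspect(name, meta.version)) findings.push({ name, version: meta.version, where: path });
        walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (v3 layout) so the script runs offline.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")) and treat any finding as a reason to stay on a known-good pinned version.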

@AlfinCodes For a single year, GoDaddy is pretty good with their first year discounts. For long term like 10 years, Cloudflare wins easy.


Quick tip for bug bounty hunters:
Use github.com/Rezy-Dev/Endpo… to quickly extract interesting endpoints with a single click. It’s especially useful for finding API endpoints in large JavaScript files.
#BugBounty #BugBountyTips


@Ruturaj_04 Yes, available in my GitHub. DM me, I'll send you the link.


@EvanKlein338226 I tried techniques like case manipulation of event handlers and null bytes. Mixing tricks made some payloads work. One simple XSS payload I found on Twitter months ago still bypasses the Cloudflare WAF. Surprisingly, it still works! Haha.

@RezyDev Nice find! Case manipulation bypasses are underrated. Also try event handler variations like OnMoUsEoVeR or mixing in null bytes/unicode.
The fact that basic regex patterns still work against major WAFs in 2026 is wild 🔥

Just found a simple Cloudflare WAF bypass 👀
<img src=x onerror=alert()> → blocked by Cloudflare
<Img Src=OnXSS OnError=alert(document.domain)> → bypasses the WAF and triggers the alert.
#BugBounty #BugBountyTips #WAFBypass


If you haven't sent 200 modified requests, you haven't tested anything yet.
#BugBounty

Another fun web hacking challenge I made for @hackinghub_io
Chain and pwn. :)
Link:
app.hackinghub.io/hubs/esh-sewa

@leroibull @hackinghub_io Hello @leroibull.
I can give you a hint or narrow things down for you. Stay on the is_admin_username(...) function and study it properly. You should be able to solve it.

@RezyDev @hackinghub_io Hi @RezyDev, thank you for the challenge.
I don't have much experience, but I have tried almost everything I know and it is not working. I know there is a discrepancy between the registration and the account verification process, but all my attempts to bypass it are not working 😢

I just published a new Web CTF challenge: SmallMart 🛒
It’s all about source code review → find the bug → exploit it.
Try it on @hackinghub_io: app.hackinghub.io/hubs/smallmart

I just completed the module Introduction to Web Applications in HTB Academy! academy.hackthebox.com/achievement/21… #hackthebox #htbacademy #cybersecurity
