Thee Eclipse

A write-up about an interesting SSRF chain I found earlier this year eib.hashnode.dev/crafting-a-ful…

Vulnerability-spoiler-alert has detected its first two live “negative-days” in Grafana! CVE-2025-41117 (XSS) and CVE-2026-21722 (Privesc) are still unpublished right now, but is detectable via commits in the open-source repo. That’s at least 1 hour early. PoCs and more at vulnerabilityspoileralert.com

Cloudflare Bypass Tool based on SeleniumBase UC Mode github.com/1837620622/clo…

🎲My 2025 Hacking Recap on @Hacker0x01 🎲 Got the Global 70Th and 1st for my country #Kenya 🇰🇪. I did not achieve all the personal milestones but it was a successful year with 100+ validated hacking instances. 2026: Work on high and critical hacking ONLY #Hacking #Cybsecurity

Just published my first blog post "Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover" You can read the full write-up here: zere.es/posts/cache-de…

~XSS checklist With a new video out ! youtu.be/wI0uxV_U1lc #bugbounty

GCP’s instance metadata service is still one of the most interesting targets in cloud environments. SSRF protections look strong on paper but subtle parsing quirks can break them completely. Three neat bypasses: [image] What makes these relevant in 2025 is not the exact payloads (patched long ago) but the thought process: - Protocol mismatches (HTTP/1.0 vs HTTP/1.1) - URL normalization differences - Parsers discarding parts of a path (; or //)

~Subscription model testing checklist New POC video out too youtu.be/uh75G0bUhPQ #bugbounty

#bugbountytips #bugbounty How I was able to find multiple critical vulnerabilities to get Full Account Takeover with the help of PlayStore and AppStore region settings.

need uuid but cant find it anywhere ?? just go to target's community discord server ton of people are pasting their error message/screenshots asking for help😂 #bugbounty #bugbountytips

How to bypass Cloudflare WAF? @FearsOff #bugbountytips #cloudflare #waf #bypass 1. Found an SQL injection but getting blocked by Cloudflare? Here's a pro tip 😏

~JWT checklist New video out too youtu.be/sb3phDiGA0Q #bugbounty

@SerialPwny @infinitelogins No, just username is enough

My profile on the #Disclosed Hacker Directory! disclosedonline.com/u/theeeclipse 🫡Perfect work by @infinitelogins #BugBounty #CyberSecurity

@_mailler @trevorsaudi 😂😂

@trevorsaudi @Thee_Eclipse 😂 Tutalala tukiondokea huku.

I think we’re close to a possible high/crit (big maybe) then here comes cloudflare with a 1 hour ban for every 3 req🤣

~Ssrf New video out youtu.be/i_Cb2GIdcLs #bugbounty

Good morning, our programme for the day. #BSidesNairobiPreCon2025 @SafaricomPLC @Hacker0x01

~Features likely vulnerable to race conditions new video out too youtu.be/fi3p5QuiI68?si… #bugbounty

lol, this works on Firefox: <object data=# codebase=javascript:alert(document.domain)//> OR <embed src=# codebase=javascript:alert(document.domain)//>

xcrawl3r: Give It a Spin! Unlike xurlfind3r, xcrawl3r interacts directly with the target by spidering its pages. This approach allows it to discover URLs that may be hidden or unindexed, providing a complete picture of the website’s navigational flow and content distribution.