whatever
198 posts


⚡ Exposed .git/config File Leading to Potential Sensitive Information Disclosure
👨🏻💻 zoroo2 ➟ curl
🟨 Low
💰 None
🔗 hackerone.com/reports/3612891
#bugbounty #bugbountytips #cybersecurity #infosec

whatever retweeted

In less than 30 days, I've earned over $7,000 from bug bounties (Shopify, TikTok, and others).
Today, Shopify awarded me $3,475 for a security finding. I'm 19 and this feels unreal. You don't need to be a "genius." You just need to stay curious long enough.
#bugbounty
#hackerone


@devs_lyfe Depends on the effort, bro. For an XSS, yeah! But for RCE on a multi-trillion-dollar company? $18k can't even satisfy a help desk.

OG received $18k in bug bounties!
Shit, I'll just be happy to receive $5k 😂
dawgyg - WoH@thedawgyg
That was a bit disappointing... Just got $7,000 for my Chrome heap overflow read, and $11,000 for the heap overflow write... no bonus for report quality... ignored the bisect that was included... $11k for RCE in the renderer seems a bit low... so time for a new target...
whatever retweeted

🚀 **Hack Like a Pro:** Extract IPs from Shodan HTML in Seconds! 🔥
Sick of digging through HTML? Let `grep` do the work! 💻
```bash
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' ip.html | sort -u > ips
```
1️⃣ **Save Shodan page source as HTML**
2️⃣ **Run this command**
3️⃣ **BOOM 💥** — All IPs extracted to `ips`!
Master your toolkit! #KaliLinux #HackingTips #CyberSecurity #Shodan #OSINT
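Going a step beyond the one-liner in the post, here is an added example (my own script, not the original post's command) that pulls IPv4 addresses out of a saved results page, drops dotted quads whose octets exceed 255, and returns a de-duplicated list sorted numerically. The HTML it runs on is constructed for the demo, and it assumes GNU grep, awk and sort.

```bash
#!/usr/bin/env bash
# Added example, not the original post's command: pull IPv4 addresses out of a
# saved Shodan results page (or any HTML), reject dotted quads with an octet
# above 255, and emit a de-duplicated list sorted numerically by octet.
# Assumes GNU grep/sort/awk; the sample HTML below is constructed for the demo.
set -eu

# extract_ips FILE  ->  one unique, numerically sorted IPv4 per line
extract_ips() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" \
    | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Constructed sample: two hosts, one listed twice, one bogus quad (300.x) that
# the octet check must drop, and a jQuery version string that must not match.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<div class="ip"><a href="/host/203.0.113.10">203.0.113.10</a></div>
<div class="ip"><a href="/host/198.51.100.7">198.51.100.7</a></div>
<div class="ip"><a href="/host/203.0.113.10">203.0.113.10</a></div>
<span class="build">build 300.1.2.3</span>
<script src="/static/jquery-3.6.1.min.js"></script>
EOF

extract_ips "$sample"   # prints 198.51.100.7 then 203.0.113.10
rm -f "$sample"
```

Grep alone will happily match version strings and out-of-range quads; the awk filter and the keyed `sort -u` are what make the output safe to feed straight into a follow-up scan. The pattern is IPv4 only, so IPv6 results on the page are ignored.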
whatever retweeted

Watch BurpAI find and exploit a Server Side Template Injection bug.
Video by @0xTib3rius, for the full video check out 👇
youtube.com/watch?v=eQBD2-…


@thedawgyg I haven't yet used AFL++. What's the difference from ffuf? I come in peace 🛀

AFL++ custom mutators... Using one for the first time. It's incredible how much of a difference these little things make in the fuzzing campaign. No crashes yet on the new target (only been running for 20 hours, so that's expected). But I added the custom mutators 30 mins ago, and they are doing very well finding new paths.

@bumbukacan48228 Thank you! Both moved to P1 this morning as well. And I have a 3rd that should be S0/P1 xD


Another day, another #SQLInjection. This time, it's in the User-Agent header, leading to a full database takeover. Keep testing for SQLi on everything and everywhere... #SQL #SQLinjection #BugBounty

@thedawgyg Did you at least put a rate limit on the Agents before they achieve full autonomous bug bounty optimization? 😭

I gave the Agents access to all 3 of my fuzzing rigs. They are now controlling all 3 of them, putting the better harness on the others, and relaunching the campaigns on all machines lol. It has now taken over my distributed fuzzing network 😂😂😂
dawgyg - WoH@thedawgyg
After it wrote a better harness and proved my 3 bugs would trigger it, it killed all my running fuzzers and launched the new ones, telling me it would have a better chance of finding bugs that way lol

@thedawgyg Meanwhile I’m still manually refreshing my terminal like it owes me money.🤦♂️

'Watcher Agent' is now watching the afl-whatsup output (with watch updating every 2 seconds), and when any of the 50 fuzzer instances finds a crash, it's going to let 'Triage Agent' know, who will use my triage scripts to validate the bug, then pass it on to 'Exploit Dev Agent' to work on creating and verifying (with screenshots, ASan traces, build commands etc.) and providing me with a report on what to verify and where to submit lol

@0x686967 @__mutale__ to some i guess we still seem like magicians lol