whatever
@__mutale__
226 posts
#bughunter #pentester
Joined July 2024
225 Following · 45 Followers
whatever
whatever@__mutale__·
@the_IDORminator I know this is very unnecessary but I have to ask...how do u pick a target? And what bugs do u find mostly a success in ur approach
the_IDORminator
the_IDORminator@the_IDORminator·
I spent ~6 hours yesterday working on a target. If you check my recent post about "Step 1", I was on part "D". I found 3 distinct P1s, one of which probably could have been broken down into 8 specific BAC issues but that sounded like too much work.

Issue 1: LFI/traversal
As I mentioned, this was found by searching all of my recon files (batch GAU outputs) for "filename=", then tinkering with any of them that looked susceptible. This was literally a one-liner in a GAU file that could have been easily overlooked because the stem of the URI path actually ended in .PDF, which turned out to have no impact on the URI param itself. Probably why it was missed in the past. So it looked like /app/filename.pdf?filename=test.pdf; but /app?filename=test.pdf still brought the file back, and the LFI was in the filename param.

Issue 2: Account Takeover
After self registering on a site, I was able to find a section that lets you "invite a user" to your team, and assign a role like admin. However, the payload didn't check the team integer belonged to me, so I could invite myself via email as an administrator to any team in the system, granting full access. Oops. This was an IDOR in a POST JSON body. You find this stuff by using the software and interacting with it.

Issue 3: Privilege Escalation BAC
After self registering for a site, I dumped all of the API paths from any JS I could find. I made sure to remove any that said logout or logoff. I do this so my session isn't logged off while testing. I then hit them all in intruder with my authenticated session, and noted those which did not 403 or 302 redirect to the logoff or logon page (indicating no access). I then assessed each request that had a 200, and noted ~8 administrative pages that had read/write access to important functions and PII.

In summary, no I do not think bounty has gotten any harder, looks like the same game. That was about a $2500/HR hunting spree assuming no duplicates and what not.

AI is a capable tool now for hunting, but it will be a long time if ever before it affects the bug count on the internet at large. That said, I hear actually getting triaged and paid may be a different matter these days 🤣

How did AI help? AI was able to very quickly help me find LFI paths given the architecture/stack to dump important files AFTER discovering the bug. This would have been more difficult in the past. I use it for very specific tasks to speed things along, help with payloads, parse JS, and things of that nature... when needed. It's not the first thing I turn to.
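Defender-side illustration of "Issue 2" in the post above, added here and not part of the thread: the team-invite handler with the missing object-level check beside a hardened version. The in-memory store, user ids, email addresses and role names are constructed assumptions, not anything from the target described.

```python
from dataclasses import dataclass, field

@dataclass
class Team:
    team_id: int
    members: dict = field(default_factory=dict)  # user id -> "admin" | "member"

# Constructed sample state (assumption): user 7 is admin of team 42 only,
# team 1 belongs to other people. Rebuilt per call so runs stay independent.
def sample_state():
    return {
        1: Team(1, {100: "admin", 101: "member"}),
        42: Team(42, {7: "admin"}),
    }

USERS_BY_EMAIL = {"victim@example.com": 100, "attacker@example.com": 7}

def invite_vulnerable(teams, session_user, body):
    """Trusts team_id from the JSON body and never asks whether the caller
    belongs to that team, so any caller can add any email to any team as admin."""
    team = teams[body["team_id"]]
    invitee = USERS_BY_EMAIL[body["email"]]
    team.members[invitee] = body["role"]
    return {"status": 200, "team": team.team_id, "role": body["role"]}

def invite_fixed(teams, session_user, body):
    """Object-level authorization: the team named in the body must exist and the
    session user must already be an admin of it. The invitee is resolved and the
    role is validated against an allow-list before anything is written."""
    team = teams.get(body.get("team_id"))
    if team is None:
        return {"status": 404}
    if team.members.get(session_user) != "admin":
        return {"status": 403}  # the check the vulnerable handler skipped
    invitee = USERS_BY_EMAIL.get(body.get("email"))
    if invitee is None or invitee == session_user:
        return {"status": 400}  # unknown address, or self-invite to change own role
    role = body.get("role")
    if role not in ("member", "admin"):
        return {"status": 400}
    team.members[invitee] = role
    return {"status": 200, "team": team.team_id, "role": role}

if __name__ == "__main__":
    payload = {"team_id": 1, "email": "attacker@example.com", "role": "admin"}
    print(invite_vulnerable(sample_state(), 7, payload))  # 200: caller becomes admin of team 1
    print(invite_fixed(sample_state(), 7, payload))       # 403: caller is not on team 1
```

The fix binds the request to the caller's existing authorization on the specific object instead of the identifier the client supplied; that is the same check missing from the ~8 administrative pages in "Issue 3".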
whatever reposted
Shad0w
Shad0w@Itx_Shad0w·
For years, Google API keys (AIza...) had little to no real-world impact. But recently, many of them unexpectedly gained access to Google Gemini.
curl "generativelanguage.googleapis.com/v1/models?key=…"
This appears to be a widespread misconfiguration that can be hunted in the wild.
whatever
whatever@__mutale__·
@the_IDORminator I wish u tweeted this kind of stuff, I wouldn't be a bank robber🤦‍♂️🤦‍♂️🤦‍♂️
whatever reposted
the_IDORminator
the_IDORminator@the_IDORminator·
#BugBounty Step 1: "Find the things"

So you open a brief, and poo.com is in scope. What is your first move?

A] For me, I find every domain/subdomain I can affiliated with poo.com. I dump them all, from numerous sources, and de-duplicate. Create your own process here.

B] Now I blast all unique domains for poo.com on common web ports to see which are readily internet facing (80,443,8080,8443,etc.). This is lazy but catches 99% of them. If it responds, regardless of response code, it's alive. If you feel like overachieving, scan more ports.

C] Now I create a list of unique "responsive domains". I run each of these through to find links and save a unique file for each domain containing links, way back info, indexed search engine URIs, etc. This step generally contains money by itself.

D] Use your brain and start exploring the data (links, sites, paths) manually to see what looks interesting or vulnerable, while recording everything in Burp to start collecting JS files and paths. Clicking things really isn't hard, so maybe don't skip this step. Though I appreciate it when everyone does.

E] For best ROI (at least on new targets), start with domains with the most data/indexed links as it keeps the fuzzing/guesswork to a minimum. For older mature targets, perhaps start with those where the site responded but zero history or search engine data comes back. These may have been mostly untouched, but you will have to figure out what lives there. Sometimes visiting other sites uncovers these paths in JS.

... now the fun begins. OK BYE 😆
Essential
Essential@only01Essential·
Another project saved 🙌 A chain halt bug this time. $4,000 for the disclosure. Expected more, but we move
whatever
whatever@__mutale__·
@zack0x01_ “check it out” my brother in crime🙆‍♂️ we physically cannot access localhost 😭
zack0x01
zack0x01@zack0x01_·
Claude Code 4.7 is insane. i know literally NOTHING about coding. ZERO. and i just built 3 fully functioning web apps in 30 minutes. http://localhost:3000/ http://localhost:8000/ http://localhost:5000/ check it out.
whatever reposted
Yunus Emre Öztaş
Yunus Emre Öztaş@ynsmroztas·
🚨 CVE-2026-44578 — Next.js WebSocket SSRF
Built a scanner + interactive exploit shell. AWS credentials exfiltrated in 3 steps:
[1/3] Cloud auto-detect → AWS confirmed
[2/3] IAM role found: profile
[3/3] 🎯 AccessKeyId + SecretKey + Token
✅ Pipeline ready: subfinder | httpx | nextssrf
✅ Zero dependencies (stdlib only)
✅ Interactive shell with auto IAM chain
Affected: Next.js 13.4.13 → 15.5.15
Fixed: 15.5.16 / 16.2.5 (self-hosted only)
🔗 github.com/ynsmroztas/nex…
#BugBounty #InfoSec #RedTeam #AppSec #bugbountytip #bugbountytips #infosec #recon
whatever reposted
Biscuit
Biscuit@OreoB1scuit·
A friendly reminder on how to NOT accidentally stumble upon exposed financial data in under 2 minutes.
1. Do NOT visit FOFA search engine (en.fofa.info), it's just a search engine, totally harmless, nothing to see here.
2. Absolutely do NOT run this query to find misconfigured S3 buckets leaking invoices: host="s3.amazonaws.com" && body="invoice" && body=".pdf"
Because clearly, companies have their cloud security fully under control and there's zero chance you'd find thousands of exposed PDFs with sensitive financial data sitting wide open on the internet. Zero. Chance.
Stay curious. Patch your buckets. 🪣🔒
#BugBounty #CloudSecurity #OSINT #AWS #InfoSec #S3 #Misconfiguration
whatever
whatever@__mutale__·
@nav1n0x So u guyz were there in 2003???😳😳🙆‍♂️🙆‍♂️🙆‍♂️🙆‍♂️
whatever
whatever@__mutale__·
@Shabosec @sachin_pandey98 Woowww..oh my god!!!! Ur a genius 🙆‍♂️🙆‍♂️🙆‍♂️how do u plz find those self-hosted programs...I wanna transition to that