Roronoa

1.8K posts

@_jayesh_7

Ancora imparo 🛌

Joined May 2020
729 Following, 243 Followers

Pinned Tweet
Roronoa (@_jayesh_7):
Reached level 4 🫣.

zseano (@zseano):
i'm taking a pause from hacking to resume building bugbountyhunter.com. i regret closing it down and I shouldn't have done it. everything will be back online EXACTLY as it was very soon and i've got some big plans for the future. and yes, that includes zseano methodology v2 ;)

Roronoa retweeted
Douglas Day (@ArchAngelDDay):
The best career move I ever made was abandoning traditional employment and doing my own thing! The "safe" path is not that safe in the long run!
HackerOne (@Hacker0x01):
What if your biggest career risk was actually the safest move you could make? @ArchAngelDDay spent years in application security, climbing the ladder, running bug bounty programs, doing everything right. Then he walked away from all of it. Today he's a full-time independent security researcher, a HackerOne champion, and home every Tuesday afternoon with his kids. And he built an AI bot that finds vulnerabilities while he sleeps. This is the story of how he engineered that life and what it really took to get there 👇 bit.ly/3Ofzp44


Roronoa retweeted
Bour Abdelhadi (@BourAbdelhadi):
AI is changing bug bounty, but without fundamentals even the best prompts won’t save you. Think first, prompt second. bour.ch/ai-bug-bounty/

Roronoa retweeted
International Cyber Digest (@IntCyberDigest):
No way 😂 A Redditor installed malware without realising it, it kept changing his browser's search engine to Yahoo. Instead of removing the malware, he vibecoded a browser extension that also acts like malware to redirect Yahoo back to Google and published it in Google Web Store.

Roronoa retweeted
James Kettle (@albinowax):
I'm thrilled to announce "Can AI Do Novel Security Research? Meet the HTTP Terminator" will premiere at @BlackHatEvents #BHUSA! Check out the abstract:

Roronoa retweeted
Shad0w (@Itx_Shad0w):
A couple of months ago, I told a friend about bug bounty and encouraged him to give it a try. I kept checking in on him here and there, sharing whatever I knew even though I was still a beginner myself. A few days ago, he landed his first bounty. Seeing your friends win hits different. It’s a whole other kind of happiness.

Roronoa retweeted
bugcrowd (@Bugcrowd):
$1,000,000 in bug bounties came down to one decision: pick a program and stick with it 👨‍💻😮‍💨 HX007, a hacker in the Bugcrowd community, made over $750K on a single program. Not by knowing more than everyone else. By knowing one target better than anyone else. 🔖 The longer you work a program, the more you understand the dev team behind it. Their patterns, their blind spots, the bugs they keep missing. It stops feeling like hunting and starts feeling like collaboration. When nothing's clicking, HX007 switches to a VDP, racks up some P1s, and comes back with his confidence rebuilt. 💡 More advice from HX007 and why he hunts on Bugcrowd: bugcrowd.com/blog/how-i-hac…

Roronoa retweeted
the_IDORminator (@the_IDORminator):
I maintain that adding a trailing slash to random pages and APIs remains the stupidest albeit perhaps most effective and prevalent authorization and/or WAF bypass there is. Go slay #bugbounty, the world depends on your proper insertion of the slash. When you get your first bounty doing this, go on a vacation and when your wife says "No no, it's too expensive." You say: "It's OK, the slash is paying for it." Because in what other field can you add a backslash somewhere and make enough money to take the family on a vacation 🤣

/place/thing/page.aspx --> /place/thing/page.aspx/
some/v1/api/users --> some/v1/api/users/

Other common wins are: /, //, %2f, %3f, #, and so forth. Just tack stuff like that on the end. Maybe combine it with method changes. OK BYE

Roronoa retweeted
the_IDORminator (@the_IDORminator):
🚨My #bugbounty course with @arcanuminfosec is 50% off for the entire month of April! This course teaches you how to go from "Zero to Hero" #hacking the web. Based on feedback, great for beginners or experienced hackers... may the 12345 be with you!😉 tinyurl.com/idorminator

Roronoa retweeted
YS (@YShahinzadeh):
I published one of the techniques that I've been using against OAuth providers, honestly, it's led me to discover many flaws, and recently I used it to find a 1-click ATO on one of the most widely visited websites, I hope you find it useful :-) blog.voorivex.team/story-of-abusi…

Roronoa retweeted
Griffin (@aussinfosec):
I have been doing bug bounty since 2011 and ran a program for a multinational bank. Put everything I've learned into bugbounty.info. Target selection, recon pipelines, chain patterns, report templates, the business side. Free, no paywall, no course upsell.

Roronoa retweeted
Behi (@Behi_Sec):
Nothing is more energy-consuming than starting on a new bug bounty program. AI is fixing that. Simply ask Claude in Chrome to browse the entire application and provide you with a review of its attack surface.

Roronoa retweeted
Behi (@Behi_Sec):
Meet BugSkills. I built a tool to convert the knowledge and methodology used in your HackerOne reports into AI skills you can use to automate vulnerability discovery. Thank you @rez0__ for the idea. github.com/BehiSecc/bugSk…

Roronoa retweeted
Damian Strobel (@damian_89_):
Hey guys, I just launched argosdns.io - if you are into IT security, bug bounty hunting, red teaming, ... this is interesting for you! argosdns.io

Roronoa retweeted
Piyush Shukla 🇮🇳 (@PiyushShukla__):
One day the bug will be left behind and I'll be the one who gets hunted 🤷‍♂️