Raviii
@_ravi_10
139 posts
Web Security Researcher || Bug Bounty hunter
Joined May 2021
120 Following · 7 Followers
Raviii retweeted
Faiyaz Ahmad
Faiyaz Ahmad@thehacktivator·
Most people stop at SQL injection, IDORs, and XSS—but some of the most impactful vulnerabilities are hiding far beyond these basics. If you’re curious to explore underrated, real-world vulnerabilities that rarely get enough attention, I’ve created a dedicated playlist that breaks them down with clear explanations and full practical demonstrations. Each video focuses on how the issue actually works, why it matters, and how to spot it in real targets. If you want to level up your security testing mindset and move beyond common findings, this playlist is for you: youtube.com/watch?v=GZ5yaQ… Let me know what you think—or which vulnerability you’d like to see covered next.
Raviii retweeted
Dark Web Informer
Dark Web Informer@DarkWebInformer·
🚨 CVE-2025-6389: WordPress Sneeit Framework plugin vulnerability currently under active exploitation
PoC: github.com/Ashwesker/Ashw…
▪️Vulnerability Type: Remote Code Execution (RCE)
▪️CVSS: 9.8
▪️Published: 11/24/2025
Impact:
▪️Full site compromise
▪️Create admin accounts
▪️Install backdoors/malicious files
▪️Redirect visitors or inject malware
Credit: @Nxploited youtube.com/@Nxploited
Raviii
Raviii@_ravi_10·
@d3doxp Really very impressive 👏🔥
Abdallah
Abdallah@d3doxp·
In this write-up, I detail how I escalated info/P4 into P1 and avoided brute-force 36^11 for UUIDs by exploiting typical human behavior. medium.com/@d3do/one-post-away-from-being-exposed-586c0d415f98
Raviii retweeted
ProjectDiscovery
ProjectDiscovery@pdiscoveryio·
When you find a live host, you shouldn't have to manually check for specific paths like /admin, /login, etc. How can you automate and speed this up? Use httpx to check an entire list of hosts for the presence and status code of specific paths in one single, fast pass.👇
httpx -l live_hosts.txt -path /admin,/login,/api/v1 -sc -o specific_paths_status.txt
#httpx #recon #enum
Raviii retweeted
Jenish Sojitra
Jenish Sojitra@_jensec·
Sharing my Burp Extension that earned me $200k in 2025 while API testing heavy JS-rich targets. github.com/jenish-sojitra… The tool helps find endpoints, files, internal emails, and some secrets from minified JS. Its goal is to achieve maximum efficiency with reduced noise in results. Contributions and feedback are welcome.
Raviii retweeted
/ XNL -н4cĸ3r (and @xnl-h4ck3r in the new Sky)
If you're still using gau or waybackurls, give waymore a try because it will honestly find you waymore endpoints! It can also download archived responses & you can run xnLinkFinder over the response directory to find even more endpoints, potential params, wordlist + oos domains 🤘
Raviii retweeted
Bour Abdelhadi
Bour Abdelhadi@BourAbdelhadi·
I do web bug bounty work from time to time, and I always start without tools. I begin with just the browser. I sign up, verify my email, log in if needed, and simply use the application as a normal user. How long I stay in this phase depends on the size and complexity of the system. If it is too large, I break it into smaller services and explore each one separately.

Once I understand how the product works, I try to understand the problem it solves and who uses it. This might seem unrelated, but it helps a lot when writing reports, especially when explaining impact and risk from the perspective of the business.

After I am comfortable with the application, I begin a simple threat-modeling exercise. I ask myself what can go wrong, focusing on logical issues and overlooked edge cases. Then I connect the dots between features to see how they interact. This step often leads to the more interesting and creative findings.

When I finish mapping the assets, understanding authN/authZ, and listing all potential threats, I start testing to confirm or reject each one. And I never assume that something is already secure. Developers get tired, deadlines happen, and even security engineers sometimes miss things.

By following this approach, you do more than find vulnerabilities. You learn the business domain, understand the architecture, and develop the skill to consistently spot security issues. Focus on learning, and always start with a clear timeline.
Raviii retweeted
The XSS Rat - Proud XSS N00b :-)
100 Exploits every bounty hunter should know! thexssrat.podia.com/christmas2024?…
BAC: Function-Level Authorization Bypass
BAC: Object-Level Authorization (IDOR)
BAC: Horizontal Privilege Escalation
BAC: Vertical Privilege Escalation
BAC: Missing Authorization on API Endpoint
BAC: Forced Browsing to Restricted Pages
BAC: Multi-Tenant Data Isolation Failure
BAC: Role Manipulation via Parameter Tampering
BAC: Authorization Based on Client-Side Logic
BAC: Insecure Direct Object Reference via UUID Guessing
AUTH: Account Enumeration via Error Messages
AUTH: Brute-Force Login Attack
AUTH: Credential Stuffing
AUTH: Weak Password Policy
AUTH: Missing Rate Limiting on Login
AUTH: Password Reset Token Leakage
AUTH: Password Reset Token Reuse
AUTH: Authentication Bypass via Logic Flaw
AUTH: Missing Multi-Factor Authentication
AUTH: OAuth Login Misbinding
SESSION: Session Fixation
SESSION: Session Hijacking
SESSION: Missing Session Expiration
SESSION: Predictable Session IDs
SESSION: Concurrent Session Abuse
SESSION: Logout Function Not Invalidating Session
SESSION: Session Token in URL
SESSION: Cross-Device Session Reuse
SESSION: Missing Session Rotation After Login
SESSION: Privilege Change Without Session Refresh
COOKIE: Missing HttpOnly Flag
COOKIE: Missing Secure Flag
COOKIE: Missing SameSite Attribute
COOKIE: Client-Side Cookie Trust
COOKIE: Cookie Scope Too Broad
INJECTION: SQL Injection
INJECTION: Blind SQL Injection
INJECTION: NoSQL Injection
INJECTION: Command Injection
INJECTION: OS Command Injection via File Upload
INJECTION: LDAP Injection
INJECTION: XPath Injection
INJECTION: Expression Language Injection
INJECTION: Server-Side Template Injection (SSTI)
INJECTION: CRLF Injection
XSS: Reflected Cross-Site Scripting
XSS: Stored Cross-Site Scripting
XSS: DOM-Based Cross-Site Scripting
XSS: Blind Cross-Site Scripting
XSS: HTML Injection Leading to XSS
CSRF: Missing CSRF Protection
CSRF: CSRF Token Reuse
CSRF: CSRF Token Not Bound to Session
CSRF: GET Request Performing State Change
CSRF: JSON CSRF via CORS Misconfig
CORS: Wildcard Origin with Credentials
CORS: Reflected Origin Trust
CORS: Null Origin Allowed
CORS: Overly Permissive Methods
CORS: Sensitive Headers Exposed
FILE: Unrestricted File Upload
FILE: MIME Type Validation Bypass
FILE: Path Traversal in File Upload
FILE: File Overwrite via Upload
FILE: Stored XSS via File Upload
PATH: Directory Traversal
PATH: Arbitrary File Read
PATH: Arbitrary File Write
PATH: Local File Inclusion (LFI)
PATH: Remote File Inclusion (RFI)
DESERIALIZATION: Insecure Deserialization
DESERIALIZATION: PHP Object Injection
DESERIALIZATION: Java Deserialization RCE
DESERIALIZATION: YAML Deserialization Abuse
DESERIALIZATION: JSON Deserialization Logic Flaw
LOGIC: Business Logic Abuse
LOGIC: Price Manipulation
LOGIC: Coupon Reuse Abuse
LOGIC: Race Condition (TOCTOU)
LOGIC: Negative Value Injection
INFO: Sensitive Data Exposure in API Response
INFO: Stack Trace Disclosure
INFO: Debug Mode Enabled in Production
INFO: Source Code Disclosure
INFO: .git Directory Exposure
SSRF: Server-Side Request Forgery
SSRF: Blind SSRF via PDF/Image Fetch
SSRF: Cloud Metadata Access
SSRF: Internal Port Scanning
SSRF: Protocol Smuggling (gopher/file)
RCE: Remote Code Execution via Injection Chain
RCE: Template Injection to Code Execution
RCE: Unsafe Eval Usage
RCE: Command Injection via Environment Variables
RCE: Dependency Confusion Attack
CONFIG: Default Credentials
CONFIG: Hardcoded Secrets in Frontend
CONFIG: Exposed Admin Panel
CONFIG: Insecure Feature Flags
CONFIG: Insecure API Versioning
#BugBounty #WebSecurity #AppSec #ApplicationSecurity #InfoSec #CyberSecurity #EthicalHacking #Hacking #Pentesting #Pentest #RedTeam #BlueTeam #BrokenAccessControl #BAC #IDOR #AuthBypass #PrivilegeEscalation #API #APISecurity #OWASP #OWASPTop10 #OWASPAPI #XSS #CSRF #SQLi #NoSQLi #SSTI #RCE #SSRF #LFI #RFI #PathTraversal
Raviii retweeted
Behi
Behi@Behi_Sec·
These are Google dorks I always try first:
- site:.google .com intext:target
- site:zendesk .com target
- site:.portal.swaggerhub .com target
- site:hubspotusercontent-na1 .net target
You never know what you'll find.
Raviii retweeted
Gospel
Gospel@4osp3l·
DAY 35/365 Another day learning from others' experiences; these writeups hit differently.
medium.com/@zack0x01_/business-logic-vulnerability-lead-to-pii-theft-account-take-over-b5b68a679c19
matitanium.medium.com/account-takeov…
medium.com/@youssefbughunter/how-i-found-a-critical-sql-injection-in-mercedes-benz-my-first-write-up-cb9c4c1fb7f3
medium.com/@bakkar0x/how-i-escalated-simple-html-injection-to-ssrf-via-pdf-rendering-682ea94b3194
medium.com/@cybervolt/how-i-found-a-3-000-bug-using-just-recon-18dd88e827ae
medium.com/@asharm.khan7/1500-bounty-how-i-bypassed-403-forbidden-and-gained-access-to-the-intranet-portal-3464f29f4ddb
medium.com/legionhunters/…
infosecwriteups.com/how-i-found-a-…
mchklt.medium.com/how-i-got-rce-…
Raviii retweeted
Coffin
Coffin@lostsec_·
instead use this way~
cat domains.txt | httpx-toolkit -silent -sc -td | grep -Ei "Next\.js|React"
cat domains.txt | httpx-toolkit -silent -sc -td | grep -Ei "Next\.js|React" | awk '{print $1}' | nuclei -t .local/nuclei-templates/http/cves/2025/CVE-2025-55182.yaml -silent
after this use manual payloads+bypass methods or simply use extension..
Intigriti@intigriti
Testing for React2Shell can be as easy as: 1. Running HTTPX to identify NextJS targets 2. Passing the list of targets to React2shell-scanner 3. Verify & report results 🤠 More in next post! 👇
Raviii retweeted
Behi
Behi@Behi_Sec·
I found an IDOR on a program. They paid me $5,000. Twice. Here is the story: 🧵
Raviii retweeted
Behi
Behi@Behi_Sec·
In the last 5 years, I have tested 50+ bug bounty tools... Each has its own superpower. Here is the MEGA list of bug bounty tools you need to bookmark: 🧵
Raviii retweeted
Janlele91 🇻🇳
Janlele91 🇻🇳@janlele91·
Just published the very first writeup on my biggest P1 bounty 1️⃣ Check it out: medium.com/@bugbounty0901/oauth-authentication-bypass-leading-to-pii-disclosure-5d243b62d532 #bugbounty #oauth2
Raviii retweeted
the_IDORminator
the_IDORminator@the_IDORminator·
Let's talk manual testing for IDORs. I have pasted a payload from a redacted T-Mobile API below. It does not have a bug (that I am aware of) on it; I want to use this for educational purposes because it's a great teaching opportunity.
A: This is a URI path parameter representing an organization ID. You need to tinker with this.
B: The request does not ask for URI parameters, but what if you give it some anyway and something changes?
C: Changing things like usernames or ID values in cookies can result in behavioral changes.
D: Play with the Authorization Bearer token. Does it check signature? Can you change data in it and it still works? If so... very bad. Is it even using the token, or does it use a cookie instead?
E: It's saying this is "upgrade-app". What does that mean? What are other values? What does changing it do?
F: This is the organization ID. It's the same as in the URI path. If you change both at the same time, does it work? If you change one but not the other, does it work? Are they checked against each other?
G: What does this header mean? It has a JWT format in it? Tinker.
H: The API type is declared. Can it be changed? If so, can we alter the backend destination? Hrmm.
I: Why is my email address in a header? Can I change it to someone else's? Does it check it?
J: IDP type, interesting. What are the other values it accepts?
K: You get the idea by now, the app name needs to be tinkered with. What does it do?
L: Oh look, my user ID. I wonder if it's validated against the organization in the URI or header, or payload body?
M: My user ID again. What happens if I change M but not L, or L but not M, or change both, or leave both, or one blank, or null?
N: Account number. Is this validated against org, user, neither, both?
O: OrgID again, also in F and A. 3 places. Are all 3 checked? Is only 1 checked? Are any checked? Why is life so hard?
If you take nothing else away from this, understand the complexity in possible combinations/permutations of potential testing for a SINGLE POST on a SINGLE API end point. This is the way. Oh, yea, and you have to check every single one for SQLi, SSRF, and code execution. Duh. 🤣 #hacking #bugbounty #infosec
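The post above lists the places where one identifier is repeated across a single request (org ID in path, header and body; user ID in header and body; email in a header; a bearer token carrying the same claims) and asks which copies the backend actually checks. The example below is the defender's answer to that checklist: an added illustration written for this page, not the_IDORminator's code and not the T-Mobile API. It shows a minimal server-side authorizer that verifies the token signature first (point D, with the algorithm pinned), then requires every client-supplied copy of the org ID (A, F, O), user ID (L, M) and email (I) to agree with the signed claims, and finally looks the account (N) up server-side instead of trusting the body. Blank, null or missing copies fail rather than pass (M). The header and field names, the HMAC key, the ownership table and the sample request are all constructed for the demo.

```python
"""Server-side checks for the identifiers the_IDORminator enumerates (A-O).

Added example, not the_IDORminator's code and not the T-Mobile API's.  Header
and field names (X-Org-Id, X-User-Id, X-User-Email, org_id, user_id,
account_id), the demo key, the token and the ownership table are constructed.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SIGNING_KEY = b"demo-hmac-key-not-for-production"  # constructed demo secret
# Constructed ownership table: account -> (org_id, user_id) that owns it.
ACCOUNTS = {"acct-555": ("org-7", "u-100"), "acct-556": ("org-9", "u-200")}


@dataclass
class Request:
    path_org_id: str  # A / O: org ID in the URI path
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, object] = field(default_factory=dict)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Demo-only HS256 minting so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def swap_payload(token: str, claims: dict) -> str:
    """Test fixture for point D: new payload, old signature kept unchanged."""
    header, _, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Point D: return claims only if the HS256 signature verifies; pin the alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion variants
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None


def same(*values) -> bool:
    """True only if every value is a non-empty string and all are identical,
    so a blank, null or missing copy (point M) fails instead of passing."""
    return all(isinstance(v, str) and v for v in values) and len(set(values)) == 1


def authorize(req: Request) -> Tuple[bool, str]:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "no bearer token"
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return False, "bad token signature"
    # A, F, O: org ID in path, header and body must all equal the token's org.
    if not same(req.path_org_id, req.headers.get("X-Org-Id"),
                req.body.get("org_id"), claims.get("org_id")):
        return False, "org id mismatch"
    # L, M: user ID in header and body must equal the token subject.
    if not same(req.headers.get("X-User-Id"), req.body.get("user_id"), claims.get("sub")):
        return False, "user id mismatch"
    # I: the email header is redundant with the token and is never trusted alone.
    if not same(req.headers.get("X-User-Email"), claims.get("email")):
        return False, "email mismatch"
    # N: the account must belong to this org *and* this user, looked up server-side.
    if ACCOUNTS.get(str(req.body.get("account_id"))) != (claims["org_id"], claims["sub"]):
        return False, "account not owned by caller"
    return True, "ok"


def good_request() -> Request:
    """Constructed legitimate request: every copy of each ID agrees with the token."""
    token = mint_token({"sub": "u-100", "org_id": "org-7", "email": "alice@example.com"})
    return Request(
        path_org_id="org-7",
        headers={"Authorization": "Bearer " + token, "X-Org-Id": "org-7",
                 "X-User-Id": "u-100", "X-User-Email": "alice@example.com"},
        body={"org_id": "org-7", "user_id": "u-100", "account_id": "acct-555"},
    )


if __name__ == "__main__":
    req = good_request()
    print("legit:", authorize(req))
    req.body["org_id"] = "org-9"  # change F but not A or O
    print("body org swapped:", authorize(req))
```

The design choice worth noting is that the signed token is the single source of truth and every other copy is merely required to agree with it; the redundant copies are then harmless, because a mismatch in any one of them denies the request. A test suite built around this function is the blue-team mirror of the post's checklist: each letter becomes one mutation of the good request that must be rejected.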