S4NDY🇮🇳

460 posts

@darkrider758

cybersecurity enthusiast bug hunter #hacker

INDIA. Joined September 2020
556 Following, 104 Followers
S4NDY🇮🇳 reposted
Bour Abdelhadi (@BourAbdelhadi)
rep+ in action 🧙‍♂️ Found a leaked Supabase anon JWT, checked RLS, and discovered the token had read access to all tables, including full database PII. This also enabled account takeover, not just data exposure. Full write-up and tooling 👇 bour.ch/how-rep-helped… Discovered while testing Kingfisher (@micksmix0), target discovered via trustmrr by @marclou
S4NDY🇮🇳 reposted
pederzh (@pederzh)
⚠️NPM MALWARE ALERT: More than 300 npm packages contain a fake Bun runtime. These packages imported a preinstall: node setup_bun.js, and an obfuscated bun_environment.js. It runs a script that:
- Downloads and executes TruffleHog, a legitimate secret scanner
- Searches host systems for tokens and cloud credentials
- Validates discovered developer and CI credentials
- Creates unauthorized GitHub Actions workflows within repositories
- Exfiltrates sensitive data to a hardcoded webhook endpoint
- Looks for environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.
Since it's a worm, it replicates itself.
How to know if you've been infected?
- Check if you have new GitHub repos on your profile with the description: "Sha1-Hulud: The Second Coming."
- Check your npm packages if they contain `bun_environment.js`.
Let's spread this!
Arsen (@arsen_bt)
You can become a successful auditor if you are ready to work hard. That's why I'm sharing my Web3 Security Book: • Where to focus. • How to learn the right way. • How to earn and progress. Follow & comment "Security" and I'll DM it to you for free!
S4NDY🇮🇳 reposted
th3Ripp3r (@rajeshsagar777)
ffuf interactive mode is really awesome and a timesaver. If you don't know about this, you are probably wasting a lot of time just by pressing "ctrl+c" every time. So I wrote a detailed article on the same. Hope you enjoy: medium.com/@ugs20b126_cic.rajesh/ffuf-interactive-mode-fuzzing-made-easy-8d29fd9b5ab3 #bugbounty #ffuf #fuzzing
S4NDY🇮🇳 reposted
the_IDORminator (@the_IDORminator)
Let's talk manual testing for IDORs. I have pasted a payload from a redacted T-Mobile API below. It does not have a bug (that I am aware of) on it; I want to use this for educational purposes because it's a great teaching opportunity.
A: This is a URI path parameter representing an organization ID. You need to tinker with this.
B: The request does not ask for URI parameters, but what if you give it some anyway and something changes?
C: Changing things like usernames or ID values in cookies can result in behavioral changes.
D: Play with the Authorization Bearer token. Does it check signature? Can you change data in it and it still works? If so... very bad. Is it even using the token, or does it use a cookie instead?
E: It's saying this is "upgrade-app". What does that mean? What are other values? What does changing it do?
F: This is the organization ID. It's the same as in the URI path. If you change both at the same time, does it work? If you change one but not the other, does it work? Are they checked against each other?
G: What does this header mean? It has a JWT format in it? Tinker.
H: The API type is declared. Can it be changed? If so, can we alter the backend destination? Hrmm.
I: Why is my email address in a header? Can I change it to someone else's? Does it check it?
J: IDP type, interesting. What are the other values it accepts?
K: You get the idea by now, the app name needs to be tinkered with. What does it do?
L: Oh look, my user ID. I wonder if it's validated against the organization in the URI or header, or payload body?
M: My user ID again. What happens if I change M but not L, or L but not M, or change both, or leave both, or one blank, or null?
N: Account number. Is this validated against org, user, neither, both?
O: OrgID again, also in F and A. 3 places. Are all 3 checked? Is only 1 checked? Are any checked? Why is life so hard?
If you take nothing else away from this, understand the complexity in possible combinations/permutations of potential testing for a SINGLE POST on a SINGLE API end point. This is the way. Oh, yea, and you have to check every single one for SQLi, SSRF, and code execution. Duh. 🤣 #hacking #bugbounty #infosec
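The defender's side of the post above, as an added example that is not the poster's code: the server takes org and user identity from the verified session and treats every copy the client sends (path, header, body, nested body) as something that must agree with it, so the A/F/O, L/M and N combinations the thread lists cannot diverge. The header names, field names and membership table are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed membership table standing in for the real org/IdP store:
# org -> user -> accounts that user may touch.
ORG_MEMBERS = {
    "org-100": {"user-1": {"acct-1"}, "user-2": {"acct-2"}},
    "org-200": {"user-3": {"acct-3"}},
}


@dataclass(frozen=True)
class Session:
    """Identity established from the verified bearer token, never from the request."""
    user_id: str
    email: str
    org_id: str


def _nested(body: dict, key: str, sub: str):
    inner = body.get(key)
    return inner.get(sub) if isinstance(inner, dict) else None


def authorize(session: Session, path_org: str, headers: dict, body: dict):
    """Return (True, "ok") or (False, reason).

    Every copy of an org or user identifier the client sends must equal the
    session-bound value; absent copies are tolerated, blank or mismatched
    ones are not. The account number must belong to that user in that org.
    """
    org_claims = {
        "path": path_org,
        "header.X-Org-Id": headers.get("X-Org-Id"),          # assumed header name
        "body.orgId": body.get("orgId"),
        "body.organization.id": _nested(body, "organization", "id"),
    }
    user_claims = {  # claim -> value it must equal
        "header.X-User-Email": (headers.get("X-User-Email"), session.email),  # assumed
        "body.userId": (body.get("userId"), session.user_id),
        "body.user.id": (_nested(body, "user", "id"), session.user_id),
    }
    for where, claim in org_claims.items():
        if claim is not None and claim != session.org_id:
            return False, f"org mismatch in {where}"
    for where, (claim, expected) in user_claims.items():
        if claim is not None and claim != expected:
            return False, f"user mismatch in {where}"
    accounts = ORG_MEMBERS.get(session.org_id, {}).get(session.user_id)
    if accounts is None:
        return False, f"{session.user_id} is not a member of {session.org_id}"
    account = body.get("accountNumber")
    if account is not None and account not in accounts:
        return False, f"account {account} not owned by {session.user_id} in {session.org_id}"
    return True, "ok"
```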
S4NDY🇮🇳 reposted
Het Mehta (@hetmehtaa)
don't leave babe, I'll find next critical soon
S4NDY🇮🇳 reposted
Ahmet Barut (@ahmtbrt07)
bugTricks # Password Reset Functionality Testing #
email=victim@gmail.com
1- Try email=attacker@gmail.com
2- Try email=victim@gmail.com,attacker@gmail.com
3- Try email=victim@gmail.com&email=attacker@gmail.com
4- Try email=victim@gmail.com,cc: attacker@gmail.com
5- Try email=victim@gmail.com\ncc: attacker@gmail.com
6- Try {"email": "victim@gmail.com", "email":"attacker@gmail.com"}
7- Try {"email": ["victim@gmail.com", "attacker@gmail.com"]}
8- Try email=“victim@mail.tld$%0a%0d$cc: attacker@mail.tld” --> Hussein Daher ThreatCon Fuzzing Technique
9- Try user[email][]=victim@gmail.com&user[email][]=attacker@gmail.com --> CVE-2023-7028
I've shared my own experience and approach, as well as the approach of elite hunters. I hope you find it helpful. Thanks @nahamsec @HusseiN98D 🙏 #BugBounty #EthicalHacking #CyberSecurity
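How a reset endpoint can refuse every variant in the list above, as an added example that is not the poster's code: the parameter is extracted so that a second `email` key, a nested `user[email][]` array, a comma list, a CRLF-smuggled `cc:`, a duplicated JSON key or a JSON array all fail before any mail is built. The strict address pattern is an assumption.

```python
import json
import re
from urllib.parse import parse_qsl

FORM = "application/x-www-form-urlencoded"
JSON_CT = "application/json"
# Assumed strict single-address shape: no whitespace, commas or control characters.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _reject_duplicate_keys(pairs):
    """json.loads hook: refuse objects that repeat a key (last-wins parsers hide this)."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key}")
        seen.add(key)
    return dict(pairs)


def extract_reset_email(body: bytes, content_type: str) -> str:
    """Return exactly one validated recipient address or raise ValueError."""
    if content_type.startswith(JSON_CT):
        data = json.loads(body.decode("utf-8"), object_pairs_hook=_reject_duplicate_keys)
        if not isinstance(data, dict):
            raise ValueError("JSON body must be an object")
        value = data.get("email")
    else:
        pairs = parse_qsl(body.decode("utf-8"), keep_blank_values=True)
        # "email" itself or any nested form key such as user[email][]; one hit only.
        hits = [v for k, v in pairs if k == "email" or "[email]" in k]
        if len(hits) != 1:
            raise ValueError(f"expected exactly one email parameter, got {len(hits)}")
        value = hits[0]
    if not isinstance(value, str):
        raise ValueError("email must be a single string")
    # CR/LF, commas or semicolons would let a mailer append a second recipient.
    if any(c in value for c in "\r\n,;") or not EMAIL_RE.fullmatch(value):
        raise ValueError("email is not a single well-formed address")
    return value


def rejected(body: bytes, content_type: str) -> bool:
    """True when the body would be refused; convenient for regression tests."""
    try:
        extract_reset_email(body, content_type)
    except ValueError:
        return True
    return False
```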
Akash (@heyakash_ai)
The AI possibilities are ENDLESS. This channel started only 3 weeks ago, creating its own penguin stories. Views are up to 10 million. Basic editing. Straightforward scripts. Simple thumbnails. Like & Repost, reply "Story" and I'll DM you the guide. Must be following for DM.
Aiden Tech (@Aiden_Tech_Ai)
You can make $25,555 per month, if you have: 1. Internet 2. Laptop 3. 2 hrs a day I'm sharing my EXACT blueprint. It's absolutely FREE: Like & reply “SEND” and I’ll DM you my free.
S4NDY🇮🇳 reposted
Intigriti (@intigriti)
We just dove into our shelf of archived bug bounty write-ups from the most notable hackers! 🤠 In this issue, we selected 5 compelling articles (that are still relevant today) to share with you, from which you can learn something new! 😎 🧵 👇
S4NDY🇮🇳 reposted
The XSS Rat - Proud XSS N00b :-)
🐀 Top 100 Missed Bugs by Bounty Hunters (real report inspo)
🌐 Web Bugs
1. Open Redirect in OAuth
2. Stored XSS in Markdown
3. DOM XSS in legacy
4. Clickjacking state changes
5. CSRF on JSON endpoints
6. CRLF injection
7. Host header injection → cache poison
8. Bad CORS (null origin/wildcard+creds)
9. Exposed .git dirs
10. Template injection (Jinja2/Twig)
🔌 API Bugs
11. BOLA/IDOR
12. Mass assignment
13. Verbose errors (stack traces)
14. JWT alg=none bypass
15. No rate limiting
16. Replay attacks
17. GraphQL introspection on
18. GraphQL batch auth bypass
19. Forgotten SOAP APIs
20. Shadow APIs
🔑 Auth/Session
21. Reset poisoning (Host header)
22. Tokens never expiring
23. Weak magic links
24. Brute-force no CAPTCHA
25. JWT sigs not validated
26. JWT leaked in logs
27. SSO misconfigs (SAML/OAuth)
28. Login CSRF
29. MFA bypass backup codes
30. Remember-me cookie hijack
🧩 Logic Flaws
31. Coupon abuse
32. Race checkout double spend
33. Role escalation
34. Invite/referral abuse
35. Refund abuse
36. Plan ID tampering
37. Premium features via API
38. Loyalty points abuse
39. Reusing expired links
40. File overwrite via ID guess
📱 Mobile
41. Hardcoded keys in APK
42. Weak SSL pinning
43. Staging endpoints in app
44. Unprotected deep links
45. Exported activities (Android)
46. Sensitive data in SQLite
47. iOS Keychain leaks
48. Feature flags exposed
49. Open Firebase DBs
50. Unsigned updates
☁️ Infra/Cloud
51. Public S3 buckets
52. Exposed GCP storage
53. Backups in /old/
54. Jenkins open
55. K8s dashboard no auth
56. Exposed .env
57. Cloud metadata SSRF
58. Forgotten staging subs
59. Weak TLS versions
60. Anonymous FTP
💥 SSRF/RCE
61. Blind SSRF in PDFs
62. SSRF via image parsing
63. SSRF in webhooks
64. XXE file read
65. Template injection → RCE
66. Old Log4j/struts
67. Command injection in scripts
68. Upload bypass double ext
69. Polyglot files
70. Insecure deserialization
🌀 Misc
71. DNS rebinding
72. Cache poison via params
73. Reset token race
74. Reflected file download
75. Clickjacking OAuth approve
76. CSP bypass via JSONP
77. Directory traversal
78. Prototype pollution
79. API keys in JS
80. Subdomain takeover
🎯 Rare/High Value
81. MX misconfig → BEC
82. SSRF → Redis/Elastic RCE
83. CI/CD leaks (GitHub Actions)
84. Swagger UI no auth
85. Weak WebSocket auth
86. Hidden GraphQL mutations
87. Beta domains exposed
88. OAuth missing state
89. CSRF in admin
90. Passwordless flow abuse
🍒 Low-Hanging Fruit
91. Info in robots.txt
92. .bak / .old backups
93. Stack traces in 500s
94. Swagger docs exposed
95. Default creds on test boxes
96. Public phpinfo()
97. Old WP plugin CVEs
98. Source maps online
99. Email enum in signup/reset
100. Directory listing
⚡️ Boring bugs = steady payouts. Sexy CVEs get clout, but these get $$$.
S4NDY🇮🇳 reposted
Sam Stepanyan (@securestep9)
@ThisIsDK999 ^This presentation is from the OWASP Global AppSec EU Conference 2015(!) in Amsterdam. I was there BTW 😀 . This talk was recorded and you can watch it 📺 here:👇 youtu.be/WQsDpYnJT6A?si…
Adam Langley (@BuildHackSecure)
Didn't get a free voucher 😭 for the new Regex For Hackers course? You've got two choices: a) I'm going to give away another 5 vouchers but you need to follow me, @hackinghub_io and like and share and comment on this post with your best GIF! Winners announced in 48 hours. b) Beat the queue and start learning straight away with a 50% off voucher code: REGEXADAM Redeem here: hhub.io/REGEXADAM
S4NDY🇮🇳 reposted
chux (@chux13786509)
Bug Hunters 🔥 Ever stumbled upon this weird message? "WebSockets request was expected" If you did, congratz! You just found a NodeJS server in debug mode, ready to quickly move on to RCE via simple DevTools 💥💥💥 Search for this message in Censys/FOFA and your automation 🤑
S4NDY🇮🇳 reposted
Harley Kimball (@infinitelogins)
This week, Disclosed. #BugBounty Spotlight on CodeRabbit Exploit, NahamSec's DEF CON vlog, Swiss Post's €230K challenge, new tools for hunters, and more. Full issue → getdisclosed.com Highlights below 👇
- @KudelskiSec details how vulnerabilities in CodeRabbit's AI code review tool led to RCE on production servers and unauthorized access to 1M repositories.
- @hakluke announces a remote job opening for Capture The Flag (CTF) challenge creators.
- @albinowax shares lessons from nine months of bug bounty research in a 40-minute talk.
- @NahamSec drops his Def Con 33 recap vlog, covering Bug Bounty Village, panels, parties, and behind-the-scenes moments.
- @yeswehack launches Swiss Post's Public Intrusion Test with rewards up to €230,000, ending August 24.
- @Hack_All_Things announces a new Zoom Hub bug bounty campaign with 1.25× bounty multipliers starting Monday.
- @Hacker0x01 teams up with @HackTheBox_eu to host an AI Red Team CTF challenge this September.
- @dropn0w announces the first HackerOne Belgium event for the bug bounty community.
- @_Zer0Sec_ earns a five-figure payout by chaining IIS tilde enumeration and legacy PDF artifacts into a PII exposure.
- @yppip shows how an unauthenticated JSON endpoint in an RPM repo led to account takeover.
- @hesar101 chains SSO misconfiguration, self-XSS, and cache poisoning into a zero-click account takeover with a five-digit bounty.
- @ElS1carius publishes a blog on exploiting Microsoft SSO flaws to achieve full account takeover.
- @almond_eu applies AFL++ to fuzz Gnome libsoup, uncovering an out-of-bounds write.
- @bugbountymarco explains finding XSS via SSRF on outdated Jira instances, replicating across multiple high-value targets.
- @medusa_0xf breaks down XXE Injection with real bug bounty report examples.
- @intruderio releases Autoswagger, an open-source scanner for broken authorization in OpenAPI endpoints.
- @_Freakyclown_ introduces JsonViewer for easier JSON data navigation.
- @yeswehack publishes guides on SQLi exploitation and path traversal techniques for bug bounty hunters.
- @sl0th0x87 investigates SSTI in Freemarker templates with file-read examples.
- @Bugcrowd posts a $250K Blind XSS guide on multi-system payload propagation.
- @dhakal_ananda shares slides on hacking Stripe integrations.
Full links, writeups & more → getdisclosed.com The bug bounty world, curated.