Hike

720 posts

@hackrkid

Aspiring ethical hacker 🖥️ | Cybersecurity learner ♻️ | Chess noob ♟️ | Documenting my journey to regain control & build the life I want.

Joined May 2022
82 Following · 307 Followers
Pinned Tweet
Hike@hackrkid·
I’m Hike. Master’s student in Cybersecurity, obsessed with webapp pentesting and bug bounties. I’ve been a course-hunter: starting, stopping, repeating. This time I’m stripping back to fundamentals and focusing on steady progress. I’ll post wins, failures, tools, and notes.
Hike retweeted
Ben Sadeghipour@NahamSec·
Super excited to release our latest Broken Access Control (BAC) Masterclass on @hackinghub_io with 2 hours of content and almost 20 labs. I'm giving away 3 free seats to anyone who comments, reposts, and replies to this post. Drop a 🔥 below! More info 👉🏼 hhub.io/BAC2026
Hike@hackrkid·
@4osp3l Nice, I usually check if any cookies are set before any 2FA.
Gospel@4osp3l·
Triaged 🔥 I didn’t even expect to find this vulnerability today because I had already tested this subdomain a few months ago and never came across the OTP bypass at the time. Earlier today, I decided to revisit some of my old reports and stumbled on the subdomain again, so I thought of giving it another shot. That was when I suddenly found a valid OTP bypass.

Here’s how it worked: I created an account as a victim user and logged in. After login, I was redirected to a page showing a message similar to “Verify OTP to Continue.” I tried directly accessing user profile pages and other authenticated endpoints, but the application blocked access from the UI because the OTP verification was still pending. I then turned on Burp Suite intercept and captured the GET request made from the OTP verification page. The request already contained the authenticated session cookie, and by replaying that request manually, I was able to access functionality that should have required successful OTP verification. Using the same authenticated session, I was able to perform actions such as modifying account data (i.e. email, which could potentially lead to ATO), which was not possible directly through the application interface before completing the OTP step.
Gospel@4osp3l

You must be curious

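The gate described in Gospel's post, modelled as an added example that is not from the post and not the affected site's code (whose implementation is unknown). It is plain Python with no web framework so it runs offline: the server issues a fully privileged session cookie at password login and relies on the UI redirect to hold the user on the OTP page, so replaying that cookie straight at a protected endpoint (what Burp Repeater did in the post) succeeds. The same class with `enforce_otp=True` shows the fix: a server-side `otp_verified` flag checked in one place for every protected route. The user store, cookie format, OTP value and endpoint paths are all constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    otp_verified: bool = False  # only the hardened app consults this


class App:
    """Stand-in for the web app: requests are (cookie, path, params)."""

    def __init__(self, enforce_otp: bool):
        self.enforce_otp = enforce_otp
        # Constructed user store for the example, not real credentials.
        self.users = {"victim": {"password": "hunter2", "email": "victim@example.com"}}
        self.sessions = {}     # cookie -> Session
        self.pending_otp = {}  # cookie -> OTP still to be entered

    def login(self, username, password):
        """Password step. Returns (status, cookie)."""
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return 401, None
        # The flaw: a cookie the rest of the app treats as authenticated is
        # issued here, before the OTP has been checked.
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(user=username)
        self.pending_otp[cookie] = "123456"  # constructed OTP, sent out of band in reality
        return 302, cookie  # browser is redirected to "Verify OTP to Continue"

    def verify_otp(self, cookie, code):
        """OTP step. Returns an HTTP-style status."""
        session = self.sessions.get(cookie)
        if session is None:
            return 401
        if not secrets.compare_digest(self.pending_otp.get(cookie, ""), code):
            return 403
        session.otp_verified = True
        del self.pending_otp[cookie]
        return 200

    def _authorize(self, cookie):
        """The one gate every protected route goes through."""
        session = self.sessions.get(cookie)
        if session is None:
            return None
        # Hardened form: the second factor is enforced server-side, so a
        # replayed cookie gets the same 403 the UI redirect only pretended to give.
        if self.enforce_otp and not session.otp_verified:
            return None
        return session

    def handle(self, cookie, path, params=None):
        """Dispatch a request. Returns (status, body)."""
        params = params or {}
        session = self._authorize(cookie)
        if session is None:
            return 403, None
        if path == "/profile":
            return 200, {"user": session.user, "email": self.users[session.user]["email"]}
        if path == "/profile/email":
            # The ATO primitive from the post: change the email on an account
            # whose OTP step was never completed.
            self.users[session.user]["email"] = params["email"]
            return 200, {"email": params["email"]}
        return 404, None


def replay_before_otp(enforce_otp):
    """Log in, skip the OTP page, replay the cookie at a protected endpoint.
    Returns True if the email change went through without the OTP."""
    app = App(enforce_otp=enforce_otp)
    status, cookie = app.login("victim", "hunter2")
    assert status == 302 and cookie
    status, _ = app.handle(cookie, "/profile/email", {"email": "attacker@example.com"})
    return status == 200 and app.users["victim"]["email"] == "attacker@example.com"


def full_flow_after_otp(enforce_otp):
    """Control case: completing the OTP must still unlock the account."""
    app = App(enforce_otp=enforce_otp)
    _, cookie = app.login("victim", "hunter2")
    assert app.verify_otp(cookie, "000000") == 403  # wrong code is rejected
    assert app.verify_otp(cookie, "123456") == 200
    status, _ = app.handle(cookie, "/profile")
    return status


if __name__ == "__main__":
    print("vulnerable app bypassed:", replay_before_otp(False))  # True
    print("hardened app bypassed:", replay_before_otp(True))     # False
    print("hardened app after OTP:", full_flow_after_otp(True))  # 200
```

The practical check this encodes is the one Hike mentions in the reply above: after the password step and before entering the OTP, note any cookie that was set and send it to an endpoint the UI refuses to show you. If the response is not the same rejection the OTP page gives, the second factor is decorative.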
Hike@hackrkid·
@4osp3l Yeah, it would be good if you shared some info on the technique. I found a CSRF but it's blocked by the X-Requested-With header, any known bypass for this?
Hike@hackrkid·
@4osp3l Another month for the fix, one more for bounty assignment and 1+ more for bounty payment. My report from Jan just got cleared up. Anyway, good work 😁
Gospel@4osp3l·
After a month 🔥
Hike@hackrkid·
@termireum Okay, I will try, thanks 😇
termireum@termireum·
@hackrkid RSC Security Analyzer, you can find it on GitHub.
Hike retweeted
🚨 As of tomorrow I am permanently reducing my course cost by 50% to $100 so more people have access to it and can get those bounties while they are still hot. And yes, they are still hot. The internet is still full of stupid problems waiting to be found for those looking, at least for now... t.co/HsobzB2lOi

I suspect we have about 2 years of decent #bugbounty hunting left before most companies have access to and properly leverage the tools like Mythos that effectively replace "most" hackers. Using the EXACT methods in this course, I found 20+ critical bugs on a target in a matter of hours the other day. Nothing fancy. The internet is just too dang big to fix and patch in a small amount of time, even if AI is finding the bugs. Internal legacy human processes with 500 steps are still bottle-necking remediation.

What the bug bounty world becomes next is anyone's guess. My suspicion: hackers will be paid flat rates for hacking and/or patching targets any way they can (be it AI, manually, or both). So, here's to the next evolution of hacking, which is hopefully round-table LHEs where we all work together on targets to harden them as best as possible, instead of working against each other to try to "be the best hacker".

Re-post for a chance to win 1 of 5 course coupons for a giveaway on May 14th. I'll have Grok pick the winners.
Hike@hackrkid·
@4osp3l It took them 3 months from initial report to bounty confirmation alone; now another month and still waiting for payment.
Hike retweeted
Bug Bounty Village@BugBountyDEFCON·
IT'S GIVEAWAY SEASON! We will pick 6 winners to win one of the following: 1x Annual VIP Hack The Box Licence 5x Pentesterlab 3 Month Licences To enter: 1️⃣ Follow us @BugBountyDefcon 2️⃣ Like this post ❤️ 3️⃣ Tag 3 hacker friends in the comments 4️⃣ Retweet this post 🔁 Giveaway open until Thursday May 14th! GOOD LUCK!
Hike@hackrkid·
@syaedowais Yeah, I hope I can land a good job.
Owais@syaedowais·
@hackrkid Thanks man, all the best
Hike@hackrkid·
@hamedNiazi00 I got two of my bounties from self-managed bug bounty programs. If you ask what helped me find those: just test every functionality and try to see what it does.
hamedniazi@hamedNiazi00·
@hackrkid Nice, that’s a solid start. What platforms did you focus on and what skills helped you find your first bugs?
Hike@hackrkid·
I have something planned for next month. It will be the one crucial month that's gonna decide my future.
Hike@hackrkid·
@hamedNiazi00 I didn't earn per month; in total I got $600 so far from bug bounty in the past 4 months.
hamedniazi@hamedNiazi00·
@hackrkid How much do you earn per month from bug bounty since you started?
Paradox hunt (N.u)@hunt_n27493·
Yay! I got a bounty again 🤑 Will hit more stuff this month.
Hike@hackrkid·
Is it just me or is the AI hype slowing down? 🙃