hesar

Hey dear hackers! 🐞 New write-up dropped! I believe write-ups should help our community grow, just as we’ve learned from others’ work. Hope you learn something from this! #BugBounty #CyberSec hesar101.github.io/posts/How-I-fo…

The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top-1…

Footage published by Iran International which appears to show multiple bodies laying on the ground outside Alghadir Hospital in Eastern Tehran, following massive anti-government protests in the capital overnight on Thursday.

As a security professional, I usually don’t tweet about daily news. But this time, it’s about people’s lives. The Islamic Republic has shut down the internet and phone services and is massacring people :))

Really disappointed to see @Hacker0x01 do this. I also had a similar interaction with h1 about a month ago where they questioned my nationality and place of residence after 10+ on the platform.

@samm0uda @YShahinzadeh @Hacker0x01 @Bugcrowd @intigriti @immunefi @HackenProof @StandoffBB @jobertabma The least that can be done is to provide a proper and clear response. This behavior is very discouraging.

Due to the repeated screw-ups and zero transparency around bans by @Hacker0x01, I’ve chosen to leave with dignity. My account is now fully deactivated and to be removed. If you need my services, I’m still available at @Bugcrowd @intigriti @immunefi @HackenProof @StandoffBB

@samm0uda @Hacker0x01 @Hacker0x01 @jobertabma Yashar is one of the best hunters I know. What you did without transparency is very disappointing and can be discouraging, especially for those who look up to Yashar and other top-ranked hunters on H1 as role models. Please review this matter.

@Hacker0x01 is now banning people without explanation or providing how the terms and conditions were violated. While other platforms are advancing, H1 revolutionary new vision is to track hackers on social media, make assumptions and ban them without a real proof.

I'm flying out to #romhack2025 tomorrow, for the final edition of HTTP/1.1 Must Die! Feel free to say hi if you'd like to chat.

@NedWilliamson I need help to understand this one!

I didn't know how to explain it at the time but we have words for my bug report now: I used the SSDP RFC -> LLM-generated EBNF grammar -> vibe-coded Rust compiler for EBNF to Protobuf -> vibe-coded C++ frontend -> vibe-coded root cause -> vibe-coded report issues.chromium.org/issues/40070891

@deadvolvo Yo congrats bro! 😍 Drop some pics when you set it up 🫠

Got my lab hardware... now to setup a dedicated space for it and being setting everything up. 🔥

@deadvolvo cybersect.substack.com/p/that-secret-…

cbsnews.com/news/u-s-secre… At first I thought this may be some kind of shady VoIP operation, it was taking place across multiple abandoned apartments, which makes powering ~300 SIM servers with thousands of SIMS *VERY*suspect.

@albinowax @sw33tLie Tnx for sharing :)) Maybe we could call it self-poisoning :))

HTTP Request Smuggler v3.0.1 is now live! This fixes a false positive in the CL.0 scan caused by pipelining - thanks to @sw33tLie for the report. Note that the new parser discrepancy scan still has superior accuracy. For more info on pipelining check out portswigger.net/research/how-t…

@deadvolvo @Akamai Congrats man ✨

Today I join @Akamai as a Senior Security Researcher and I am very excited to keep pushing the boundaries of both offensive and defense research to help make the internet a little harder for the bad guys to break. 🔥🥲😜

@safasafari3 :)))

@safasafari3 یه سینگل پکتمون نشه ؟ جالب تر اینکه خودش صفر میشه ، اسکریپت نوشتن براش ، از روشای کنترل ریس کاندیشنه

اینا رو ول کنید باید از روبیکا و شاد یاد بگیرین هر ۵ ثانیه درخواست بزنه به سرور که پیام جدیدی اومده یا نه =)))

@jusxing Good work man ;))

Last month, I found a 0-click account takeover with a very simple match-and-replace trick Sometimes applications have different API endpoints for different functions. For authentication, developers often use session cookies or exchange tokens. In some cases, if the main session is deleted, the application falls back to using another cookie or a unique ID in the headers for authentication By inspecting the JavaScript and requests, I noticed this behavior. If the main session wasn’t available, the app would accept the unique ID in the header and automatically set new cookies So, I deleted the main session and simply replaced the header with the unique ID — which led to account takeover

@696e746c6f6c lol🤣🤣

@i7z00_ @Hacker0x01 congrats! Hope your next bounty has an extra zero! 🚀

الحمدلله I have earned 5,000 for a critical vulnerability reported at hackerone. @Hacker0x01 hackerone.com/izz00

I was expecting this after i saw @albinowax post on HTTP pipelining, haha; btw @intigriti triage team are just nice.

@sunilyedla2 🫡🖤

@hesar101 Good find buddy and nice writeup 👍

Hey dear hackers! 🐞 New write-up dropped! I believe write-ups should help our community grow, just as we’ve learned from others’ work. Hope you learn something from this! #BugBounty #CyberSec hesar101.github.io/posts/How-I-fo…