Ahmed🇵🇸𓋹𓆃

671 posts


@junior0x01

Your limit is where you decide to stop𓆃 https://t.co/qpDDQlJ0MH

Joined July 2019
2.2K Following, 95 Followers
Pinned Tweet
Ahmed🇵🇸𓋹𓆃@junior0x01·
@souljamusicc I do drawing and murals, and I'm an amateur photographer. This is my work.
Ahmed🇵🇸𓋹𓆃 retweeted
Tur.js@Tur24Tur·
I just earned $9,000 from a single @Bugcrowd target. 2x P2 Broken Access Control on a 7-year-old public program. To anyone hunting for bugs: don't skip old programs. The surface changes, APIs get updated, new endpoints get deployed. Fresh bugs appear on old targets all the time. #bugbounty #infosec #bugcrowd
Ahmed🇵🇸𓋹𓆃 retweeted
JS0N Haddix@Jhaddix·
A thread🧵 💸Secrets of automation-kings in bug bounty💸 Finding 1day (or 1month) web exploits that haven't made their way into scanners yet can make you big money. Read more to understand where and how to get an edge in this area! 🚨Retweet, follow, & like for more! 🚨 1/x
Ahmed🇵🇸𓋹𓆃@junior0x01·
@the_IDORminator Hello there. I just want to say that you can select a single column from any page by holding **Ctrl** and, while holding it, dragging the mouse to select that whole column, then pressing **Ctrl+C** 🙊🔥🔥
the_IDORminator@the_IDORminator·
Let's talk manual testing for IDORs. I have pasted a payload from a redacted T-Mobile API below. It does not have a bug (that I am aware of) on it; I want to use this for educational purposes because it's a great teaching opportunity.
A: This is a URI path parameter representing an organization ID. You need to tinker with this.
B: The request does not ask for URI parameters, but what if you give it some anyway and something changes?
C: Changing things like usernames or ID values in cookies can result in behavioral changes.
D: Play with the Authorization Bearer token. Does it check the signature? Can you change data in it and it still works? If so... very bad. Is it even using the token, or does it use a cookie instead?
E: It's saying this is "upgrade-app". What does that mean? What are the other values? What does changing it do?
F: This is the organization ID. It's the same as in the URI path. If you change both at the same time, does it work? If you change one but not the other, does it work? Are they checked against each other?
G: What does this header mean? It has a JWT format in it? Tinker.
H: The API type is declared. Can it be changed? If so, can we alter the backend destination? Hrmm.
I: Why is my email address in a header? Can I change it to someone else's? Does it check it?
J: IDP type, interesting. What are the other values it accepts?
K: You get the idea by now; the app name needs to be tinkered with. What does it do?
L: Oh look, my user ID. I wonder if it's validated against the organization in the URI or header, or payload body?
M: My user ID again. What happens if I change M but not L, or L but not M, or change both, or leave both, or one blank, or null?
N: Account number. Is this validated against org, user, neither, both?
O: OrgID again, also in F and A. 3 places. Are all 3 checked? Is only 1 checked? Are any checked? Why is life so hard?
If you take nothing else away from this, understand the complexity in possible combinations/permutations of potential testing for a SINGLE POST on a SINGLE API endpoint. This is the way. Oh, yea, and you have to check every single one for SQLi, SSRF, and code execution. Duh. 🤣 #hacking #bugbounty #infosec
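As an added example (not code from the thread or from T-Mobile's API), this Python sketch shows the server-side check that annotations A/F/O, L/M and D are probing for: the org ID in path, header and body and both user IDs in the body must all agree with the claims of a JWT whose signature was verified first, otherwise the request is denied. The header name X-Org-Id, the body field names, the claim names and the HS256 shared key are assumptions made for the example.

```python
# Added example, not the thread's or T-Mobile's code: the server-side
# cross-check that annotations A/F/O (org ID), L/M (user ID) and D (JWT)
# probe for. Header/field names and the HS256 key are assumptions.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a demo HS256 JWT (constructed for this example)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, key: bytes = SECRET):
    """Return the claims only after the signature checks out (point D)."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return None

def sample_request(path_org, hdr_org, body_org, user_a, user_b, token):
    """Constructed request in the shape the thread annotates (A, F, O, L, M)."""
    return {"path_org": path_org,
            "headers": {"Authorization": f"Bearer {token}", "X-Org-Id": hdr_org},
            "body": {"orgId": body_org, "userId": user_a, "accountOwnerId": user_b}}

def authorize(req: dict, key: bytes = SECRET):
    """Deny unless every org and user reference agrees with the verified token."""
    auth = req["headers"].get("Authorization", "")
    claims = verify_token(auth.removeprefix("Bearer "), key)
    if claims is None:
        return False, "bad or unsigned token"
    body = req["body"]
    if {req["path_org"], req["headers"].get("X-Org-Id"), body.get("orgId")} != {claims.get("org")}:
        return False, "org id mismatch across path/header/body/token"
    if {body.get("userId"), body.get("accountOwnerId")} != {claims.get("sub")}:
        return False, "user id mismatch against token subject"
    return True, "ok"
```

Every one of the 3 org references and both user references is compared against the token rather than against each other, so changing "one but not the other" (F, M) and changing all of them together (O) are both rejected.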
إياد الحمود@Eyaaaad·
This is what air traffic looked like over the past few hours above Asia, Africa and Europe. For Ukraine and the region between Iran and Palestine, the reason the skies above them are empty is known... but the clever one will answer this question: there is a large area in China that planes do not fly over all year round... why?
Emelia@emy21S·
May 26th 2025