Jadek Mark (@mase289)
618 posts
IT Systems Administrator, Web dev, Bug hunter.
Kampala, Uganda. Joined March 2011
927 Following, 1.4K Followers
Pinned Tweet
Jadek Mark @mase289
So these are still out there? 😬 This was from a simple GET request that took a PageId parameter and returned some data in the response. #bugbounty #bugbountytip
[3 images attached]
8
18
179
39.1K
Jadek Mark retweeted
Denis Duke Woniala🇺🇬 @DenisDukeUG
Yesterday I almost learned a very expensive lesson about property transactions in Kampala. While buying property in Kawempe, the LC1 chairperson who had helped confirm ownership and draft the agreement insisted that he was entitled to a minimum of 5% of the value of the property (80M), which gives him about 4 million shillings. Since there was sufficient documentation about ownership, such as copies of the previous sales agreement (from the deceased), letter of administration (High Court Family Division), title from BLB, a copy of the will, a consent letter from the family of the deceased through their lawyer, and immediate neighbours willing to witness, we felt the 5% charge by the LC1 was really unfair. On top of the LC1 there were land brokers and other people to settle. Both the seller and I felt this was excessive, tried to negotiate and offered to facilitate his office with a modest amount of about 1M, but he declined and walked away. We later completed the transaction through a lawyer (legal firm), and that’s when we learned something important: under Ugandan law, an LC1 chairperson is not entitled to any percentage of the value of property being sold (0%). Their role is mainly administrative: witnessing, writing introduction letters, or confirming residence, and any fee is normally small and fixed, not a commission. This experience reminded me of a few things:
1. Always verify the law before agreeing to payments that “everyone says are normal.”
2. When dealing with land or property, involve a qualified lawyer and ensure proper documentation is availed and verified.
3. Sometimes the difference between losing money and protecting it is simply asking questions.
I'm quite sure that the majority of you didn't know what the law says about the LC1 and their role/entitlement during the sale of property. Anyway, let’s keep sharing information and educating one another. Knowledge is not just power, it is also protection. (Shared by one social media user.) What are your views on this?
[image attached]
194
341
1.4K
100.4K
Jadek Mark retweeted
Brute Logic @BRuteLogic
#SQL Injection Polyglots (Tested on MySQL & MariaDB) &1/*'/*"/**/||1#\ and-1/*'/*"/**/||1--+\ It performs injection on single and double quotes scenarios plus quoteless ones (where the injection lands in 2 consecutive points of the query). Use it in ALL input fields at once.
1
41
216
11.5K
Jadek Mark retweeted
Mustafa Can İPEKÇİ @mcipekci
On one of the recent engagements, the target was vulnerable to SQL injection, but the DBMS used was Oracle. During testing, we noticed that the application was filtering SELECT, AND, OR and similar keywords, along with || to prevent string concatenation. After a few attempts, I managed to bypass the application's filtering using newline characters like %0a and %0d in the request. This only allowed bypassing the SELECT keyword; AND and OR operators were still detected. To use a traditional CASE WHEN construct, we needed string concatenation, but || was still being blocked. At that point I tried |%0a| and realized that Oracle actually allows newlines between the concatenation operator. This made it possible to exploit the issue and extract data from the target. The final payload looked something like this: String'|%0a|(case when (select%0ausername%0afrom%0all_users%0awhere%0atrim(username)%0ais%0anot%0anull%0afetch%0afirst%0a1%0arow%0aonly)='' then '1' else to_number(user) end)|%0a|' This forced the application to generate an error when the false condition was triggered. I hope this gives an idea to whoever reads this never to give up and to try unusual, unexpected stuff during testing. #BugBounty #pentesting
2
30
169
10.3K
Jadek Mark retweeted
MIFUMI @mifumiproject
Empowering young mothers and survivors of violence through skilling programs like braiding and tailoring! These skills not only boost their income but also build confidence and independence. The beneficiaries in Kalangaa tell their stories. files.fm/f/6387hmhke8
[image attached]
1
5
7
121
Jadek Mark @mase289
@Airtel_Ug, we paid for the Airtel Xstream service renewal some time last week and haven't had the package activated to date despite sharing the requested details via DM. As such we are stuck and unable to proceed with our operations. Can this be resolved?
1
0
0
91
Jadek Mark retweeted
Web Security Academy @WebSecAcademy
SQL injection is still out there! Here are 5 simple manual detection methods you can try.
1. Simple breaking characters. Hit parameters with breaking characters like ', ", ) or ; to see if the app returns errors or behaves differently. If you can make the server leak an SQL error, or even just produce an unusual response, that’s your first scent.
2. Test boolean conditions. Swap a parameter between a true and false condition. If the page reacts differently, the parameter is likely being used in a WHERE clause. For example:
?id=5 AND 1=1 (should behave normally)
?id=5 AND 1=2 (should behave differently)
If you're dealing with blind SQLi, this is a very good sign.
3. Timing differences. If the app doesn’t show errors or different responses, use time-based checks to force a noticeable delay. Examples:
MySQL: ?id=1 AND SLEEP(5)
Postgres: ?id=1 AND pg_sleep(5)
MSSQL: ?id=1; WAITFOR DELAY '00:00:05'
If the page hangs for a long time, you've likely found a time-based blind SQLi.
4. Fuzz parameters that don’t look injectable. People forget that SQLi can hide anywhere: headers, hidden form fields, JSON bodies, cookies, WebSockets.
5. Try different input data types. Many SQLi cases pop up when you send types the backend isn’t expecting. Example: if ?id=10 works fine, try ?id=abc. If you get type handling errors, there's a chance that the dev didn’t parameterise the query properly.
What are we missing?
[image attached]
1
31
181
7.5K
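The five probes above, and the newline trick in the Oracle write-up earlier on this page, are easy to spot on the defending side once the request is normalised before matching. The following is an added example (not code from Web Security Academy, from @mcipekci, or from anyone else on this page): a small classifier that runs over constructed access-log lines, percent-decodes the query string, folds newlines and tabs into spaces, and then applies one rule per probe class. The log format, the rule names and the sample lines are all assumptions constructed for the example.

```python
"""Flag SQL-injection probing patterns in web access logs.

Added example, not code from Web Security Academy or any poster on this page.
Assumes a common-log-format line with the request line in quotes; the
sample lines below are constructed, not captured from a real system.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (one client probing /item, two benign).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /item?id=5 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /item?id=5%27 HTTP/1.1" 500 88
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /item?id=5%20AND%201%3D2 HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:09 +0000] "GET /item?id=1;%20WAITFOR%20DELAY%20%2700:00:05%27 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:10 +0000] "GET /item?q=x%27%7C%0a%7C(select%0auser%0afrom%0adual) HTTP/1.1" 500 88
10.0.0.7 - - [01/Jan/2025:10:00:11 +0000] "GET /item?id=abc HTTP/1.1" 400 60
10.0.0.8 - - [01/Jan/2025:10:00:12 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

# (rule name, regex applied to the normalised query string)
RULES = [
    ("boolean-condition", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("time-delay", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("sql-keyword", re.compile(r"\b(select|union|from|where|case\s+when)\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def normalise(query):
    """Percent-decode (bounded, to catch double encoding) and fold whitespace.

    Folding matters: once decoded, `select%0ausername` and `|%0a|` are valid
    SQL with newlines in them, so a rule that looks for `select ` with a
    literal space never sees them.
    """
    decoded = query
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", " ", decoded).strip()


def classify(line):
    """Return (client_ip, [rule names], status) for one log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    ip = line.split(" ", 1)[0]
    query = normalise(urlsplit(m.group("target")).query)
    status = int(m.group("status"))
    hits = [name for name, rx in RULES if rx.search(query)]
    # A lone quote that produced a 5xx is the "breaking character" signal;
    # a quote in a name like o'reilly with a 200 is left alone.
    if not hits and "'" in query and status >= 500:
        hits.append("breaking-char-error")
    return ip, hits, status


def suspicious_requests(log_text):
    """Return every classified line that matched at least one rule."""
    out = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            out.append(result)
    return out


if __name__ == "__main__":
    for ip, hits, status in suspicious_requests(SAMPLE_LOG):
        print(ip, status, ",".join(hits))
```

The type-mismatch probe (method 5) needs per-parameter history (what type `id` normally carries) and is not modelled here; the `?id=abc` line is deliberately left as a negative so the rule set does not alert on it. Tune the `sql-keyword` rule to your own parameter names before using it on real traffic, since `from` and `where` appear in ordinary search text.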
Jadek Mark retweeted
the_IDORminator @the_IDORminator
Weird GraphQL IDOR / access control bypass: In this one, GraphQL would check the "tin" (tax identification number), if supplied, against the Bearer token. If the Bearer did not have access to the tin, you would get access denied. Normal stuff there. So my thought was, how could I make the server still look up the tin value without the access check? It regularly expected: \"tin\" This causes the server, since "tin" is present, to check access control prior to returning data. What worked was: \"tin\\\"\" So adding \\\" after tin bypassed the access control logic (for some reason), meanwhile the GraphQL query still ran and sent back the PII for any TIN I sent it. #bugbounty is just strange sometimes. Some of the battle is finding neat endpoints and places, and some of it is endless tinkering.
[image attached]
17
61
609
18.7K
Jadek Mark retweeted
the_IDORminator @the_IDORminator
Simple SQLi. I don't usually hunt SQL injection, but I will usually at least take the time to try some single quotes to see how the server responds because it only takes a few seconds. If I get a database statement or error back, or one quote errors and two single quotes do not, oftentimes it's a simple indicator of SQLi. This is the same way I find most XSS I've logged, it's just the real obvious ones. In the case of this bug, I had found an exposed set of web services. This particular injection, if I remember correctly, returned the data for all users instead of just one, indicating the injection was working. The entire set of web services had SQLi issues though. The thing here was finding the exposed web services in the first place, which were referenced in JS files. After that, the thought was: do I go the auth bypass route or SQLi for most impact? The data returned wasn't particularly sensitive, so I went the SQLi route to ensure it was a critical. I always stop when I know for sure I have injection; there is no point in playing "HTB super l33t h4x0r" and trying to go any further with it, and most companies appreciate that you don't. They can always ask you to do more later. #hacking #bugbounty
[image attached]
5
34
469
14.4K
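The "one quote errors, two quotes don't" signal in the post above comes straight from how SQL treats a quote inside a string literal, and it disappears entirely once the query is parameterised. The following added example (not code from the_IDORminator or any company on this page) shows both lookups against an in-memory SQLite table with constructed rows, and a small probe function that returns the same ok/error signal a tester reads from the response. Names and sample rows are constructed for the example.

```python
"""Why a single quote errors and two quotes do not, and the parameterised fix.

Added example, not code from any poster on this page. Uses an in-memory
SQLite database with constructed rows.
"""
import sqlite3


def make_db():
    """Constructed sample table; the rows are not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL grammar.

    "alice'"  -> WHERE name = 'alice''   (unterminated literal -> error)
    "alice''" -> WHERE name = 'alice'''  (escaped quote -> valid, no rows)
    """
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the input is only ever a value, never grammar."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def probe(fn, conn, name):
    """Return 'ok' or 'error', the coarse signal a tester sees in the response."""
    try:
        fn(conn, name)
        return "ok"
    except sqlite3.Error:
        return "error"


def quote_test(fn):
    """Run the plain / one-quote / two-quote check against a lookup function."""
    conn = make_db()
    return {
        "plain": probe(fn, conn, "alice"),
        "one_quote": probe(fn, conn, "alice'"),
        "two_quotes": probe(fn, conn, "alice''"),
    }


if __name__ == "__main__":
    print("concatenated: ", quote_test(lookup_vulnerable))
    print("parameterised:", quote_test(lookup_safe))
```

The concatenated version yields `ok / error / ok`, which is exactly the pattern the post describes; the parameterised version yields `ok / ok / ok` because every input is compared as data. Your own QA suite can run `quote_test` against each data-access function as a cheap regression check for accidental string building.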
Jadek Mark retweeted
Nagli @galnagli
Introducing my Bug Bounty Masterclass. 100% free. I've made $2,000,000+ finding security bugs. I spent the last year turning my methodology into a complete blueprint. 4 hours of video - foundations, reconnaissance, web proxies, hands-on challenges, and certification. Finish it in a weekend and start hacking real-world applications 🐞
110
337
2K
246.3K
Jadek Mark retweeted
the_IDORminator @the_IDORminator
SSRF - Internet to Internal #CyberSecurity Try to find the internal domains for targets using tools like crt.sh, shodan, censys, etc. Once you have some domains, blast them into any params you suspect may be susceptible. This one allowed total internal network access from the internet. As a side note, don't forget to check any JS files on your target for domains the files reference. Oftentimes, the dev/uat/preprod environment paths are in there, as well as other internal paths (docker, kube, etc) and which cloud provider is being used (azure, aws, goog, etc). As you work longer on a single target, you really get to know it...
[image attached]
3
35
313
14.5K
Jadek Mark retweeted
the_IDORminator @the_IDORminator
You can make extra cash doing #remotework by hacking major companies with numbers that you learned in grade school. In this $10,000 bug, I swapped 6532323 to 6532322 and dumped another person's account information. Repeat a million times = data breach. It ain't hard folks!
[image attached]
19
29
683
45.5K
Jadek Mark retweeted
Government Citizen Interaction Centre
The @MoWT_Uganda published approved Motor Vehicle Inspection fees for all vehicle categories. Vehicle owners are encouraged to review the fees, comply with inspection requirements, and help promote safer roads and responsible transport across the country. #OpenGovUg
[image attached]
34
68
194
29.4K
Jadek Mark retweeted
zseano @zseano
It’s time to lock in. If you’re struggling with bug bounties, spend the next few weeks finding a target you personally enjoy. Bigger the scope the better! Then focus on them everyday for the entire year. Aim to hack 2-3 hours minimum a day. You’ll learn lots and find bugs. GL!
37
109
772
34.2K
Jadek Mark retweeted
the_IDORminator @the_IDORminator
Fortune 50 company, IDOR. I'm logged in as me, but it returns PII for any user by customerId only. The client did not even use customerId, I just added it to see what would happen. How did I know to try customerId? Hrmm.. #websecurity
[image attached]
12
30
497
21K
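Both IDOR posts above (the sequential id swap and the server honouring a `customerId` the client never sent) fail for the same reason: the handler takes the object identity from the request instead of from the authenticated session. The following added example (not code from the_IDORminator or from any company mentioned) contrasts a handler that trusts the parameter with one that derives the id from the session and treats any mismatching client-supplied id as a refusal worth logging. The customer store, the session dictionary, the parameter names and the sample ids are all constructed for the example.

```python
"""Object-level authorisation for a customer-profile lookup (IDOR prevention).

Added example, not code from any poster or company on this page. The session
and parameter dictionaries stand in for whatever the web framework provides;
the customer rows and ids below are constructed.
"""

# Constructed sample data store (ids chosen to mirror the post's sequential ids).
CUSTOMERS = {
    6532322: {"name": "Alice", "email": "alice@example.test"},
    6532323: {"name": "Bob", "email": "bob@example.test"},
}

# Constructed audit sink; a real service would emit these to its SIEM.
AUDIT_LOG = []


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def get_profile_vulnerable(session, params):
    """Trusts a client-supplied customerId, so any authenticated user can
    read any other customer's record by changing one number."""
    customer_id = int(params.get("customerId", session["customer_id"]))
    return CUSTOMERS.get(customer_id)


def get_profile_safe(session, params):
    """Derives the record identity from the authenticated session.

    A client-supplied customerId is accepted only if it equals the session's
    own id; any other value is refused and recorded, which doubles as a cheap
    detector for id-swapping probes.
    """
    owner = session["customer_id"]
    if "customerId" in params:
        try:
            requested = int(params["customerId"])
        except (TypeError, ValueError):
            raise BadRequest("customerId must be an integer")
        if requested != owner:
            AUDIT_LOG.append({"event": "idor_attempt", "owner": owner, "requested": requested})
            raise Forbidden("not permitted to read another customer's profile")
    return CUSTOMERS.get(owner)


def outcome(fn, session, params):
    """Collapse a handler call into 'ok' / 'forbidden' / 'bad_request' plus the
    record returned, so callers (and tests) can compare the two handlers."""
    try:
        return "ok", fn(session, params)
    except Forbidden:
        return "forbidden", None
    except BadRequest:
        return "bad_request", None


if __name__ == "__main__":
    alice_session = {"customer_id": 6532322}
    swapped = {"customerId": "6532323"}
    print("vulnerable:", outcome(get_profile_vulnerable, alice_session, swapped))
    print("safe:      ", outcome(get_profile_safe, alice_session, swapped))
    print("audit:     ", AUDIT_LOG)
```

Where a role legitimately needs cross-customer access (support staff, for instance), the check belongs in the same place: compare the requested id against the set of ids the session is authorised for, never against the bare presence of a parameter.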
Jadek Mark retweeted
the_IDORminator @the_IDORminator
This is what a $55,000 bug can look like, just add "/actuator/heapdump%23" and maybe it sticks. Sometimes devs leave Spring Boot actuator wide open. All the secrets were redacted in /env, but heapdump sends ~100MB of live server-side memory with live auth tokens. The %23 was to bypass the WAF trying to block it, sigh. Start with "/actuator" or "/actuator/health" and if it hits, try all the other possible paths. #hacking #cybersecurity
[image attached]
24
150
1.3K
86.7K
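The `%23` detail in the post above is the instructive part for defenders: a rule that compares the raw request path against the literal string `/actuator/heapdump` never matches `/actuator/heapdump%23`, while the application routes on the decoded path. The following added example (not code from the_IDORminator, from Spring, or from any WAF product) shows a normalisation step that percent-decodes, drops fragment and path-parameter suffixes, resolves dot segments and lower-cases before the deny-list check, beside the naive literal match that misses the encoded variants. Prefixes, allow-list entries and sample paths are assumptions constructed for the example.

```python
"""Normalise a request path before matching it against a deny-list.

Added example, not code from any poster or product on this page. Shows why
a literal match on "/actuator/heapdump" misses "/actuator/heapdump%23".
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed policy: block everything under /actuator except the health check.
SENSITIVE_PREFIXES = ("/actuator",)
ALLOWED_EXACT = {"/actuator/health"}


def normalise_path(raw):
    """Return the path the backend will most plausibly route on."""
    path = raw.split("?", 1)[0]
    # Bounded repeated decoding catches %2523 -> %23 -> # without looping forever.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split("#", 1)[0]                      # fragment is never routed
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))  # ;jsessionid=... style suffixes
    path = "/" + path.lstrip("/")                      # single leading slash (normpath keeps "//")
    path = posixpath.normpath(path)                    # resolves ./, ../ and duplicate slashes
    return path.lower()


def is_blocked(raw):
    """Deny-list decision on the normalised path."""
    p = normalise_path(raw)
    if p in ALLOWED_EXACT:
        return False
    return any(p == pre or p.startswith(pre + "/") for pre in SENSITIVE_PREFIXES)


def naive_is_blocked(raw):
    """What a literal-string rule does: it only ever sees the raw bytes."""
    return raw.split("?", 1)[0] in {"/actuator", "/actuator/env", "/actuator/heapdump"}


def compare(paths):
    """Return {path: (naive_decision, normalised_decision)} for a set of requests."""
    return {p: (naive_is_blocked(p), is_blocked(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/actuator/heapdump",
        "/actuator/heapdump%23",
        "/ACTUATOR/%65nv",
        "/static/../actuator/env",
        "/actuator;x=1/heapdump",
        "/actuator/health",
        "/actuators",
        "/api/items",
    ]
    for path, (naive, normalised) in compare(samples).items():
        print(f"{path:28} literal={naive!s:5} normalised={normalised}")
```

Normalisation belongs in front of the rule, not as a longer list of encoded variants. On the application side the exposure itself is the fix: Spring Boot's `management.endpoints.web.exposure.include` property controls which actuator endpoints are published over HTTP, so a deployment that only lists `health` there has no heapdump endpoint for a WAF rule to protect.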
Jadek Mark retweeted
MIFUMI @mifumiproject
In Uganda's Bugiri District—once infamous for skyrocketing GBV and SRHR barriers—the Heroes for Gender Transformative Action ignited change. Former victims (later called survivors) found vital support, and most reunited with their partners. They used drama to appeal to the community. This play was performed live by those very women on December 9, 2025, during the final celebrations in Bugiri District's Wakawaka Parish.
9
20
58
48.6K
Jadek Mark retweeted
MIFUMI @mifumiproject
Unite to end digital violence against all women and girls. #16DaysOfActivism
6
11
22
294
Jadek Mark retweeted
MIFUMI @mifumiproject
Gender-Based Violence is one of the worst treatments anyone should be subjected to. Ending GBV is essential to keep families happier and safer. Today we highlight some successes of the Heroes Project.
9
14
41
18.6K
Ynoof @YnoofAssiri
With my latest SQLi find, I have reached 10K reputation on @intigriti. Shoutout to @intigriti ♥️
9
0
39
2.8K
Jadek Mark retweeted
MIFUMI @mifumiproject
[image attached]
0
5
9
192