I keep finding GraphQL batching bugs out there. Here's how to find them 👇
Most GraphQL endpoints accept arrays of operations in a single HTTP request. So instead of sending one login request at a time (and getting rate limited after 5 attempts), you send 1000 login mutations in one request. So with a single HTTP request, you can perform 1000 password guesses.
The payload might look something like this:
[
{"query": "mutation { login(user:\"admin\", pass:\"password1\") { token }}"},
{"query": "mutation { login(user:\"admin\", pass:\"password2\") { token }}"},
...
]
The server processes all of them. Rate limiting usually counts HTTP requests, not operations within a request. So it sees one request and lets it through.
Same trick works for brute-forcing OTPs, enumerating user accounts, or any operation where the defence depends on limiting how many times you can call it.
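As an added illustration, not part of the thread above, here is a defender-side check in Python that counts the operations inside a batched GraphQL request and charges each one against the login rate limit, instead of counting the HTTP request once. The batch cap, the per-window limit and the regex used to spot login mutations are assumptions; the sample bodies are constructed.

```python
import json
import re
import time
from collections import defaultdict

# Assumed policy values (not from the original thread).
MAX_BATCH_SIZE = 10      # reject oversized batches outright
LOGIN_LIMIT = 5          # login attempts allowed per client per window
WINDOW_SECONDS = 60

# Heuristic: a real server would walk the parsed document instead of regexing.
LOGIN_CALL = re.compile(r"\blogin\s*\(")


def parse_operations(raw_body):
    """Return the list of operations in a GraphQL HTTP body.
    A single JSON object and a JSON array of objects are both accepted."""
    body = json.loads(raw_body)
    ops = body if isinstance(body, list) else [body]
    for op in ops:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            raise ValueError("malformed GraphQL operation")
    return ops


class LoginRateLimiter:
    def __init__(self, now=time.time):
        self._now = now
        self._attempts = defaultdict(list)   # client id -> attempt timestamps

    def _prune(self, client):
        cutoff = self._now() - WINDOW_SECONDS
        self._attempts[client] = [t for t in self._attempts[client] if t > cutoff]

    def check_batch(self, client, raw_body):
        """Decide whether a request may proceed. Returns (allowed, reason)."""
        ops = parse_operations(raw_body)
        if len(ops) > MAX_BATCH_SIZE:
            return False, "batch too large"
        # Every login mutation in the batch counts as one attempt.
        logins = sum(1 for op in ops if LOGIN_CALL.search(op["query"]))
        self._prune(client)
        if len(self._attempts[client]) + logins > LOGIN_LIMIT:
            return False, "login rate limit"
        self._attempts[client].extend([self._now()] * logins)
        return True, "ok"


# Constructed sample bodies for a quick run.
SAMPLE_BATCH = json.dumps([{"query": 'mutation { login(user:"admin", pass:"p%d") { token } }' % i}
                           for i in range(3)])
SAMPLE_OVERSIZED = json.dumps([{"query": 'mutation { login(user:"a", pass:"b") { token } }'}] * 11)
SAMPLE_SINGLE = json.dumps({"query": "query { me { id } }"})
```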
@pcuco92 I've found these so many times and never felt it was worth reporting. What would the threshold be in your opinion?
I typically assume unless there's cloud keys or something impactful that I can demonstrate then it's not worth it.
The Spring Boot Actuators can expose some sensitive information like env vars, heap dumps, configs, and internal metrics
And sometimes, with simple bypass tricks we can find them:
actuator/env;..
;/actuator/env
actuator;/env
actuator/env%00
actuator/env;
..;/actuator/env
static../actuator/env
actuator/health/..;/env
#bugbounty #bugbountytips #cybersecurity
Some bugs start with weird behaviors like unexpected redirects or fields that "magically" accept invalid inputs
REcollapse by @0xacb uncovers the regex magic happening behind the scenes. Fuzz black-box normalizations to bypass WAFs & server-side validations 👇
#bugbountytips
7️⃣ 2FA not enforced on sensitive actions
Check if actions like changing email, viewing invoices, exporting data, or adding API keys can be done after login but before completing 2FA
Bypassing 2FA isn’t always about breaking the OTP
Sometimes the weakness is in the implementation
Here are a few common paths worth testing 👇
#bugbountytips #bugbountytip #bugbounty
6️⃣ Account linking / email change
Look for flows where you can change the email, link another identity provider, or invite another account without a fresh 2FA check, then use that linked account to access or reset
5️⃣ Third‑party login loophole
If the app supports Google, Facebook, or other identity providers, log in via a compromised OAuth account and see whether 2FA is still enforced or silently skipped
4️⃣ Pre‑2FA session abuse
After signing in with valid credentials, grab any session cookie or JWT that gets issued and try using it directly on protected API endpoints before finishing 2FA
3️⃣ Timing window exploitation
During login, look for a brief state where a valid session exists before 2FA is applied, and fire a request to a sensitive endpoint in parallel to see if you can slip through
2️⃣ Password reset shortcut
Use the “forgot password” flow, set a new password, and check whether you are logged straight into the account without passing 2FA again
1️⃣ Weak OTP throttling
Review the OTP verification endpoint for missing or lax rate limiting; if it is poorly protected, a brute‑force attack against the 2FA code might be viable
Yesterday, we wrapped up our Q1 @Hacker0x01 Italy vs. Portugal hacking competition with an in-person day in Porto 🇵🇹 It was a great day of hacking together and connecting with the local community. Looking forward to the next one! #BugBounty
Google dorking is essential when performing recon! But it can easily become a tedious process... 😓
Xnldorker by @xnl_h4ck3r gathers search results from multiple search engines simultaneously, including Google, Bing, DuckDuckGo, and more! It also features concurrent anti-bot detection and automatic result deduplication! 😎
Check it out! 👇
🔗 github.com/xnl-h4ck3r/xnl…