Paweł Hałdrzyński @phaldrzynski
285 posts

Researching web applications' security at daylight - auditing smart contracts at night

Poland · Joined November 2019
41 Following · 873 Followers

Pinned Tweet

Paweł Hałdrzyński @phaldrzynski
For the 2nd year in a row, my research was chosen for 'Top 10 web hacking techniques'. It's very encouraging that my 'WAF evasion techniques' is among other awesome researches and that I'm able to share my security thoughts with the #infosec community! portswigger.net/research/top-1…

Paweł Hałdrzyński @phaldrzynski
Rn no one is incentivized to send lows. Creating even a slight chance that lows might be rewarded would create that incentive. Also, bb rewards impact: if you have a hunch that you have something interesting, but cannot prove it, then it might be reasonable to insert it into an audit report, but it's oos for the bb (the program bought a bb, not an audit).

Keyword 💙🛠️ @xKeywordx
Sounds right, but then again, why would someone be incentivized to send Lows/Info if they are not in scope? I mean, by default, you get nothing, and you should expect nothing. It's called good faith for a reason. My idea was that I (or anyone else) would review a codebase. As you do the review, you'll end up with a bunch of issues that you deem worthy of submitting through the BB program, but then you'll also have "leftovers" which may be nice to fix to improve the security of the protocol, but not critical stuff. However, sometimes these leftovers are borderline Low/Medium or maybe you, the SR, don't see the full picture like the protocol does and maybe there's an impact that you don't see/anticipate/think of, but the protocol is aware of. For these situations, the protocol can choose to award you with something, but again, you submit all the leftovers as a gesture of goodwill, not because you actually expect something. The protocol can simply ignore these reports anyway, they are outside the official scope and should not contain critical findings. In theory, "spam" sounds plausible, but in reality, there's no incentive to do it. If you want to hunt for Lows, there are some BBs that also reward Lows; you can just hunt on these projects.

Keyword 💙🛠️ @xKeywordx
Here's an idea of a feature for BB platforms @immunefi @HackenProof @cantinaxyz @sherlockdefi @code4rena . (just an idea, don't shoot the messenger) I'm pretty sure that a lot of SRs have "leftover" findings that are not eligible for a payout due to the BB program rules. However, sometimes, a bunch of unfixed Low severity issues can lead to a bigger exploit in the future if left unattended. Wouldn't it be nice to have the possibility of sending a "good faith" report, where SRs can put all their remaining findings and send them to the protocol? I call it "good faith" because the SR doesn't expect any payment for these, since these issues are not eligible for payout under the standard BB program rules. However, if the protocol deems the reported issues good enough to fix or the protocol gets value from any of the reported issues, they can decide to pay the SR something for it at their own discretion. This can also address the situations where SRs are not submitting an issue because they deem it low severity, but if the protocol sees it, maybe the devs will see a different (higher) impact. The protocol can act in good faith and award a payout for the submissions. The idea is to eliminate "waste". I don't expect too many protocols to pay for these, but it's a waste of effort to have a bunch of valid findings that you'll never report.

Paweł Hałdrzyński @phaldrzynski
@0xluk3 @0xLaxo If a website like this somehow hits a wallet with actual funds, there's a huge risk it'll drain that wallet before it even shows you the real balance :)

Łukasz M @0xluk3
@0xLaxo What’s the difference between browsing this and just randomly generating new keys and checking balance?

Laxo @0xLaxo
your private keys are leaked! ..well, technically, yes. there's a website called keyslol and it stores all private keys that have ever been (or could be) generated. yes, all your private keys are stored there. and ANYONE could find it and steal all your assets. or could not? the total amount of addresses is 2 to the power of 160. there are about 7.5 x 10^18 grains of sand on earth, which is about 2 to the power of 76. so if, for every grain of sand on earth, there were a couple hundred other planets just like earth, then the number of grains of sand on all those planets would be about equal to the number of ethereum addresses. the amount of pages on this website is 904625697166532776746648320380374280100293470930272690489102837043110636675. if you managed to find my private key there, i can only appreciate the grind and let you take my stuff. go for it.

Paweł Hałdrzyński @phaldrzynski
I'm super excited that my research: "Disguises Zip Past Path Traversal" has been nominated to PortSwigger's Top 10 web hacking techniques of 2025. If you've enjoyed the read, a vote would mean a lot! Link to vote in the reply below 👇
Paweł Hałdrzyński @phaldrzynski

Nice trick showing that the very same zip can be seen differently by two different programs. I've examined how this quirk could help us in zip path traversal attacks: blog.isec.pl/disguises-zip-…


Paweł Hałdrzyński @phaldrzynski
@PinkDraconian @adityatelange tbh, that depends on how you define a security feature ;). If its purpose is to reduce risk or prevent attacks - then yeah, it's not a security feature. But, if a security feature's purpose is enforcing intended access/policy, then we could call it a security feature

PinkDraconian @PinkDraconian
@adityatelange Something that can only be used to remove security can't be called a "security feature", right?

PinkDraconian @PinkDraconian
| ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄| CORS is not a security feature! |___________| \ (•◡•) / \ / --- | |

Paweł Hałdrzyński @phaldrzynski
Or maybe - let's normalize the triaging process first (right now, one Triage accepts the bug, while the other rejects it or miscalculates the CVSS for the very same issue). Then, let's fix the problem with programs' responsiveness - you don't expect people to stake their cash and lock it up for who knows how long, do you? Next, we should be careful not to throw the baby out with the bathwater. While staking a few bucks is a non-issue for Europe, there are many very talented young people from lower-income countries who simply cannot afford that amount. We should encourage them to participate in the bug bounty world, rather than discourage them with pay-to-submit requirements. After that, pay-to-submit fails because the researchers don't know the company's impact assessment upfront. If I knew an issue would be rated Low, I'd be OK to report it for free, but wouldn't lock up funds to submit it. This is actually an unfixable issue, as every company evaluates risk and impact differently. Lastly - the 5x stake back idea - that's not how bug bounty budgets work, lol. And it's not how they should ever work - payouts are meant to reflect risk and impact, not how much someone staked. Not to mention that your model rewards risk tolerance instead of report quality (subtle or hard-to-reproduce bugs will likely go unreported, because the risk of rejection is too high).
s1r1us (mohan) @S1r1u5_

one way to solve spamming from humans and AI is to introduce a staking mechanism. If bug hunters want to submit a vulnerability, they stake a few hundred dollars and get 5x their stake back if the vulnerability is valid. The same applies to git PR spamming: if anyone wants to open a PR, let them stake their dollars and pay if it gets merged.


Paweł Hałdrzyński @phaldrzynski
TBH, it's pretty difficult to determine the exact fine amount (and thus calculate a fixed % based on it) until an actual breach has occurred. Take a look at GDPR fine examples - they vary widely. However, what you are suggesting is starting to happen in web3 bug bounties - where some protocols decide to pay a percentage of the affected funds (as it's easy to simulate the exact amount of funds at risk).

I am Jakoby @I_Am_Jakoby
I agree. This is why, again, I really think if your company handles certain data or makes a certain amount of money or something, they are required to be a part of one of the bounty programs. And bounties should be a fixed percentage of what the fine would have been. Watch how fast vulns get fixed then. It's wild this isn't already a thing when cyber attacks are at the top of the list of worst things that could happen to us. Soldiers can't reach us. Nukes would be shot down. Our one main vulnerability is cyber lol

I am Jakoby @I_Am_Jakoby
$100k is a lot of money... In the last year I've been approached by a few exploit brokers. It's really weird because they fully operate in the open, but it just doesn't feel legal what they do. For the most part it's always just been a general "hey you should reach out to us". I'm in a chat channel where, without giving details or methodology, I have some people I discuss exploits I find with. In the last month I've found 2 massive PII leaks. One is an ISP, the other is a large scale customer and operations management system. Neither has a bug bounty program, 1 has a VDP. I was offered around $100k for both. Forget about me, do you know what $100k would do for my non-profit animal sanctuary? For all my cats? I wanna be clear I'm not going to do it. I got out of the military because I was afraid of how my actions were negatively affecting the world around me. I just can't be the cause of other people's pain. But at the same time I also feel a moral dilemma with just "responsibly disclosing" these 2 MASSIVE PII leaks and just letting them silently patch it without repercussions. Both situations make me feel like I'm doing a bad guy a favor... especially because 1 of these companies just got hit with millions in fines for a PII leak in the last few years and here they are doing it again... So yea, I don't believe they should get a FREE free pass. As in not paying out for it, AND walking away consequence free. Call me crazy but I think there should be laws requiring companies that handle certain data to be a part of bounty programs. And bounty payouts should be a fixed percentage of the fines they would have received. You can argue there is no point of fighting this and nothing will ever change, but let me remind you I'm the same person that got Microsoft to change their entire bounty program. End rant.

def1ant @0xdef1ant
☝️did you know: if you have CRLF injection on a 302 redirect, you can still trigger XSS by providing an empty value for the "Location:" header #bugbountytip #hackerone
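The tip above combines two things a redirect handler can get wrong at once: letting CR/LF from user input reach the response headers, and emitting a 302 whose Location is empty, so the browser displays the response instead of navigating. Most modern frameworks already refuse CR/LF in header values, but the empty-Location case slips past that check. The following is an added example, not code from the tweet's author: the hardened shape of such a handler, with the allowlisted host app.example as an assumption. It rejects empty targets and control characters outright and pins the destination to the site's own host.

```python
"""Hardened redirect construction (added example; hosts and paths are assumed)."""
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example"}          # assumption: the hosts we are willing to redirect to
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF and every other C0 control, plus DEL


class RedirectError(ValueError):
    """Raised when a redirect target must not be emitted."""


def build_redirect(target: str) -> tuple[int, list[tuple[str, str]], bytes]:
    """Return (status, headers, body) for a 302 to `target`, or raise RedirectError.

    Order of checks matters: an empty target is refused before anything else,
    because a 302 with an empty Location is served as a normal page, and any
    attacker-influenced body would then be rendered.
    """
    if not target:
        raise RedirectError("empty redirect target")
    if _CONTROL_CHARS.search(target):
        raise RedirectError("control characters in redirect target")

    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ('//host/...') URL: only https to our own hosts.
        if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_HOSTS:
            raise RedirectError("off-site redirect target")
    elif not target.startswith("/"):
        raise RedirectError("relative redirect target")

    headers = [
        ("Location", target),
        # A minimal, fixed body so nothing user-controlled can end up rendered
        # even if a client ignores the redirect.
        ("Content-Type", "text/plain; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return 302, headers, b"Redirecting\n"


def serialize(status: int, headers: list[tuple[str, str]], body: bytes) -> bytes:
    """Render the response the way it goes on the wire; handy for inspecting the output."""
    lines = [f"HTTP/1.1 {status} Found"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


if __name__ == "__main__":
    print(serialize(*build_redirect("/dashboard")).decode())
    # Constructed inputs a validator must refuse (the first two are the tip's ingredients).
    for bad in ["", "/x\r\nSet-Cookie: a=b", "//evil.example/", "https://evil.example/", "http://app.example/", "dashboard"]:
        try:
            build_redirect(bad)
        except RedirectError as e:
            print(f"{bad!r:32} rejected: {e}")
```

The response body is fixed text with `nosniff` so that, even for a client that does not follow the redirect, nothing reflected from the request is ever interpreted as HTML.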

Paweł Hałdrzyński @phaldrzynski
@chrisdior777 💯 This is a very good book. It allows you to understand many concepts at the math level. Sitting down with a pen and working through the math formulas yourself will lead to a deep understanding of those topics

chrisdior.eth @chrisdior777
Sometimes you need to go back to basics to actually level up. This book is AMAZING. Crazy good breakdown of how AMMs really work under the hood: pricing, liquidity, and trades across Balancer, Uniswap V2/V3, and Curve Finance. Mandatory read if you’re serious about DeFi.

Marcin Kulinicz @Marcinql
@prywatnik They address candidates in English... I wonder what the legal classification would be of taking such a job, e.g. an Indian citizen in German service hacking the IT systems of, say, Russia...

Łukasz Olejnik @prywatnik
German intelligence (BND) is recruiting hackers. On offer: the chance to hack systems legally, in the service of the country. This is about offensive cyber operations. The duties include, among others, breaking into systems, building hacking tools, trojans and spyware, and exfiltration (stealing information). The BND is deliberately addressing people from the hacker culture.

Behi @Behi_Sec
Which vulnerability took you the longest to fully understand when you started? It took me a long time to fully understand SSRF 😅

Paweł Hałdrzyński @phaldrzynski
In many cases - a semicolon does the trick: /;/actuator/heapdump or /actuator/heapdump;
Rarely - path-traversal-like patterns work, e.g.: /actuator/health/../heapdump or /actuator/health/..;/heapdump
Almost never - but worth a try anyway: passing the actuator path via X-Original-URL (and similar) headers.
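Every pattern in the tweet above works for the same reason: the edge device (WAF or reverse proxy) matches the raw request string while the backend resolves path parameters and dot segments before routing. The defensive counterpart is to canonicalize the path at the edge the same way before applying the deny rule, and to flag requests whose raw and canonical forms disagree. The following is an added example, not the tweet author's code: the mount point /actuator/, the override header names, and the sample requests are all assumptions or constructed data, and how a particular servlet container really resolves these forms has to be confirmed against that container.

```python
"""Canonicalize request paths before applying an edge deny rule for Actuator
endpoints (added example; prefix, header names and sample traffic are assumed)."""
from urllib.parse import unquote

SENSITIVE_PREFIX = "/actuator/"                            # assumption: actuator mounted here
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")     # path-override headers an edge should drop


def canonicalize(raw_path: str) -> str:
    """Resolve a raw request path the way a lenient backend might.

    Steps: drop the query string, percent-decode once, strip ';params' from
    every segment (so '/;/a', '/a;' and '..;' collapse), then resolve '.' and '..'.
    """
    path = unquote(raw_path.split("?", 1)[0])
    out: list[str] = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # path parameters never select a resource
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify(raw_path: str, headers: dict) -> str:
    """Edge verdict for one request.

    'block-header-override'        : an override header resolves to the prefix
    'block-normalization-mismatch' : raw path differs from its canonical form and
                                     the canonical form hits the prefix (a rule on
                                     the raw string would have missed it)
    'block'                        : straightforward request for the prefix
    'allow'                        : everything else
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lower and canonicalize(lower[name]).startswith(SENSITIVE_PREFIX):
            return "block-header-override"
    canonical = canonicalize(raw_path)
    if canonical.startswith(SENSITIVE_PREFIX):
        return "block" if raw_path == canonical else "block-normalization-mismatch"
    return "allow"


# Constructed sample traffic as (raw path, headers); not real log data.
SAMPLE_REQUESTS = [
    ("/api/users", {}),
    ("/actuator/health", {}),
    ("/;/actuator/heapdump", {}),
    ("/actuator/heapdump;", {}),
    ("/actuator/health/../heapdump", {}),
    ("/actuator/health/..;/heapdump", {}),
    ("/public/index.html", {"X-Original-URL": "/actuator/heapdump"}),
]


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Tally verdicts over a batch; a quick regression check for the rule set."""
    counts: dict = {}
    for raw, hdrs in requests:
        verdict = classify(raw, hdrs)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for raw, hdrs in SAMPLE_REQUESTS:
        print(f"{raw!r:36} -> {canonicalize(raw)!r:22} {classify(raw, hdrs)}")
    print(scan())
```

The mismatch verdict is the useful signal for monitoring: legitimate clients almost never send path parameters or unresolved dot segments, so a raw/canonical disagreement pointing at a sensitive prefix is worth an alert even when the backend would have rejected it anyway. Override headers are best stripped at the edge for every request rather than inspected.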

Paweł Hałdrzyński @phaldrzynski
@the_IDORminator Report from 2021. Nowadays, SameSite defaults make proper CSRF chains much harder - luckily, in many cases - it's still doable ;)

the_IDORminator @the_IDORminator
CSRF: The forgotten bug. CSRF, or cross-site request forgery, usually falls into one of two buckets -- an entire web application is vulnerable, or just certain pages of it are. Applications which are vulnerable to CSRF allow attackers to perform actions on behalf of other users without their permission (and sometimes without their knowledge). For a CSRF issue to be a meaningful bug in #bugbounty, it needs to have an impact on the account that matters. For instance, if "X" -- which you are currently on -- had a CSRF issue, I could send you a private message with a link in it, or even make a post with a link in it. When you or anyone else that is signed into "X" clicks the link, it will perform an authenticated action on the "X" platform using your account credentials (since you are signed in), without your permission. This could, as an example, delete your account, change your profile image, change your account name, export data, change your password, send a message, make a post -- all kinds of things, depending on the specific issue. This works if an application's authorization mechanism is susceptible to CSRF and common mitigations are not in place, such as unique headers or parameters with tokens. If you are not familiar with this bug class, you can hit up @grok and learn all about it. Sometimes it's an easy win in bug bounty, particularly if you notice an entire app is lacking mitigations. #hacking #appsec #infosec
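The post above names the standard mitigations (tokens in unique headers or parameters), and the reply before it points at the other half of the story: SameSite cookie defaults, which keep the browser from attaching the session cookie to cross-site form posts in the first place. As an added example that is not code from either author, here is the server-side check a framework-agnostic handler would run on every state-changing request, plus the cookie attributes that make the browser-side defence explicit. The origin https://app.example and the dict-shaped request and session objects are assumptions standing in for whatever a real framework provides.

```python
"""CSRF defences: synchronizer token, Origin/Referer check, SameSite cookie
(added example; origin and request/session shapes are assumptions)."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"                  # assumption: our own origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}  # methods that need protection


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token and store it so later requests can be verified."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_csrf_safe(request: dict, session: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a request shaped as
    {"method": str, "headers": {name: value}, "form": {name: value}}.

    Safe methods pass. State-changing requests must carry a token (header or
    form field) matching the session copy, and any Origin/Referer the browser
    sent must be our own. Absence of those headers is not treated as proof of
    safety; the token check still applies.
    """
    if request["method"].upper() not in STATE_CHANGING:
        return True, "safe method"

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # 1. Browsers attach Origin (and usually Referer) to cross-site form posts,
    #    so a foreign value is a hard reject regardless of the token.
    for name in ("origin", "referer"):
        if name in headers and _origin_of(headers[name]) != SITE_ORIGIN.lower():
            return False, f"cross-site {name}: {headers[name]}"

    # 2. Synchronizer token, compared in constant time. An attacker's page
    #    cannot read our session-bound token, so it cannot supply it.
    expected = session.get("csrf_token")
    if not expected:
        return False, "no token issued for this session"
    supplied = headers.get("x-csrf-token") or request.get("form", {}).get("csrf_token", "")
    if not supplied or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    return True, "token and origin ok"


def session_cookie(value: str, same_site: str = "Lax") -> str:
    """Set-Cookie value for the session cookie.

    SameSite=Lax (the browser default the reply above refers to) or Strict stops
    the cookie from riding along on cross-site POSTs; Secure and HttpOnly keep it
    off plaintext connections and out of reach of scripts.
    """
    if same_site not in ("Lax", "Strict"):
        raise ValueError("session cookies should be SameSite=Lax or Strict")
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    session: dict = {}
    token = issue_csrf_token(session)
    print(session_cookie("constructed-session-id"))
    # Constructed requests: a genuine same-site post and a forged cross-site one.
    genuine = {"method": "POST", "headers": {"Origin": SITE_ORIGIN}, "form": {"csrf_token": token}}
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"}, "form": {}}
    print(is_csrf_safe(genuine, session))
    print(is_csrf_safe(forged, session))
```

Both layers are kept because each covers the other's gap: the token defends browsers or embedding contexts where SameSite does not apply, and the Origin check catches an application that forgot to validate the token on one endpoint, which is exactly the "only certain pages are vulnerable" bucket the post describes.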

Paweł Hałdrzyński @phaldrzynski
You cannot discuss identified vulnerabilities in both private and public programs. So no, for exactly that reason @prakhar0x01 shouldn't name the program (even if it's a public program). TBH, why do you even think this is any of your business what the name of the program is? As long as this was actually a bug bounty target, he did nothing wrong.

Paweł Hałdrzyński @phaldrzynski
Well, if you believe this is novel and might be used by threat actors, then ASAP responsible disclosure would be a nice thing to do, rather than waiting till someone else buys the subscription to get it. @cramforce ran their BB program to improve their WAF and protect customers from this. You might take a look at it if you think that what your honeypot caught is worth noting and might bypass WAFs x.com/cramforce/stat…

Defused @DefusedCyber
Actor exploiting CVE-2025-55182 (React Remote Code Execution) from AS 399629 ( BLNWX ) 🇺🇸 Actor is using a novel previously undocumented exploit path in their exploit Event with payload [Defused TF sub required] 👇 console.defusedcyber.com/s/d9afdfc8-f81…