Vishal Vishwakarma

934 posts


@rootxvishal

Security Analyst | eJPT | VAPT | Bug Hunter | Secured Google, NASA, BBC, Lenskart & 300+ Companies | 8xCVE

Joined January 2020
201 Following · 1K Followers

Pinned Tweet
Vishal Vishwakarma @rootxvishal
Here are 27 ways to learn ethical hacking for free. Credit: @danielmakelley. Thread 🧵 ⬇ #infosec #bugbountytips #ctf #hacking

1. Root Me — Challenges.
2. Stök's YouTube — Videos.
3. Hacker101 Videos — Videos.
4. InsiderPhD YouTube — Videos.
5. EchoCTF — Interactive Learning
Vishal Vishwakarma @rootxvishal
Day 5 / 30 — JAVASCRIPT FILE ANALYSIS

JS files leak endpoints, API keys, internal infra. Read them. Don't just scan.

Tools:
→ subjs — github.com/lc/subjs
→ getJS — github.com/003random/getJS
→ LinkFinder — github.com/GerbenJavado/L…
→ JSluice — github.com/BishopFox/jslu…
→ SecretFinder — github.com/m4ll0k/SecretF…
→ trufflehog — github.com/trufflesecurit…

Read the comments. Devs leave goldmines.

#bugbountytips #javascript #bugbounty #infosec #cybersecurity
Vishal Vishwakarma @rootxvishal
Bug Bounty Tip 🎯 - WordPress /wp-json/wp/v2/users/ Still Works in 2026

WordPress user enumeration via REST API is old. It still works everywhere.

curl target.com/wp-json/wp/v2/…

Got: name, slug (= login username), user ID, profile URL

Then the chain: Username known → /wp-login.php?action=lostpassword → host header injection in reset email → ATO

Add it to your checklist. It takes 2 seconds and the slug is usually the WP login.

#bugbountytips #cybersecurity #wordpress #recon
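From the defender's side, the chain in the post above (REST user enumeration followed by a password-reset request carrying a foreign Host header) is visible in web server logs. The detector below is an added example, not code from the post; the log format, the `shop.example.com` canonical host and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines in an assumed custom access-log format:
# <client_ip> <method> <path> <status> <Host header as sent by the client>
ACCESS_LOG = """\
203.0.113.7 GET /wp-json/wp/v2/users/ 200 shop.example.com
203.0.113.7 GET /wp-json/wp/v2/users/1 200 shop.example.com
203.0.113.7 POST /wp-login.php?action=lostpassword 302 attacker.example.net
198.51.100.4 GET /wp-json/wp/v2/posts 200 shop.example.com
198.51.100.4 POST /wp-login.php?action=lostpassword 302 shop.example.com
"""

# Assumed: the only hostname the site is legitimately served under.
CANONICAL_HOST = "shop.example.com"

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
# The REST users collection and any single-user sub-resource.
USERS_ENDPOINT = re.compile(r"^/wp-json/wp/v2/users(/|$)")


def analyze(log_text: str = ACCESS_LOG, canonical_host: str = CANONICAL_HOST) -> dict:
    """Per-client counts of user-enumeration hits and of password-reset
    POSTs whose Host header does not match the canonical hostname."""
    findings = defaultdict(lambda: {"user_enum": 0, "foreign_host_reset": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ip, method, path, _status, host = m.groups()
        if USERS_ENDPOINT.match(path):
            findings[ip]["user_enum"] += 1
        if (method == "POST" and "action=lostpassword" in path
                and host.lower() != canonical_host):
            findings[ip]["foreign_host_reset"] += 1
    return dict(findings)


def suspicious_clients(log_text: str = ACCESS_LOG) -> list:
    """Clients that both enumerated users and sent a reset with a foreign Host."""
    return sorted(ip for ip, f in analyze(log_text).items()
                  if f["user_enum"] and f["foreign_host_reset"])
```

A reset request with a non-canonical Host header should never occur legitimately, so that signal alone is worth alerting on; the enumeration count just raises confidence.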
Vishal Vishwakarma @rootxvishal
Day 4 / 30 — PARAMETER DISCOVERY ARSENAL

Hidden params = hidden bugs. Skip this step and you skip half the attack surface.

Tools:
→ ParamSpider — github.com/devanshbatham/…
→ Arjun (@s0md3v) — github.com/s0md3v/Arjun
→ x8 — github.com/Sh1Yo/x8
→ Param Miner — Burp BApp store
→ gf (@TomNomNom) — github.com/tomnomnom/gf

gf patterns repo: github.com/1ndianl33t/Gf-…

#bugbountytips #recon #paramspider #infosec #cybersecurity
Vishal Vishwakarma @rootxvishal
Bug Bounty Tip 🎯 - Commented-Out Registration = Hidden Attack Surface

Always read the login page HTML source before moving on.

Found this in a company's login page: The link was commented out. The endpoint was still live.

The registration form had a role dropdown: Admin, Champion, Lead Coordinator. Any stranger could register as Admin. No invite. No restriction. No check.

Hidden != Deleted.

#bugbounty #bugbountytips #infosec
Vishal Vishwakarma @rootxvishal
Day 3 / 30 — URL & ENDPOINT COLLECTION

Got alive subs? Now collect every URL ever associated with them. This is where the gold is.

Tools:
→ waybackurls (@TomNomNom) — github.com/tomnomnom/wayb…
→ gau — github.com/lc/gau
→ katana — github.com/projectdiscove…
→ hakrawler (@hakluke) — github.com/hakluke/hakraw…
→ gospider — github.com/jaeles-project…
→ paramspider — github.com/devanshbatham/…

#bugbountytips #recon #infosec #cybersecurity
Vishal Vishwakarma @rootxvishal
Day 2 / 30 — LIVE HOST PROBING WITH HTTPX

Once you have subs, find what's alive. httpx is the standard. The flags matter.

Tool: github.com/projectdiscove…

Flags that earn bounties:
→ -mc 200,301,302,401,403 — match codes
→ -tech-detect — fingerprint the stack
→ -title — page titles surface dev/admin pages
→ -sc -cl — status code + content length
→ -favicon — favicon hash (use with Shodan)
→ -screenshot — visual recon
→ -threads 200 — speed

#bugbountytips #recon #infosec
Vishal Vishwakarma @rootxvishal
🔥 Ultimate IDOR Testing Checklist 🔥

📌 mrdesoky0.notion.site/Ultimate-IDOR-…

IDOR is still one of the most impactful bugs in bug bounty. Many critical findings start by simply changing an ID in a request.

💡 This checklist covers:
✔️ ID & UUID manipulation
✔️ API & version bypasses
✔️ Multi-account testing
✔️ GraphQL & WebSocket
✔️ Race conditions & batch abuse
✔️ Mobile, gRPC & blind IDOR

If you want high-impact bugs, don't skip this. 🚀

#bugbountytips #bugbounty #infosec #cybersec
Vishal Vishwakarma @rootxvishal
Day 1 / 30 — SUBDOMAIN ENUMERATION STACK

Don't rely on one tool. Stack them. The bug lives in the sub only one tool found.

Tools:
→ subfinder — github.com/projectdiscove…
→ amass — github.com/owasp-amass/am…
→ assetfinder — github.com/tomnomnom/asse…
→ findomain — github.com/findomain/find…
→ chaos — github.com/projectdiscove…
→ github-subdomains — github.com/gwen001/github…
→ shuffledns — github.com/projectdiscove…

#bugbountytips #recon #infosec
Vishal Vishwakarma @rootxvishal
WAF Bypass with Comment Injection - Bug Bounty Tip 🎯

When SQL injection is blocked by a WAF, try comment-based keyword splitting.

UNION SELECT → blocked
UNION/**/SELECT/**/NULL-- → 200 ✅

The WAF pattern often matches keywords separated by spaces. Injecting comments breaks the pattern without affecting SQL parsing.

Test payloads:
AND/**/1=1--
OR/**/1=2--
UNION/**/ALL/**/SELECT

Useful as a stepping stone before identifying a truly injectable endpoint.

#bugbountytips #bugbounty #infosec #cybersecurity
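The weakness the post describes is a rule that inspects raw input; the fix on the filtering side is to normalize inline comments away before matching, so the rule sees the same token stream the SQL parser will. This is an added illustration, not code from the post or from any WAF product: `NAIVE_RULE` is a constructed stand-in for a whitespace-dependent signature, and the sample payloads are the ones quoted in the post plus one benign search string.

```python
import re

# Constructed stand-in for a whitespace-dependent WAF signature: it only
# fires when the SQL keywords are separated by real whitespace.
NAIVE_RULE = re.compile(
    r"\bUNION\s+(ALL\s+)?SELECT\b|\b(AND|OR)\s+\d+=\d+",
    re.IGNORECASE,
)

# Inline SQL comment /* ... */, non-greedy so adjacent comments stay separate.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize(payload: str) -> str:
    """Replace each inline comment with one space and squeeze whitespace,
    approximating how the database engine will tokenize the input."""
    without_comments = INLINE_COMMENT.sub(" ", payload)
    return re.sub(r"\s+", " ", without_comments).strip()


def naive_blocks(payload: str) -> bool:
    """Rule applied to the raw request value (the bypassable form)."""
    return bool(NAIVE_RULE.search(payload))


def hardened_blocks(payload: str) -> bool:
    """Same rule applied after comment normalization."""
    return bool(NAIVE_RULE.search(normalize(payload)))


# Constructed samples: payloads quoted in the post plus a benign search term.
SAMPLES = [
    "UNION SELECT NULL--",
    "UNION/**/SELECT/**/NULL--",
    "UNION/**/ALL/**/SELECT",
    "AND/**/1=1--",
    "OR/**/1=2--",
    "red shoes size 10",
]


def compare(payloads=SAMPLES) -> dict:
    """Map each payload to (blocked_by_naive_rule, blocked_after_normalization)."""
    return {p: (naive_blocks(p), hardened_blocks(p)) for p in payloads}
```

Normalization closes this particular evasion but is still a filter; the query-side fix that makes the comment trick irrelevant is parameterized statements.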
Vishal Vishwakarma @rootxvishal
I’ve learned a lot from this community over the years. Now it’s time to give back. For the next 30 days, I’ll be sharing one bug bounty tip every day — real recon stacks, payload lists, Burp tricks, resources, and tools I actually use. Day 1 starts tomorrow. Follow along if you want to level up 🚀 #bugbountytips #bugbounty #infosec #cybersecurity
Altered Security @AlteredSecurity
Another exciting giveaway for our community as part of the Month of Azure Red Teaming 2026. We're giving you a chance to win FREE access to our Azure Red Team courses:
• CARTP® (Beginner)
• CARTE® (Advanced)

If you've been looking to build real-world Azure Red Teaming skills through hands-on labs and practical attack paths, this is your opportunity.

How to participate:
• Like and follow us
• Comment which course you're interested in and why
• Repost this post

We will announce the random winners on April 25, 2026.

Don't miss this exclusive Month of Azure Red Teaming offer: Flat 20% OFF on our Azure Red Team courses. Use code: MOART20. Valid till May 5, 2026.

Explore now: alteredsecurity.com/azure-red-team…

#Azure #RedTeaming #CloudSecurity #CyberSecurity #AzureSecurity #Giveaway #AlteredSecurity