shuwan

Another vulnerability in React Server Components (CVE-2026-23864) that I reported was disclosed today. This is separate from the one disclosed in December, so you'll need to update again. vercel.com/changelog/summ…

I'm releasing fontleak: a new CSS injection technique to quickly exfiltrate text nodes (and yes, that includes inline scripts). Works on Chrome/Firefox and Safari*. You can use it to escalate the impact of your HTML injection payloads and to solve CTF challenges.

@0xkmikze 🔥🔥

Last day I found an XSS that couldn’t be detected with Nuclei, Httpx, X8, ... cause of aggressive connection handling, even with all options, servers just didn’t respond. So I wrote a lightweight Go tool to reliably test GET/POST parameter reflections. github.com/xkmikze/kzxss/

@debu8er @voorivex congrats 🔥🔥🔥

Allllah @voorivex

@abdollahzadeh_g 🔥🔥🔥🔥

Many people think there’s a golden method or a predefined path that works for everyone when it comes to finding bugs. But it's not true. Imitating others might bring results early on, but in the end, it’s all about building your own signature. That’s the exact mindset I’ve picked up from @voorivex , @Sin4Yeganeh , and @zhero___ and worked to bring into my own methodology. Only those with a unique perspective will spot the bugs that everyone else overlooks.

CSP + WAF + Dom purify + char limit + Http only cookies Yesterday, 8 PM: Found a self-HTML injection. Today, 7 AM: Reported a stored XSS → full account takeover. Chained across two domains — injected on one, triggered on the other

@52_Hz_h1 @voorivex congrats 🔥🔥

First RDP bug down. On to the next. 👾--> 3K Guts Hunters[@voorivex ]

@jusxing @Hacker0x01 🔥🔥

Q2 summary on @Hacker0x01 1- ranked 80 in global leaderboard 2- ranked 52 in highest critical reputation 3- $41k ( Most of IDOR & XSS & Auth) 4- 31 submission ( 4 critical , 7 high, 10 medium, 4 low , 3 duplicates) some of still PPR

@0xkmikze @sina42069 @hossein_kd9 @voorivex congrats 🔥🔥

My opinion about this drama:
We should treat each other with respect. One bad action doesn’t define a person, but it should be corrected. Spreading hate toward any group is unacceptable and only creates division. I’ve been working in the bug bounty community for 2 years and have made many friends from all around the world. Even though I haven’t met them in person, I truly value and respect them, regardless of their opinions, race, religion, or background. I always give respect and receive respect in return. I don’t like this drama because it takes the community away from being productive and only leads to more division.

been using this techniques to bypass many WAFs, open the console in the vulnrable page, run this code to extract variables refering to window object: for(let x in window)if(window[x]===window)console.log(x); then leaverage it to execute JS functions, happy hunting :]

@debug50 🔥🔥🔥

Let’s go, baby!

There’s an Android-only open redirect technique using the intent:// scheme: intent://trusted.com/#Intent;scheme=https;package=non.existent.app;S.browser_fallback_url=https://attacker.com/test;end If checker function only validate the domain and the app isn’t installed, ….

Just found an interesting behavior in Firefox that can be used for XSS: If a response lacks the Content-Type header, Firefox renders it as text/plain. But if the URL ends with an extension like .html, Firefox treats it as that. #bugbounty #bugbountytips

a few days ago i was able to leak OAuth code using a similar technique, i changed the referrer policy of the page using a meta tag and then injected an img, even though the referrer policy header was set, the browser followed the new policy from the meta tag

Super excited to be speaking at Nahamcon this year. Thanks for having me @NahamSec!

Thanks to @Hacker0x01 and my favorite program for this opportunity, hope to see bug bounty folks in Sydney.

If you find a Stored Self-XSS + CSRF login/logout bug, you can steal private info from users. Here’s how it works 👇 /1

finally reached the BBP 2025 Top 10, I’m not pushing for the leaderboard, but it’s somehow motivating. Just been spending my time more efficiently these past months (automation + manual)