MRD7

732 posts

@_mrd7_

Security enthusiast ❤️ | OSCP student |

localhost · Joined February 2021
146 Following · 2.6K Followers
Pinned Tweet
MRD7 (@_mrd7_)
Bug bounty has changed my life. Thank you to the bug bounty platforms and all the programs. @Hacker0x01 @Bugcrowd Before After
MRD7 (@_mrd7_)
@Masonhck3571 Who is forwarding you Indian memes? 😂
Masonhck357 (@Masonhck3571)
Beginners when they need to explain their AI submissions. 🤣
MRD7 (@_mrd7_)
@Masonhck3571 1. What difference have you noticed from a triager's POV? 2. Are you guys receiving more reports than usual? And how many are valid?
Masonhck357 (@Masonhck3571)
Oh we do. I was just about to make a post on how this is reminiscent of when Nuclei came out. People were literally spamming anything Nuclei spat out as low severity or higher. Imagine an open scope vdp program and imagine all the results. Now imagine 50+ hackers doing the same and reporting the exact same nuclei results. Now this feels exactly the same, but much worse. Getting no results on Nuclei eventually pushed you to abandon the tool and learn web app, if you wanted to be successful. I really don’t see beginners willing to abandon Claude to learn and understand web applications and testing strategies. Of course a few will, but in my 5 years of triage, I can almost guarantee that most won’t. And those people will be the first casualties of AI.
Quoted tweet from Michael Blake (@Michael1026H1):
Agents feel like the next Nuclei. Can be very helpful, but results really depend on customization and where you point it. I also expect triagers will be dealing with a lot of reports that the reporter doesn't understand.
MRD7 (@_mrd7_)
@rez0__ @hacker_ It all comes down to this question: "How much did you spend in tokens?"
MRD7 (@_mrd7_)
@hetmehtaa Bro, after reading the first line and looking at the pic, I was like, "Wait, is that the culprit?!" 😅.
Het Mehta (@hetmehtaa)
Let me tell you a story. A mid-sized company. 500 employees. They had all the security boxes checked. Two-factor authentication on everything. Regular security training. Passed all their audits. Their security chief was confident they were protected.

Then one Tuesday morning, their entire customer database showed up on the dark web. The investigation took weeks. Nobody clicked a phishing link. No passwords were stolen. No employee did anything wrong. So what happened?

They found a digital account created back in 2019 by a developer named Sarah. She left the company in 2020. Nobody disabled her account. Nobody changed its password. For four years, it just sat there with full access to their production systems. The hacker didn't need to trick anyone. They found an access key Sarah accidentally left in public code online back in 2019. That key still worked. Game over.

Here's what's wild: When they did a full audit, they found 847 of these digital accounts. Over 400 hadn't been used in over a year. 67 belonged to people who no longer worked there. Nobody even knew what most of them were for.

We spend all our energy protecting people. Training employees not to click suspicious links. Adding security checks at every login. But what about all the automated systems running in the background? The digital accounts that connect your apps, run your services, sync your data? There are roughly 46 of these for every single employee in most companies. Most have way more access than they need. Most never expire. And most companies have no idea where they all are.

From what I see in security assessments, this is where breaches actually happen now. Not from someone falling for a scam. From a forgotten digital account that's been sitting there for years with keys to the kingdom. We're trying to manage thousands of digital identities with tools built for managing people. And hackers know it. They're not trying to fool your employees anymore. They're just looking for the back doors nobody's watching.

That company's breach cost them over $4 million. Fines. Legal fees. Customer notifications. Reputation damage. All because of an account nobody remembered and a key left in public code.

If there's one thing to take away: those automated accounts and access keys running your systems in the background? They're probably your biggest security risk. And most organizations aren't even tracking them. Time to start paying attention to the machines, not just the people.
sudi (@sudhanshur705)
One more to the list 🙇‍♂️ Learned about Mojo IPC calls this time; it was tough compared to the Comet browser, as it was all internal. Hope you will like the blog post; I tried to make it a little bit more detailed this time. hacktron.ai/blog/hacking-o…
Quoted tweet from s1r1us (mohan) (@S1r1u5_):
Part 3 of our Hacking AI Apps series. This time we hacked OpenAI Atlas Browser: A vulnerability that let us control tabs, leak browsing activity, and hijack your Reddit/Facebook accounts by stealing OAuth tokens. hacktron.ai/blog/hacking-o… Stay tuned for Part 4: Antigravity!
MRD7 (@_mrd7_)
@sudhanshur705 Thank you for the detailed explanation. I should have been clearer with my question. I was wondering whether this could be exploited over a network. But I suppose the answer is no, since there is no parameter that would allow setting the sessionStorage value "badValue" remotely.
sudi (@sudhanshur705)
@_mrd7_ You have to keep 2 things in mind: the source (your input) and the sink (which could trigger XSS, like innerHTML, etc.). What you are seeing here is an example of a source: the badValue key is controlled by you. Look out for the getter which retrieves that value and see if it ends up in any sink or not.
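The source-to-sink flow discussed in this thread, as an added example that is not code from the thread or from Google's Firing Range: a vulnerable render that hands the sessionStorage value to innerHTML, two hardened forms, and a small review helper for finding where a script writes the key (the question behind "can it be set remotely?"). The storage map, the element object and the sample script are constructed stand-ins so the block runs under Node without a browser.

```javascript
// Added example (not code from the thread or from Google's Firing Range):
// the sessionStorage -> innerHTML flow, modelled without a browser so it
// runs under Node. `storage` and `makeElement()` are constructed stand-ins
// for window.sessionStorage and a DOM element.
const storage = new Map();
function makeElement() { return { innerHTML: '', textContent: '' }; }

// Vulnerable pattern: the getter reads the key and feeds an HTML sink.
function renderUnsafe(el) {
  el.innerHTML = storage.get('badValue') ?? '';   // sink: parsed as markup
  return el.innerHTML;
}

// Hardened pattern 1: treat stored data as text, never as markup.
function renderSafeText(el) {
  el.textContent = storage.get('badValue') ?? '';
  return el.textContent;
}

// Hardened pattern 2: if it must land in innerHTML, escape it first
// (minimal escaper; real code would use a proper sanitizer).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderSafeEscaped(el) {
  el.innerHTML = escapeHtml(storage.get('badValue') ?? '');
  return el.innerHTML;
}

// Review aid for the "is it reachable remotely?" question: list every place
// a script writes the key. A finding only matters if one of these writers
// takes its value from something the page receives (location.*, postMessage).
function findStorageWriters(jsSource, key) {
  const re = new RegExp(
    String.raw`sessionStorage\s*(?:\.setItem\(\s*['"]${key}['"]|\.${key}\s*=|\[\s*['"]${key}['"]\s*\]\s*=)`,
    'g');
  return [...jsSource.matchAll(re)].map(m => m.index);
}

// Constructed inputs: a markup string at the sink and a script to search.
storage.set('badValue', '<b>hi</b>');
const SAMPLE_JS = [
  "sessionStorage.setItem('badValue', location.hash.slice(1));",
  "sessionStorage.badValue = 'static';",
  "var x = sessionStorage.getItem('badValue');",
].join('\n');
```

Only the first writer in SAMPLE_JS takes its value from the URL; the second is a constant, and the third is the getter sudi refers to, so it is not a writer at all.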
MRD7 (@_mrd7_)
DOM XSS, attention please ‼️ Can this be exploited for real without an open redirect? Working payload in console: sessionStorage.setItem('badValue', 'alert(document.domain)'); Link: public-firing-range.appspot.com/dom/toxicdom/e…
MRD7 (@_mrd7_)
@MouhannadlrX0 Link is already shared above. Open the link and check the source code.
MRD7 (@_mrd7_)
@MouhannadlrX0 Yeah. Actually Google had placed this challenge under DOM (toxicdom) category, so I had written like that. Do you know how it can be exploited?
sudi (@sudhanshur705)
@_mrd7_ @TeslaTheGod Thank you, hope that was true 😅; there are more talented ones out there, @S1r1u5_ @0xGodson_, or maybe some unknown guy with an anime pfp who just loves to play CTF :p. They excel at server side as well.
drop (@dropn0w)
Thank you Bug bounty 🤩 Flying to my first @Hacker0x01 Live Hacking Event. Wish me luck! 🍀
MRD7 (@_mrd7_)
5/n auth0.com/blog/defending… (section anchor #CSP-is-Dead--Long-Live-CSP)
MRD7 (@_mrd7_)
Learning CSP? Here are a few good resources; if you have some good article links or tips, please add them below. vaadata.com/blog/content-s… 1/n