dirty0124

2.9K posts

@dirtycoder0124

A positive, never give up person. Founder of https://t.co/2H0KjZ5riG Telegram group https://t.co/bjQUMjI9Lh

India · Joined October 2015
422 Following · 4.6K Followers
dirty0124 @dirtycoder0124
Celebrating 1 year with the client. Bugcrowd is doing good but client wants to celebrate 1 year relationship with the researcher. :). This is called long term relationship. hehe
dirty0124 retweeted
Gospel @4osp3l
0xJS is an AI-powered JS security tool:
- it can identify API keys and other medium to critical severity secrets with high accuracy.
- also scans for potential security issues in JS, i.e. DOM-XSS, postMessage, URL redirect, etc.
- etc.
0xJS v4.0 (github.com/4osp3l/0xJS)
dirty0124 retweeted
Medusa @medusa_0xf
I just published a video demonstrating how a token scope misconfiguration can silently lead to privilege escalation, where a normal user login becomes an admin-capable session due to improper scope validation. youtu.be/Shv84wdyqlg?si…
dirty0124 retweeted
Shakquraa | Cybersecurity @shakquraa
🐞If you hunt modern web apps, this guide is worth your time. A deep dive into Next.js security testing covering real attack surfaces — SSRF, XSS, CSTI/SSTI, cache issues, data leaks, and more — with a mindset tailored for bug hunters and pentesters. Frameworks evolve fast, and so do their flaws. Understanding how Next.js handles rendering, routing, APIs, and caching can open doors to impactful findings. Great work by @daoud_youssef — definitely adding this to my testing workflow. 🔥deepstrike.io/blog/nextjs-se… #BugBounty #AppSec #WebSecurity #Pentesting #NextJS #CyberSecurity #SecurityResearch
dirty0124 retweeted
Kaostyl @kaostyl
Claude Code costs $17/month and runs out in 2-4 tasks. The $200/month plan? That's rent money. Here's how I vibe code for FREE with generous limits. Every method is legal and working right now:

The thing most people don't understand

Claude Code is just a terminal agent. The intelligence comes from the model behind it. And comparable models exist — for free. What you actually need: an open-source agent + a free hosted model. That's it.

Method 1: Aider + Nvidia (the best one)

Aider is an open-source terminal agent that does exactly what Claude Code does. 30K+ GitHub stars, 15B tokens/week processed, built by Paul Gauthier. This isn't some random weekend project.

Setup in 3 steps:
1. Install UV: curl -LsSf astral.sh/uv/install.sh | sh
2. Install Aider: uv tool install aider-chat
3. Go to build.nvidia.com → pick a model (Kimi K2.5 or DeepSeek R1 recommended) → generate a free API key

Export the key, run Aider with the Nvidia model, and you have a Claude Code clone. Free. 40 requests/minute, no monthly quota. It initializes Git repos, builds full apps, maps your entire codebase, auto-commits with sensible messages — everything. I've been using this daily for side projects. The quality gap with Claude? Smaller than you think.

Method 2: Hackathon credits (up to $100K)

Cerebral Valley hackathon gives up to 100,000 Claude Code credits. Not a typo. Anthropic runs these regularly. Sign up, participate, walk away with months of free usage. Even if you don't win, sponsors hand out API credits like candy.

Method 3: Alternative platforms

• OpenHands — fully open-source coding agent
• OpenCode — solid Claude Code alternative
• Cursor free tier — not terminal-based, but decent for assisted coding in VS Code
• Copilot free tier — 2000 completions/month on GitHub

Aider remains my go-to for the closest Claude Code experience.

⚠️ The security warning nobody gives you

These models run on third-party servers. NEVER feed them:
• SSH keys
• API tokens
• .env files
• Production credentials

For personal projects and learning? Perfect. For production with secrets? Stay on paid solutions. This isn't paranoia. A Firebase misconfiguration just leaked 300M conversations from an AI chat app this week. Free doesn't mean careless.

My actual setup

• Daily coding: Aider + free Nvidia models (95% of my work)
• Critical production: Claude Code with Opus (when I need frontier reasoning)
• The rule: if it touches real user data or credentials → paid. Everything else → free.

Monthly savings: ~$180.

The $0 vibe coding starter kit

1. Install UV + Aider (2 minutes)
2. Get free Nvidia API key (1 minute)
3. Clone a repo, run aider, start building
4. Graduate to paid only when you genuinely need it

You have zero excuses not to code with AI in 2026. The tools are free. The models are good enough. The only cost is your time learning the workflow. Stop paying rent to Anthropic for side projects. #ClaudeCode #FreeCoding #VibeCoding #AI
dirty0124 retweeted
Rimsha Bhardwaj @heyrimsha
🚨BREAKING: You can now run Claude Code for FREE. No API costs. No rate limits. 100% local on your machine. Here's how to run Claude Code locally (100% free & fully private):
dirty0124 retweeted
OffSec @offsectraining
🚨 CVE-2026-24061 - Critical Alert 🚨
A critical (CVSS 9.8) vulnerability in GNU InetUtils telnetd lets unauthenticated attackers bypass login and gain root access on affected systems. With an EPSS score ~92%, exploitation risk is extremely high.
📌 What to do:
- Patch to the latest GNU InetUtils immediately
- Disable Telnet where possible
👉 Full breakdown here: offsec.com/blog/cve-2026-…
stexz @abrarStx
world scariest moment rn
dirty0124 retweeted
Faiyaz Ahmad @thehacktivator
Seven months ago, someone watched one of my free videos, tried the technique for the first time, and ended up earning an $800 bounty — and the best part? The vulnerability wasn’t even that tricky to exploit. This honestly made my day. The issue was an authorization flaw in a web application, discovered using a simple but often-overlooked approach that I explained step by step in the video. No complex tooling, no fancy bypasses — just clear thinking and understanding how access control should work versus how it actually works. What I love most about this is that the person was a beginner. No years of experience. No elite background. Just consistency, curiosity, and the willingness to apply what they learned. That’s exactly why I keep sharing these techniques for free. If one video can help someone gain confidence, learn a real-world skill, and even earn a bounty, it’s worth it. If you’re interested in learning this practical way to find authorization issues in web applications, feel free to check out the video here: youtube.com/watch?v=lGYCqW…
dirty0124 retweeted
A00N @ay0ub_n0uri
Here is how chaining a self‑XSS with an HTML email injection resulted in account takeover blog.ayoubnouri.me/blog/when-self…
dirty0124 retweeted
YS @YShahinzadeh
It's not difficult, as many of you may already know:
javascript%0a:alert(origin) //403
javascript%0a:\u0061lert(origin) //XSS
So the point is, do not skip XSS on React websites, just start digging JS files to find a hidden input, trace it down to the sink and fire your payload!
dirty0124 retweeted
X @TheMsterDoctor1
🔥 Recon is where most bounties are won.
👌 Argus is a Python-powered toolkit built for serious hunters:
• Faster intel
• Cleaner signals
• Better targets
Stop guessing. Start seeing. 🦅 github.com/jasonxtn/argus
Rodolfo Assis @RodoAssis
I'm open to #BugBounty Collab! Especially if you have a tough time bypassing a WAF, ping me. I have been working with some very good and honest people over the years and if you are like that, we will have a profitable and long lasting relationship. Let me know! 😎
dirty0124 retweeted
Het Mehta @hetmehtaa
XSSNow - The Ultimate XSS Payload Database xssnow.in