Kanon

@destro4evr @Deepaksaini7740 I use tools like FFUF and dirsearch, along with wordlists such as SecLists, selecting the appropriate wordlist based on the website’s technology

@xtkanon @Deepaksaini7740 Can u explain like what methods and tools to use to fuzz to get the hidden endpoints?

December achievements finished strong 🥰❤️ I discovered and responsibly disclosed 15 vulnerabilities, including: RCE (Remote Code Execution) 2× IDOR 2× BAC (Broken Access Control) Stored XSS 2× Reflected XSS 4× SQLI Misconfiguration Business Logic flaw Information Disclosure

@haidar_2850 I only performed fuzzing on files and parameters across the websites and found that some hidden parameters are vulnerable

@xtkanon Congratulations Any tips for sql injection please.

@tysonbenson Mostly manual testing with Burp Suite

@xtkanon What tool are you using to track?

@Deepaksaini7740 Thanks, brother❤️ Just trying fuzzing to get hidden endpoints

@xtkanon Congratulations Any tips?

CVE-2025-52664 SQL injection in Revive Adserver 6.0.0 causes potential disruption or information access when specifically crafted payloads are sent by logged in users cve.org/CVERecord?id=C…

Alhamdulillah — one of the achievements I’m most proud and happy about in 2025 🥰❤️ I discovered an SQL injection in Revive Adserver allowing low-privilege attackers full DB access. CVE-2025-52664. Official disclosure: revive-adserver.com/security/reviv… hackerone.com/reports/3395221

@yunxohang Congratulations brother

Got my first 4 digit!

They say October is the month of falling in love... For me, October is the month of falling into vulnerabilities. 💻❤️

@dominic__sr HackerOne platform

@xtkanon Which platform bro

IDOR my favorite bug New zero-click lead to full account takeover

@Monir_Ish I was trying to change the password on the main hacker account and noticed a parameter in the JSON for the hacker's email. I added a userID parameter to the request, and it worked! The victim's account email and password were changed

@xtkanon Share the story please.

Today I reported a vulnerability Information Disclosure And I got it Triaged 😁

مساء الدبلكيت علي عيونك 🚶‍♂️

@yunxohang The challenges ended 4 months ago, but the time of reporting and submitting the report was during the challenges and the bounty awarding period, not after. However, they used a stupid excuse.

@xtkanon Isn't this h1 challenge already over?

How can a program openly steal from you, then fix the vulnerability without a bounty? The answer: #togetherwehitharder #BugBounty

الحمد لله This month, I reported more than 10 vulnerabilities, including: Reflected XSS Stored XSS IDOR broken access control misconfiguration

@GERR4Y عادي حاصله معايا في SSRF وكل ما اكلمهم يقولو لسه بنراجعها استنا شوية 😂😂

يعني إي بقاله 3 شهور pending review؟! هكروان اتجننو

@Abdulluuuu عادي فوق الشهر والشهرين

@AlBoshanji No, but internal files, because the vulnerability is of medium severity.

This month 5 vulnerabilities. SSRF Stored XSS Path Traversal Bypass 401 Information Disclosure #togetherwehitharder