Mayur Thool @MayurThool

Hacking Google with A.I. for $500,000 brutecat.com/r/hacking-goog…

Datr cookie theft and AI leading to Facebook account takeover ($24,000) ysamm.com/uncategorized/… Two-click Facebook account takeover via FXAuth ($30,000) ysamm.com/uncategorized/… Self-XSS in Facebook payments flow leads to account takeovers ($62,500) ysamm.com/uncategorized/…

Alright so to end 2025 I am going to post something that people have been requesting for quite some time.. As alot know, I have made over $1 million dollars from SSRF vulnerabilities alone. #ssrftips Below I will provide some information on some of the ways that I beat the blacklists/deny lists and cashed in. Any method I post below has worked for me personally in the past. I am not claiming that any of these ways are 'my' discoveries, and in no way am I trying to claim other's work as my own. Simply answering a question that gets asked of me almost daily. #bugbounty #bugbountytips #togetherwehitharder #ittakesacrowd #hackers #hacking #NewYearsEveBountyTips So lets get into it: Encoding: Everyone knows (or should know) about the ability to encode IP addresses. What alot of people dont know is that you can combine encoding types on a single IP. SO instead of encoding the entire IP, encode single octets etc. Example: Changing the Metadata IP to: 0251.254.169.254 this octal encodes the 1st octet only, leaving the rest of the IP the same. This is the exact method that allowed for my $180,000 from the Yahoo Bug Bounty Program in Oct 2018 Redirects: Alot of SSRF vulnerable functionality will follow redirects. What many people dont consider is multiple redirects. Never stop at just one. I have found many instances where an SSRF followed all redirects, and would properly block the final redirect to the target internal service (internal ip/metadata server). DO NOT STOP AT 1 REDIRECT! Instead of a single redirect, setup a simple php redirect script that will redirect the request back to the same end point multiple times before finally sending to the target IP/host. I have had many instances in the past where the target properly checks the response of the first 1,2, 3 ....6 redirects then magically on the 7th it no longer performs any valdiation and allows you to hit the metadata. I can't explain why this happens, but its happened enough that this is one of the very first things i test for when it comes to SSRF testing. TOCTOU: This is one of my fav's because it almost always can be used to bypass the initial fixes for an SSRF vulnerability. TOCTOU stands for: Time of Check Time of Use. When you pass a url to an SSRF vuln end point, the backend will take the host of this, resolve it (if its not already an IP), check against the allow/block list, then take action. Many frameworks will not cache the DNS lookup response that happens during the initial validation phase. When they forget to do this, having a subdomain properly setup for a TOCTOU check can allow for tricking their checks to allow for hitting banned resources. How it works: Server resolves aws.dawgyg.net to 1.1.1.1 and does their checks to make sure its not a blocked IP. After passing these checks the domain is passed to the function that will actually make the call. If the server did not cache the previous response, it will then resolve the host again as part of the flow to make the request. If you have a properly setup nameserver for this attack, then the instance they make the 1st DNS call, your server quickly changes the DNS entry and points it to the target IP (Metadata/Internal), so that when it gets to the function that makes the request, it resolves the host again and makes the request. HTTP 2 vs HTTP/1.1 vs HTTP/1.0 vs HTTP/0.9 Several have had success with this in the past. And again, I am not sure why this works sometimes. But if the request is using HTTP/2 and blocks your attempt, try and change it to an older version. I have had success with each of the above at least once (most of the time on Yahoo, but others as well). Simple/more common things: dns rebinding, create a hostname on your domain pointing to localhost or an internal IP. simplify the IP. example: 127.0.0.1 is blocked, so try 127.1, or 0.0.0.0, 0 etc. Theres tons of other ways that you can get creative and do things like this. This post is just sharing some of the more fun/more unique ways that I have had success in the past. This is not ment to be an exhaustive list of things to try, and is only ment to start your brain working to come up with weird/random/fun ways to beat the black lists. If you like the information, drop a like/comment/follow and let me know which of the above you have tried in the past, or are looking forward to trying out in 2026. If you end up having success with these, let me know as well!

Just learned a very interesting trick from @0xacb’s challenge at the @Bsideslisbon CTF. If an application uses "magick convert" to modify an uploaded image, it may be possible to achieve LFI by using "text:" One of the file formats supported by ImageMagick is "text",

Because I was asked multiple times "why" and "how" I "still" find Spring Boot Actuators on bug bounty programs - I decided to write a small article. Nothing super special, no 0days, just experience of years of digging and experimenting ;) Maybe someone will find it useful.

Today, we're releasing the new Searchlight Cyber (@SLCyberSec) tools website, which allows you to use several of our open-source tools for free via a web interface. You can self-register at tools.slcyber.io (+ all our wordlists will be released there from now on!)

Sometimes, SQL injection is still possible, even when prepared statements are being used. Our researcher @hash_kitten has written up a blog post about a novel technique for SQL Injection in PDO’s prepared statements: slcyber.io/assetnote-secu…

IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue: github.com/assetnote/newt…

Exciting News: My Second Write-Up is Now Available! medium.com/@HX007/a-journ… Dive into the details of the bounty that ranks as the 3rd highest I’ve received on @Bugcrowd "A Journey of Limited Path Traversal To RCE With $40,000 Bounty!" Collaborated with @GodfatherOrwa , This Write-Up is not just informative but also a fun read. Enjoy reading and happy hunting! #BugBounty #BugBountyTip #BugBountyTips #Bugcrowd #HackerOne #SOC #CyberSecurity #infosec

@Midhunryann @Hacker0x01 Keep going ✌🏻

7 methods to find all parameters in a page's JS: url.searchParams url.searchParams.get url.searchParams.has window.location.href window.location.search history.pushState history.replaceState There are a ton more but this is a good place to start!

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus… Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code from 1996

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here -> portswigger.net/research/liste…

🔥 XSS on any website with missing charset information? 😳 Attackers may leverage the ISO-2022-JP character encoding to inject arbitrary JavaScript code into a website. Read more in our latest blog post: sonarsource.com/blog/encoding-… #appsec #security #vulnerability

⚠️"Attacking Organizations with Big Scope - from 0 to Hero" was my talk at #HitBxPhdays in Bangkok 🇹🇭. Happy to share the slides and recording with the community. 🔴 Slides: drive.google.com/file/d/1bALcKL… 🔴 Recording: youtu.be/vFk0XtHfuSg?si… Enjoy! #bugbounty #infosec #bugbountytips

🤖 Question of the day: How to set up Discord/Slack notifications for bug bounty findings? Looking to enhance your automation workflow? Ideally, you should have Discord/Slack/Telegram notifications configured for your bug bounty automation to get instant alerts on critical findings and take immediate action. Here's a step-by-step guide on setting up these notifications on Discord/Slack: 1️⃣ Go to github.com/projectdiscove… and install the tool with the following command: go install -v github[.]com/projectdiscovery/notify/cmd/notify@latest 2️⃣ Set up a configuration file using the provided example in the notify repository. Save it as $HOME/.config/notify/provider-config.yaml, and use the custom webhook URL generated from Discord/Slack for your notification channel. 3️⃣ Assuming you've created a channel named "sub-monitoring" on Discord, you can send notifications using piped (stdin) output. For example: For subfinder: subfinder -d hackerone[.]com | notify -id "sub-monitoring" You can do the same for other tools. Here's an example for nuclei: nuclei -l targets.txt -t newtemplates.yaml | notify -id "daily-monitoring" Feel free to reach out if you have any questions. #BugBountyTips #HackerOne #BugCrowd #SecurityTips #InfoSec 🐛🔍🛡️

Slides of my talk in bsidesodisha about •Build your setup for hunting Tools , Extensions , Etc… • Quick Orwa Methodology 2023 • SQL Injection • and for sure #bugbountytips docs.google.com/presentation/d… feel free to ask about anything in comment and will try explained ❤️❤️

I just published a write-up about an account takeover where I abused reverse proxy to hijack the OAuth Code. blog.voorivex.team/hijacking-oaut…

Bug Bounty Tips: 🐛🌟 Want to excel in bug bounty hunting? Don't limit yourself to one program or asset. What if I told you that monitoring new assets and programs from various sources can increase your chances of success? 🚀 Here's a valuable list of sources to track all bug bounty platforms and assets: 1️⃣ Chaos Bug Bounty List - Explore public programs and self-hosted bug bounty program assets: 🔗 github.com/projectdiscove… 2️⃣ Bug Bounty Targets Data - Access programs and assets from bugcrowd, hackerone, hackenproof, intigriti, yeswehack, and more: 🔗 github.com/arkadiyt/bount… 3️⃣ bbscope - Utilize this awesome CLI tool to collect information about private program targets using your API: 🔗 github.com/sw33tLie/bbsco… What can you do with this data? Here are some ideas: 1️⃣ Monitor these sources for new scope updates and receive notifications on Discord, Slack, or via email. 2️⃣ Establish an automated process to handle new targets, such as collecting subdomains and performing basic checks. 3️⃣ Identify interesting assets and start manual hunting to increase your chances of discovering bugs and reducing duplicates. 🕵️‍♂️ Follow these accounts for real-time scope updates: 1️⃣ h1disclosed - Twitter: 🔗 x.com/disclosedh1 - Get notifications on program launches and disclosed reports. 2️⃣ bbradar - Track all bug bounty programs at: 🔗 bbradar.io 3️⃣ inbbupdates - Twitter: 🔗 x.com/inbbupdates - Receive notifications on scope changes. This dataset offers endless possibilities. Don't miss out on this opportunity, as many are already harnessing its potential. Elevate your bug bounty game today! 💪🔒 #hackerone #bugcrowd #cybersecurity #bugbountytips #securitytips #bounty #bounties #follow #motivation 🚀💡

Thanks everyone who attended my keynote presentation at @bsidesahmedabad. I've published my slides here: drive.google.com/file/d/1aeNq_5… I hope that the keynote was informative and inspiring :)