secshad0w1 @TechRubin
Cyber Security | OSCP
Gujarat, India | Joined February 2018
Tweets 266 | Followers 14 | Following 312 | Likes 143
man I was reading some articles about sqli exploitation with WAF bypass and I found this crazy good article. idk about u but I found it so impressive, professional pentesters own BB hunters, let's just say vaadata.com/blog/exploitin…
X-Forwarded-Host isn't dead. You're just testing it wrong. Try these variations that bypass WAFs ⚡ • X-Forwarded-Host: target.com, evil.com • X-Forwarded-Host: target.com:@evil.com • X-Forwarded-Host: tаrget.com (Cyrillic 'а') Double-parse vulnerabilities are everywhere.
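As an added defensive example (not from the tweet or its author): a server-side canonicaliser for a forwarded-host value that rejects each of the three shapes listed above before the value is used to build links or route requests. The allowlist ALLOWED_HOSTS is a constructed assumption.

```python
from typing import Optional

# Constructed allowlist for this example; a real deployment loads its own canonical hosts.
ALLOWED_HOSTS = {"target.com", "www.target.com"}


def canonical_host(value: Optional[str]) -> Optional[str]:
    """Return the allowlisted host a forwarded-host header resolves to, or None to reject it.

    Rejects comma-joined lists ("target.com, evil.com"), userinfo tricks
    ("target.com:@evil.com") and Unicode lookalikes ("tаrget.com" with a Cyrillic 'а').
    """
    if value is None:
        return None
    v = value.strip()
    # Refuse anything outside printable ASCII before parsing: a homoglyph hostname can
    # never match an ASCII allowlist, and rejecting early avoids surprises from later
    # IDNA or case normalisation.
    if not v.isascii() or not v.isprintable():
        return None
    # A value carrying a list separator is not a single host.
    if "," in v or " " in v:
        return None
    # A bare host:port never contains userinfo or path characters.
    if "@" in v or "/" in v or "\\" in v:
        return None
    # Split an optional port and validate it strictly as a number in range.
    host, sep, port = v.partition(":")
    if sep and (not port.isdigit() or not 1 <= int(port) <= 65535):
        return None
    host = host.lower().rstrip(".")
    return host if host in ALLOWED_HOSTS else None
```

Anything that returns None should be dropped in favour of the server's own configured hostname, never echoed back into a password-reset or redirect link.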
WAF bypass techniques to achieve IDOR New short course out too youtu.be/X3Wu5_GcEY0 #bugbounty
Success in bug bounty requires immense discipline. If you can overcome the distractions and focus hard enough, train hard enough, commit hard enough to find success, you can do anything you put your mind to.
Top 100 bug bounty tips:
• Always diff JavaScript files – new endpoints hide in subtle variable or function additions.
• Search for prototype pollution sinks – especially merge, extend, cloneDeep, or custom deep merge logic.
• Inject Unicode homoglyphs to bypass naive blacklist filters.
• Force-desync with TE.CL payloads to reveal hidden internal routing.
• Fuzz for HTTP/2 anomalies – many servers improperly downgrade to HTTP/1.1.
• Brute-force hidden GraphQL fields using __schema misconfigurations.
• Inject 2nd-order SQL payloads into logs, exports, or analytics fields.
• Use non-ASCII whitespace to bypass WAF regex patterns.
• Probe for /api/v1/export?format= endpoints for RCE via unsafe CSV/Excel exports.
• Check forgotten CRON endpoints – they often require only a timestamp parameter.
• Look for internal-only S3 buckets exposed via presigned URL misconfigs.
• Send invalid JWT algorithms such as alg:none or forged RS256→HS256 key swaps.
• Exploit file upload “mime-only” validation using polyglot payloads.
• Use X-Original-URL and X-Rewrite-URL headers to bypass path-based ACL rules.
• Abuse cache poisoning by injecting %2F, %2e, %2F%2e normalizations.
• Check for dangling DNS → S3 / Azure / Heroku subdomain takeovers.
• Smuggle hidden parameters using ;param=value between path segments.
• Test for PDF-based XSS through annotation JavaScript or embedded Launch actions.
• Look for weak Origin validation (e.g., *.evil.com matches reallyevil.com).
• Replay expired password-reset tokens—many APIs fail to invalidate old ones server-side.
• Inject caching keys with emojis – many CDNs normalize inconsistently.
• Perform race attacks using 200–500 parallel requests to bypass inventory or money checks.
• Exploit weak UUIDv4 assumptions – some apps use predictable UUIDv1 timestamps.
• Test GraphQL batching abuse to bypass rate limits.
• Look for misconfigured gRPC endpoints reachable via plaintext HTTP/2.
• Leverage IDOR in PUT/PATCH methods — often forgotten in access checks.
• Search JS bundles for Sentry DSNs, then check for exposed error logs with PII.
• Check WebSockets for hidden actions using custom opcodes or internal events.
• Use JSON smuggling (true, [], "") via Content-Type: application/json; charset=x variants.
• Try HTTP parameter pollution in both body + query simultaneously.
• Use intentional UTF-7 mis-detection to force XSS in ancient parsers.
• Tamper with encryption padding to detect padding-oracle leaks.
• Try null-byte injection in emails to override routing or create aliases.
• Search for admin-only HTTP verbs like SEARCH, COPY, PROPFIND.
• Check for timing attacks on password checks using high-precision RTT measurements.
• Use CRLF injection to poison logs → chained into 2nd-order exploits.
• Try OAuth PKCE downgrade attacks by forcing code_challenge_method=plain.
• Check API diff between mobile and web clients – mobile often has more privileges.
• Upload GIF polyglots as SVG to bypass extension checks.
• Attempt XXE via DOCX/PPTX – they’re just ZIPs containing XML.
• Bruteforce 6-digit TOTP backup codes when rate limiting is only on the UI.
• Check password reset flows for multi-step state confusion.
• Abuse template engines like Twig/Jinja2 via SSTI markers {{7*7}}.
• Replay OAuth id_tokens across subdomains. Many trust them blindly.
• Abuse Flask debug cookies leaked via JS or logs.
• Force XML parsers into Billion Laughs to detect XXE-lite behaviors.
• Check for unsafe YAML parsers enabling object deserialization.
• Search Burp history for hidden verbs (OPTIONS reveals CORS secrets).
• Abuse default Kubernetes endpoints if the company exposes dev clusters.
• Check CSR generation endpoints for key-injection.
• Use browser quirks: Safari’s weird handling of application/x-www-form-urlencoded.
• Try serving JS with mixed encodings to bypass CSP.
• Fingerprint backend tech with subtle error messages via malformed JSON.
• Test storage bucket CORS policies – many allow * on Authorization.
• Fuzz chunked encoding boundaries for request smuggling.
• Check if password reset tokens work cross-site (web ↔ mobile).
• Probe WAF for bypasses using %c1%9c UTF-8 overlong sequences.
• Modify JS prototype chains at runtime to change server-validated fields.
• Test for CSP nonce reuse – reused nonces = instant script injection.
• Use HEAD requests on internal endpoints to leak metadata.
• Abuse internal message queues (RabbitMQ/Kafka) if reachable over HTTP bridges.
• Try DNS rebinding on dev or staging panels.
• Check image processing libs for RCE via EXIF.
• Test X-Forwarded-Host manipulation for password-reset link poisoning.
• Look for insecure MD5 hashes in signatures.
• Check for WebView bridge injection in mobile apps.
• Attempt double-JSON wrappers ({"data":"{\"a\":1}"}) to access undocumented parsing.
• Look for SSRF via IPv6 literals ([::], [::1], IPv6 short forms).
• Check for open firebase / firestore DBs in mobile apps.
• Try serving malicious .wasm files to bypass client-side filters.
• Look for regex DoS on user-supplied fields.
• Fuzz XXE via SVG upload even when images are "sanitized."
• Try HTTP downgrade attacks via Upgrade-Insecure-Requests header tampering.
• Use 0 or null values in request bodies to break logic.
• Abuse URL parsing inconsistencies (@, #, ?, ;).
• Look for unsafe server-side PDF generation → template injection.
• Try "shadow" parameter names using user[0], user[], user (space).
• Fuzz ETags for cache key manipulation.
• Exploit SMTP header injection via contact forms.
• Use binary payloads to find parsers expecting JSON by mistake.
• Check whether backups leak via /~user home directories.
• Test GraphQL depth/limit abuse for DoS.
• Use browser polyglots HTML/SVG/MathML for XSS bypasses.
• Bruteforce short-lived JWTs when entropy is low or non-random.
• Test for user enumeration via subtle timing differences.
• Check for legacy API versions still accepting privileged calls.
• Try TRACE requests to leak headers and session cookies.
• Test WebSocket compression (permessage-deflate) for CRIME-style leaks.
• Inspect Android manifest for exported activities that leak auth tokens.
• Look for CRLF in redirect URLs for header injection.
• Fuzz HTML sanitizers for attribute mutations ().
• Exploit protobuf message fields by adding unexpected nested elements.
• Bypass filters with malformed XML entities (&;lt;).
• Bruteforce hidden localStorage flags shielding beta features.
• Test for insecure direct SQL queries via BI/analytics dashboards.
• Use timing-based probing on server-side crypto.
• Look for admin panels under /v2/internal/ or /v1beta/admin.
• Fuzz for unsafe SSRF via Gopher/FTP schemes.
• Try poisoning DNS resolvers via malicious NS record responses.
• Always inspect every binary file — firmware, WASM, mobile libs hide gold.
New bug bounty resource 🚀 The Cache Poisoning Bible - Part 1: Advanced Fundamentals Everything I wish I knew when I started: • Cache key architectures • CDN comparison guide • Advanced detection methods • Real-world patterns medium.com/@Aacle/the-cac…
A few months ago, I began studying bug bounties extensively. I've made my list public, and you can submit links to help expand it! docs.google.com/spreadsheets/d…
Find the full article here ⤵️ yeswehack.com/learn-bug-boun…
Use NextJS? Recon ✨ A quick way to find "all" paths for Next.js websites: DevTools->Console console.log(__BUILD_MANIFEST.sortedPages) javascript:console.log(__BUILD_MANIFEST.sortedPages.join('\n')); Cred = linkedin.com/in/0xsojalsec?… #infosec #cybersec #bugbountytips
@malekmesdour Fantastic write-up! I gained so much insight from this!
A fun NoSQL vuln that caused DOS: I sent a PUT request of {"field":"last_name","value":{"$ne":null}} which persisted and crashed the Teams/Admin UI for all users within the organization LOL #bugbounty #infosec Normal request body was: {"field":"last_name","value":"mason"} Changed it to: {"field":"last_name","value":{"$ne":null}} which caused the backend to store an object instead of a string, so downstream code that expected last_name to be a string crashed the Teams/Admin UI org-wide.
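As an added defensive example (not from the tweet or its author): the server-side validation that would have stopped the update above from being persisted. The PROFILE_FIELDS schema and the field names are constructed assumptions; the point is that a value is checked for both operator keys and its expected scalar type before it reaches the datastore.

```python
from typing import Any

# Constructed schema for this example: the profile fields a PUT may update and the
# scalar type each must hold. Not taken from any real application.
PROFILE_FIELDS = {"first_name": str, "last_name": str, "age": int}


class ValidationError(ValueError):
    """Raised when an update body must not reach the datastore."""


def contains_operator(value: Any) -> bool:
    """True if a value, at any depth, carries a MongoDB-style operator key such as "$ne"."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def validate_update(body: Any) -> dict:
    """Validate a {"field": ..., "value": ...} update before it is persisted.

    Returns the cleaned update or raises ValidationError. The type check is what stops
    the bug above: an object like {"$ne": None} is never stored into a field that the
    rest of the application reads back as a string.
    """
    if not isinstance(body, dict) or set(body) != {"field", "value"}:
        raise ValidationError("body must contain exactly 'field' and 'value'")
    field, value = body["field"], body["value"]
    expected = PROFILE_FIELDS.get(field) if isinstance(field, str) else None
    if expected is None:
        raise ValidationError(f"unknown field {field!r}")
    if contains_operator(value):
        raise ValidationError("operator objects are not allowed in values")
    # bool is a subclass of int, so refuse True/False for integer fields explicitly.
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        raise ValidationError(f"{field} must be of type {expected.__name__}")
    if expected is str and not 0 < len(value) <= 256:
        raise ValidationError(f"{field} length out of range")
    return {"field": field, "value": value}


def is_rejected(body: Any) -> bool:
    """True if validate_update refuses the body (handy for tests and logging)."""
    try:
        validate_update(body)
    except ValidationError:
        return True
    return False
```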
2015: - Clash of Clans - Subway Surfers - Pokémon - Shadow fight 2 2019: - PUBG - Minecraft - Fortnite - GTA V 2025: - X - GitHub - VS Code - ChatGPT - Cursor
Tip: When testing, try injecting a null byte (\u0000) into unexpected parameters. You never know how the backend will handle it — sometimes a small injection can completely break features like the invitation system. #BugBounty #BugBountytips #Hacking #Cybersecurity
Have you checked out @hadriansecurity's subwiz? It's a recon tool that uses ML to predict and resolve subdomains👇
New Hackyx Version 🚀🚀 hackyx.io - AI Search Mode - New dashboard to manage content - Automatically fetch new write-ups, bug reports and articles - RSS feed crawler - A queue system to handle jobs - Content with embeddings for better search - Filtered content to avoid garbage articles More to come soon, stay tuned
This email domain confusion technique from @garethheyes is so cool! Some really weird behavior can be found between different mail agents and the right characters/symbols 🤔
Sometimes you can control the href value in HTML tag<a>. So it's a good place for XSS payload! We've created a scheme how to use various encodings in href to bypass filters. gist.github.com/hackerscrolls/… @XssPayloads #BugBountyTip #Bypass
I'm thrilled to finally share my research on HTML parsing and DOMPurify at @grehack 2024 📜 The research article is available here: mizu.re/post/exploring… The slides are available here: slides.com/kevin-mizu/gre… 1/3