✎ The perils of the “real” client IP & X-Forwarded-For Header

You've probably seen headers like these in common 403-bypass wordlists (e.g., my gist):

X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Client-IP: 127.0.0.1

…and hundreds of similar variations (with 127.0.0.1, localhost, 192.168.1.1, internal IPs, etc.), but have you ever stopped to wonder why they sometimes actually work to bypass IP-based restrictions, rate limits, or 403/401 responses?

The answer lies in how unreliable and inconsistent the handling of "real client IP" headers is when a web application sits behind a reverse proxy (whether that’s a CDN like Cloudflare, an AWS ALB, a simple Nginx instance, etc.). It’s quite challenging for developers, because there’s no universal, standardized way for proxies to convey the original visitor’s IP to the backend and even less consensus on how the backend should parse and trust that information.

As a result, developers often rely on headers like X-Forwarded-For, X-Real-IP, or True-Client-IP to detect a visitor’s “real” IP address. But many frameworks use fragile logic especially the common pattern of trusting the left-most value in X-Forwarded-For. This is dangerous because the left-most entry is fully controlled by the client.

Cloudflare, AWS ALB, and many other proxies append the real IP to the header instead of overwriting it. So an attacker can send:

X-Forwarded-For: 127.0.0.1

and it becomes:

127.0.0.1, <real attacker IP>

Many libraries (like go-chi/httprate in Go) will mistakenly trust that spoofed first value. The app then believes the user is localhost or a trusted internal IP and may skip rate limits, authentication checks, or internal-only protections entirely.

This is not rare! dozens of frameworks and servers (Express, Jetty, IIS, Go libs, etc.) use inconsistent or insecure parsing strategies. The root problem: trusting client-controlled forwarding headers without restricting which proxies are allowed to set them.

• I summarized the blog, but I highly recommend reading the full article here: Article

#bugbounty #recon #HTTP #bypass
© t.iss.one/BugBounty_Diary

✎ rep+ - a lightweight HTTP Repeater inside Chrome DevTools

Finally, someone created a clean, native way to send requests without leaving the debugging context or having to install certificates and set up proxies. It even has built-in AI for explanations and attack ideas!

• Repository: Github

#bugbounty #recon #HTTP
© t.iss.one/BugBounty_Diary

✎ Useful Browser Extensions for Bug Bounty Hunters (New Update) - I categorized them by browser compatibility, but some of them are available on both.

• Firefox

➤ Link Gopher
➤ Adblock Plus
➤ FoxyProxy Standard
➤ Video Speed Controller
➤ Check XSS
➤ HackTools
➤ Bulk URL Opener
➤ Temp Mail
➤ JS Beautify CSS HTML
➤ Multi-Account Containers

• Chrome

➤ TruffleHog
➤ Code Formatter
➤ Freedium Extension
➤ BuiltWith
➤ Wappalyzer
➤ WhatRuns
➤ Retire.js
➤ Cookie Extractor
➤ Wayback Machine
➤ EXIF Data Viwer
➤ Shodan
➤ S3 Bucket List
➤ Ublock Origin
➤ Resources Saver
➤ Dot Git
➤ EndPointer
➤ FindSomething
➤ Gecko
➤ rep+

#bugbounty #Extension #Browser
© t.iss.one/BugBounty_Diary

Just received a $4,000 bounty for multiple one-click account takeovers.

The scenarios were really interesting and educational, especially the OAuth bugs I discovered in a very popular company.

A full write-up will be published next week on my Hashnode. Stay tuned♥️

Follow me on Hashnode:
https://hashnode.com/@mirzadzare

✎ Common Rate Limit Bypass Techniques

IP Spoofing
Altering a request’s source IP to appear from another device, and rotating IPs lets an attacker bypass per-IP limits. You can use the following Burp Extensions for IP Spoofing:

• BurpFakeIP: GitHub
• IP-Rotate: GitHub

Changing User-Agent
Rate-limit systems often track the User-Agent header; changing or randomizing it makes requests appear from different clients, and attackers may brute-force the User-Agent field (e.g., with tools like Burp Suite Intruder).

Header Manipulation
Header manipulation alters HTTP headers (e.g., X-Forwarded-For, X-Real-IP) to trick servers — bypassing IP restrictions, evading rate limits, or hiding the real IP from logs and filters.

• Common Headers by 🕷Spix0r

Requesting with Different HTTP Methods
Some rate-limiters monitor only certain HTTP methods (e.g., GET/POST); attackers may bypass them by sending requests with other methods (PUT, DELETE, OPTIONS) and testing alternatives (e.g., with Burp Suite Repeater).

• HTTP request methods

Parameter Name Variation
Some backends accept alternate parameter names and still process requests, enabling attackers to bypass input filters, WAFs, or login restrictions.

username=admin&password=1234
user=admin&pass=1234
uname=admin&pwd=1234
login=admin&passwd=1234
u=admin&p=1234
email=admin&key=1234
id=admin&token=1234

Encoding Tricks
Encoding represents characters in different formats; attackers use encoding to obfuscate payloads and bypass input filters, WAFs, or validation rules.

user=admin%20        # space after admin
user=admin%00        # null byte injection
user=%61%64%6d%69%6e # 'admin' in hex
user=ad%6Din  # only 'm' is encoded
user=%2561%2564%256d%2569%256e  # double-encoded 'admin'

Case Sensitivity and Font Tricks
Case or character-variant changes in strings (emails, usernames, paths) can let attackers bypass security checks or exploit improper validation.

Email: [email protected]  # Mixed case
Email: [email protected]   # Lowercase
Email: [email protected]   # Uppercase

Using Look-Alike Characters

Email: [email protected]   # '3' instead of 'e'
Email: t@[email protected]   # Replacing 'l' with 'I' or vice versa

Blank Characters
Inserting spaces, null bytes, or invisible characters (e.g., TAB, CRLF) can bypass filters, break input validation, or exploit server input handling.

email=" [email protected] "  # Adding spaces at the beginning and end
[email protected]%20  # Adding a space encoded as %20
[email protected]%E2%80%8B  # Injecting a zero-width space
[email protected]%09  # Tab character
[email protected]%0A  # Newline character

#bugbounty #ratelimit
© t.iss.one/BugBounty_Diary

While hunting for vulnerabilities, I always wondered why developers can’t write even simple code safely. Why don’t they follow best practices before coding? Why are they still not sanitizing user inputs properly? Why, why, why…

But when I started writing a full-stack blog for myself called !safe-blog, I realized secure coding is not as easy as I thought. It’s actually very challenging even for a bug bounty hunter. The hunter becomes the hunted!

Sometimes, as a developer, you do everything right: you follow all the security checklists and best practices. But bugs still appear. Maybe from weird interactions between parts of the code, or from one small moment of “I’ll just test this quickly and forget to undo it later.” One tired evening is enough. So yes, you can never be 100% sure your code is completely safe.

Respect to all devs who make mistakes and give us bugs 💀🥃

I just published my first write-up on my blog:

From "Log in with OAuth" to "Your Account Is Mine" – Desktop App Edition

This article is based on a recent OAuth vulnerability I discovered. I have requested permission to disclose the full report, but it hasn’t been approved yet. Once I get the green light, I will attach my proof of concept (PoC) and the full report.

I hope you enjoy it! ❤️‍🔥🙌

✎ Hacking Modern Web Applications - Client-Side Path Traversal (CSPT)

First of all, I highly recommend that you read this PDF if you don't know what CSPT is. To understand this vulnerability, just set up the CSPT Playground lab, which I have put in the Labs section.

Publications (blog posts, advisories, …)
• Cloudflare Image Proxy as a CSPT Gadget
• Bypassing WAFs to Exploit CSPT
• CSPT & File Upload Bypasses
• CSPT Reports & Techniques
• Automating CSPT Discovery
• Saving CSRF with CSPT
• The Power of CSPT
• Fetch Diversion
• CSTP Attacks
• CSPT → Open Redirect → XSS
• CSPT → JSONP → XSS
• CSPT → JSONP → XSS
• CSPT → XSS
• CSTP → ATO

Videos
• Navigating The Landscape Of Client-Side Request Hijacking On The Web
• CSPT vulnerability class explained
• CSPT → Exploit Cache Deseption

Labs
• CSPT Playground

#bugbounty #ratelimit #CSPT
© t.iss.one/BugBounty_Diary

✎ CVE-2025-55182 (RSC RCE) Critical Security Vulnerability in React Server Components

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

Useful Blogs
• slcyber.io
• react.dev
• amazon.com

Most reliable public detections (at this time):
• Nuclei Template
• react2shell-scanner
• Burp Extension: Active Scan++

POC
• CVE-2025-55182 - React Server Components RCE
• CVE-2025-55182 that works on Next.js 16.0.6
• CVE-2025-55182 RCE

#bugbounty #CVE #POC
© t.iss.one/BugBounty_Diary

✎ The Anatomy of Source Maps and Reconstructing Original Source Code

A source map is a .map file that links transformed code back to the original source, allowing browsers to display the original code in debuggers. For bug hunters, this is valuable because it makes reading code easier, reveals developer comments and ... .

Browsers use source maps to reconstruct original code automatically. Similarly, you can use tools like Sourcemapper to retrieve a website’s original source if the .map files are publicly accessible.

sourcemapper -output dhubsrc -url https://target.com/js/client.356c1491.js.map

 
References
• Introduction to JavaScript Source Maps
• Source maps: languages, tools
• Extracting JavaScript from Sourcemaps

#bugbounty #sourcemap #javascript
© t.iss.one/BugBounty_Diary

They patched it, I hacked it, and got rewarded again!🔥
I can't wait to write my new writeup explaining how I hacked the patched version of this bug. It will be a valuable case study.
But before I do, please read this amazing article by Adam Pritchard as a prerequisite for my writeup.

✎ Enumerating WordPress REST API Endpoints

If you're scanning a WordPress site, don’t miss exposed REST API endpoints under /wp-json. Many plugins, such as payment gateways, expose Webhooks or callback URLs (e.g., for updating WooCommerce orders). Scanning these public endpoints may expose sensitive data like PII or order details, particularly when plugins (often custom ones) lack proper authentication.

To make this easier, I’ve created a simple function that enumerates all exposed REST API endpoints. Just add the following Bash function to your ~/.zshrc or ~/.bashrc file:

function wpjson(){
    curl -s $1 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"\
    | jq -r '.routes | keys[]'
}

Usage

wpjson https://target.com/wp-json

#bugbounty #wordpress #wpjson
© t.iss.one/BugBounty_Diary

I shared this because I recently found a custom plugin endpoint in WordPress that leaked PII. I was inspired by this tweet. No matter whether you find endpoints with this script or simply add /wp-json to the end of the URL, the important thing is the methodology behind it.

✎ Extract URL Paths or Routes via Dev Tools

[...new Set([...document.querySelectorAll("a[href]")].map(a => new URL(a.href, location.href).pathname))]
.forEach(path => console.log(path));

• Save and download a .txt file with all those paths:

(() => {
    const paths = [...new Set([...document.querySelectorAll("a[href]")].map(a => new URL(a.href, location.href).pathname))];
    
    const blob = new Blob([paths.join("\n")], { type: "text/plain" });
    const a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    
    const domain = location.hostname.replace(/^www\./, ""); 
    a.download = `${domain}.txt`;
    
    document.body.appendChild(a);
    a.click();
    document.body.removeChild(a);
})();

#bugbounty #devtool #javascript
© t.iss.one/BugBounty_Diary

✎ Deobfuscate obfuscator.io, unminify, transpile, and unpack webpack/browserify, using webcrack to resemble the original source code as much as possible.

Command Line Interface

npm install -g webcrack

Examples

webcrack input.js
webcrack input.js > output.js
webcrack bundle.js -o output-dir

• Repository: Github
• Website: webcrack.netlify.app

#bugbounty #recon #javascript #deobfuscate
© t.iss.one/BugBounty_Diary

✎Grep tips for Javascript Analysis

• Extracting JavaScript Files from recursive Directories

find /path/to/your/folders -name "*.js" -exec mv {} /path/to/target/folder/ \;

• Searching for API Keys and Secrets

cat * | grep -rE "apikey|api_key|secret|token|password|auth|key|pass|user"

• Detecting Dangerous Function Calls

cat * | grep -rE "eval|document\.write|innerHTML|setTimeout|setInterval|Function"

• Checking for URL Manipulation

cat * | grep -rE "location\.href|location\.replace|location\.assign|window\.open"

• Searching for Cross-Origin Requests

cat * | grep -rE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files

• Analyzing postMessage Usage

cat * | grep -r "postMessage"

• Finding Hardcoded URLs or Endpoints

cat * | grep -rE "https?://|www\."

• Locating Debugging Information

cat * | grep -rE "console\.log|debugger|alert|console\.dir"

• Investigating User Input Handling

cat * | grep -rE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms"

#bugbounty #recon #javascript
© t.iss.one/BugBounty_Diary

Just wanted to inform you that Writeup-Miner is now live on @Daily_Writeups.

Join if you want the latest Bug Bounty and Cybersecurity write-ups. 

Thank you all ♥️🙌

✎ Cloud Security One Liners

• AWS S3 Bucket Finder

cat urls.txt | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com" | anew s3_buckets.txt
cat urls.txt | grep -oE "s3://[a-zA-Z0-9.-]+" | anew s3_buckets.txt

• S3 Permission Check

cat s3_buckets.txt | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request 2>/dev/null && echo "OPEN: @"'

• Firebase Database

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.firebaseio\.com" | xargs -I@ curl -s @/.json | grep -v "null"

• Azure Blob Storage

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.blob\.core\.windows\.net" | anew azure_blobs.txt

• GCP Storage

cat urls.txt | grep -oE "storage\.googleapis\.com/[a-zA-Z0-9-]+" | anew gcp_buckets.txt

• AWS Metadata SSRF

cat urls.txt | gf ssrf | qsreplace "https://169.254.169.254/latest/meta-data/iam/security-credentials/" | httpx -silent -ms "AccessKeyId"

• Cloud Credential Files

cat alive.txt | httpx -silent -path /.aws/credentials,/.docker/config.json,/kubeconfig -mc 200 | anew cloud_creds.txt

#bugbounty #recon #cloud
© t.iss.one/BugBounty_Diary

Hey dear subscribers,

This channel has been inactive for one week because Iran's government shut down the entire internet, preventing us from accessing free internet as usual. I was very worried about my open reports and this channel. Starting today, I am working hard and focusing on posting more content.

Thank you all,
🕷 Spix0r