Brut Security
Queries: @wtf_brut
🛃WhatsApp: wa.link/brutsecurity
🈴Training: brutsec.com
📨E-mail: [email protected]
To detect Credit & Debit Card Number Leakage use this Nuclei Template - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/miscellaneous/credit-card-number-detect.yaml
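As an added defender-side example (not the Nuclei template's code and not part of the original post), this Python script shows the kind of check such a template performs: find digit runs of card-number length in an HTTP response body, confirm them with the Luhn checksum to cut false positives, and report them masked so the finding itself does not re-leak the number. The regex and the sample response body are constructed for this example.

```python
import re

# Constructed candidate pattern: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run (skips timestamps and IDs).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list[str]:
    """Return digit-only card numbers in body that pass Luhn, in order of appearance."""
    hits = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so a finding can be triaged without re-leaking it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample response body: one Luhn-valid test number, one that fails the
# checksum, plus a 10-digit order id and a 20-digit reference that must not match.
SAMPLE_RESPONSE = """{
  "order": 1029384756,
  "customer": "A. Example",
  "card": "4111 1111 1111 1111",
  "backup_card": "4111-1111-1111-1112",
  "ref": "20240101123456789012"
}"""


def scan_response(body: str) -> list[str]:
    """Masked findings for a response body; a non-empty list means possible card leakage."""
    return [mask(pan) for pan in find_card_numbers(body)]


if __name__ == "__main__":
    for finding in scan_response(SAMPLE_RESPONSE):
        print("possible card number in response:", finding)
```

The Luhn step is what separates a real detection from noise: the 16-digit value ending in 2 has the right shape but fails the checksum and is dropped, while the 20-digit reference never matches at all because the pattern refuses digit runs longer than 19.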
Hey Hunters,
DarkShadow here back again, just dropping a unique XSS method which executes in a response header.

XSS in Facebook Response header💥

Tip: Always check XSS in redirection parameters.


Show your love, guys ❤️🔥

#bugbountytips #xss
Hey Hunters,
DarkShadow here back again, just dropping a unique method to bypass a WAF for XSS 🔥

WAF blocked:
javascript:alert()

WAF welcomes:
javascript:new Functiondocument.body.style.background="red"

✔️ If the WAF blocks additional functions, then try changing the background color💥


#bugbountytips #xss
Shodan.io $5 Lifetime Membership sale is live for the next 24 hours: account.shodan.io/billing/member

Go Grab it Now
Guys, DarkShadow here 🙂
Tools: manual testing!
by DarkShadow
Hunters, DarkShadow here!

One liner for finding files

subfinder -d domain.com -silent | while read -r host; do
  for path in /config.js /config.json /app/config.js /settings.json /database.json /firebase.json /.env /.env.production /api_keys.json /credentials.json /secrets.json /google-services.json /package.json /package-lock.json /composer.json /pom.xml /docker-compose.yml /manifest.json /service-worker.js; do
    echo "$host$path"
  done
done | httpx -mc 200


#bugbountytips
Hunters, the vulnerability was SSRF leading to AWS cloud access.

And the effects:

IITE – Institute of Information Technology & Education: Access to confidential student information, assessment data, and internal records.

MUHS – Maharashtra University of Health Sciences: Exposure of examination content, student records, and academic documents.

GSEB – Gujarat Secondary & Higher Secondary Education Board: Exposure of sensitive student records, exam papers, hall tickets, and related educational data.

RGUHS – Rajiv Gandhi University of Health Sciences: Access to examination papers, student records, and other confidential academic information.

I have a video PoC. Wanna see how I was able to exploit this bug!?


And don't forget to follow me 👉🏼 x.com/darkshadow2bd


#ssrf
If you are new, don't think the pros came by their position easily.

Finding a valid bug is not about how many tools you have or know; remember, knowledge does.

There is no shortcut, no guidelines.
If you are able to do it yourself, you are able to gain experience.

~DarkShadow
Hey Hunters,
DarkShadow here back again, just look at this one crazy boolean SQLi.

Tip: never forget to test boolean SQLi, even if it is a .json file parameter.


Sometimes .json files load SQLi too. So it's not necessarily only PHP file parameters we hunt.

#sqli #bugbountytips
Google Dorks - Cloud Storage:

site:s3.amazonaws.com "target[.]com"
site:blob.core.windows.net "target[.]com"
site:googleapis.com "target[.]com"
site:drive.google.com "target[.]com"

👉Find buckets and sensitive data.

Combine:

site:s3.amazonaws.com | site:blob.core.windows.net | site:googleapis.com | site:drive.google.com "target[.]com"

Add something to narrow the results: "confidential" "privileged" "not for public release"

Credit- Mike Takahashi

#recon #bugbountytips #infosec #seo #dork
Bug Bounty Tips - Asset Discovery

1. Expand Your Scope: Hunt Beyond the Obvious

Check if the target has acquired any other brands or services. Tools like Crunchbase, Google, or even Wikipedia can reveal mergers or new wings that broaden your attack surface. Don’t just assume static assets—verify recent acquisitions are still valid.

2. Map the Network with ASN Enumeration

Find the Autonomous System numbers tied to an organization—they reveal IP ranges and network structure. Start manually with Hurricane Electric’s BGP Toolkit or regional registries like APNIC, ARIN, RIPE, etc. Then use OWASP Amass’s intel module to automate discovery of domains related to those ASNs or the organization itself:

amass intel -org <org-name>
amass intel -asn <asn>



3. Dig with Reverse WHOIS

Reverse WHOIS tools let you find other domains owned by the same entity using organization trademarks or contact info. Try services like Whoxy, ReverseWhois.io, DomainEye, or domainIQ. For automation, use DomLink or Whoxy API scripts to recursively map domains.

4. Track Shared IDs & Marketing Tags

Companies often sprinkle identical tracking codes across platforms—think Google Analytics or AdSense. Tools like BuiltWith, PublicWWW, or SpyOnWeb can help you trace those tags to uncover linked apps or unpublished properties.

5. Go Old-School with Google Dorking

Sometimes the simplest queries yield gems. Scan for snippets of copyright texts, legal boilerplates, or policy language spread across subdomains. Example:

"© 2025 YourCompanyName" -site:*.example.com inurl:privacy

You can adapt this with operators for Bing or DuckDuckGo, too.

6. Hunt Devices with Shodan

Shodan isn’t just for IoT—it’ll show you all internet-exposed assets related to the target’s org or domain. Try filters like:

org:<organization-name>
hostname:<domain>


You might find forgotten services, management dashboards, or exposed endpoints that go under the radar.
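As an added example (not part of the original post and not amass's own code), this Python script shows what to do with the ranges that ASN enumeration turns up: reconcile discovered hosts against the prefixes an organisation announces, flag hosts that fall outside them (third-party hosting, stale DNS, or a mis-attributed asset that should be confirmed before it is treated as in scope), and list announced prefixes where discovery found nothing. The prefixes and hostnames are constructed sample data built from documentation ranges, not a real organisation's allocations.

```python
import ipaddress

# Constructed sample: prefixes an ASN lookup (BGP toolkit, amass intel -asn) might
# report for an organisation. Documentation ranges only, not real allocations.
ANNOUNCED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48"]

# Constructed sample: hostnames and the addresses they resolved to during discovery.
DISCOVERED_HOSTS = {
    "www.example.test": "203.0.113.10",
    "api.example.test": "2001:db8:10::5",
    "mail.example.test": "198.51.100.200",  # .128-.255 is outside the announced /25
    "cdn.example.test": "192.0.2.44",       # not announced by the org at all
}


def build_networks(prefixes):
    """Parse prefix strings into network objects; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def classify_hosts(hosts, prefixes):
    """Map each hostname to the announced prefix containing its address, or None."""
    nets = build_networks(prefixes)
    result = {}
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        result[name] = next(
            (str(n) for n in nets if n.version == ip.version and ip in n), None
        )
    return result


def out_of_range_hosts(hosts, prefixes):
    """Hosts whose address is in no announced prefix: check attribution before
    treating them as in scope (third-party hosting, stale DNS, or a lookup error)."""
    return sorted(
        name for name, net in classify_hosts(hosts, prefixes).items() if net is None
    )


def unused_prefixes(hosts, prefixes):
    """Announced prefixes where discovery found no host: space the inventory misses."""
    used = {net for net in classify_hosts(hosts, prefixes).values() if net}
    return [str(n) for n in build_networks(prefixes) if str(n) not in used]


if __name__ == "__main__":
    for name, net in classify_hosts(DISCOVERED_HOSTS, ANNOUNCED_PREFIXES).items():
        print(f"{name:20} -> {net or 'NOT IN ANNOUNCED SPACE'}")
    print("out of range:", out_of_range_hosts(DISCOVERED_HOSTS, ANNOUNCED_PREFIXES))
    print("unused prefixes:", unused_prefixes(DISCOVERED_HOSTS, ANNOUNCED_PREFIXES))
```

Feed it the real prefix list from the BGP toolkit or amass output and the resolved hosts from subdomain enumeration; the two lists it returns are the ones worth a second look, since both are where scope mistakes and forgotten assets hide.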
Don't forget to give reactions