Why isn't this channel as active as others? It's because I prefer not to repost content from other channels or Twitter accounts. Instead, I aim to create original content based on my own knowledge. Therefore, I've decided to revisit Network+, studying it chapter by chapter and summarizing my learnings on Notion for our next post.♥️
✎ Django RCE Exploit Tool
I’ve built a Python tool that exploits the #Django PickleSerializer vulnerability, enabling Remote Code Execution (#RCE) through session cookies.
1. Clone the repository:
git clone https://github.com/Spix0r/django-rce-exploit.git
cd django-rce-exploit
2. Prepare your settings.json file with the following format:
{
  "settings": [
    {
      "SECRET_KEY": "your_secret_key",
      "Sites_COOKIE": "your_cookie_value"
    }
  ]
}
3. Run the exploit:
python3 exploit.py
• Repository: Github
#bugbounty #tools #Pickle #PickleSerializer
© t.iss.one/BugBounty_Diary
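The defensive side of the same issue, as an added example written for this summary rather than code from the django-rce-exploit tool or from Django itself. The attack in the post needs two things: a session serializer that executes code on load (pickle) and the SECRET_KEY that signs the cookie. The block audits a settings dict for both, then shows a minimal HMAC-signed JSON session cookie in which verification happens before any deserialization and json.loads can never instantiate objects. The signing format is a simplified stand-in for Django's, not Django's real format, and the two settings dicts are constructed samples; the weak one mirrors the placeholder values in the post's settings.json.

```python
import base64
import hashlib
import hmac
import json
import secrets

PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
JSON_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"

# Constructed sample settings: the weak one mirrors the placeholders in the
# post's settings.json; the hardened one is what the fix looks like.
WEAK_SETTINGS = {
    "SECRET_KEY": "your_secret_key",
    "SESSION_SERIALIZER": PICKLE_SERIALIZER,
}
HARDENED_SETTINGS = {
    "SECRET_KEY": secrets.token_urlsafe(64),  # about 86 chars, generated per run
    "SESSION_SERIALIZER": JSON_SERIALIZER,
}


def audit_session_settings(settings):
    """Return one finding per condition the exploit depends on."""
    findings = []
    if settings.get("SESSION_SERIALIZER") == PICKLE_SERIALIZER:
        findings.append(
            "SESSION_SERIALIZER is PickleSerializer: anyone holding SECRET_KEY "
            "gets code execution on session load; use JSONSerializer"
        )
    key = settings.get("SECRET_KEY", "")
    # Django's deploy check (security.W009) warns below 50 characters, and
    # 'django-insecure-' is the prefix startproject puts on generated dev keys.
    if len(key) < 50 or key.startswith(("your_secret_key", "django-insecure-")):
        findings.append("SECRET_KEY is short, a placeholder, or a generated dev key; rotate it")
    return findings


def _signature(payload_b64, secret):
    return hmac.new(secret.encode(), payload_b64, hashlib.sha256).hexdigest()


def encode_session(data, secret):
    """Serialize with JSON, then sign. Simplified stand-in for Django's signed
    cookie (assumption: real Django adds a salt and timestamp, which does not
    change the point made here)."""
    payload_b64 = base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode())
    return payload_b64.decode() + ":" + _signature(payload_b64, secret)


def decode_session(cookie, secret):
    """Verify the MAC first, deserialize second. json.loads yields only dicts,
    lists, strings, numbers, booleans and None, so even a cookie that verifies
    cannot create objects the way a pickle payload would."""
    payload_b64, sep, sig = cookie.rpartition(":")
    if not sep or not hmac.compare_digest(sig, _signature(payload_b64.encode(), secret)):
        return None
    return json.loads(base64.urlsafe_b64decode(payload_b64))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_session_settings(cfg) or ["no findings"])
    key = HARDENED_SETTINGS["SECRET_KEY"]
    cookie = encode_session({"_auth_user_id": "42"}, key)
    print(decode_session(cookie, key))
    print(decode_session("x" + cookie, key))  # tampered payload: None
```

Switching the serializer turns a leaked SECRET_KEY from remote code execution into session forgery, which is still serious, so the key rotation finding matters as much as the serializer one; PickleSerializer was deprecated in Django 4.1 and removed in 5.0, so on current releases the audit's first finding can only trigger for a custom serializer.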
✎ Bypass 403 Forbidden with HTTP Headers Fuzzing
I’ve analyzed numerous tools, blogs, tweets, and other resources on bypassing #403 #Forbidden errors using HTTP Headers #Fuzzing techniques. After extensive research, I’ve compiled a list of headers you can fuzz to potentially #bypass 403 restrictions.
• HTTP Headers List: GitHub
#bugbounty #403bypass #HTTP
© t.iss.one/BugBounty_Diary
✎ Robofinder
I've developed a Python script that allows you to search for and retrieve historical robots.txt files for any given website using Archive.org. This tool is particularly useful for security researchers and web archivists to discover previously accessible paths or directories that were once listed in a site's robots.txt.
1. Clone the repository and install the required dependencies:
git clone https://github.com/Spix0r/robofinder.git
cd robofinder
pip install -r requirements.txt
2. Run the program by providing a URL with the -u flag:
python3 robofinder.py -u https://example.com
👀 Discover additional commands and options on the GitHub page (don’t forget to give it a star ⭐️)👇
• Repository: Github
#bugbounty #recon #tools #crawl
© t.iss.one/BugBounty_Diary
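What happens after the snapshots are fetched, as an added example written for this summary and not code from Robofinder: parse a robots.txt snapshot into its Allow/Disallow paths and diff an old snapshot against the current file, so a site owner can see which paths the site once advertised and no longer lists (a good candidate list to confirm are really gone). The two snapshots are constructed sample input; the two URL builders show the Wayback CDX query and the raw-snapshot URL pattern this kind of tool relies on (an assumption about Robofinder's own query), and nothing is fetched so the block runs offline.

```python
OLD_ROBOTS = """# constructed sample: snapshot from an earlier year
User-agent: *
Disallow: /admin/
Disallow: /old-api/v1/
Disallow: /backup/
Disallow: /staging/
Allow: /public/
Sitemap: https://example.com/sitemap.xml
"""

NEW_ROBOTS = """# constructed sample: the live file today
User-agent: *
Disallow: /admin/
Disallow: /api/v2/internal/
Sitemap: https://example.com/sitemap.xml
"""


def extract_paths(robots_txt):
    """Collect every Allow/Disallow path. A bare '/' is skipped because it
    blocks everything and names no specific path."""
    paths = set()
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field in ("disallow", "allow") and value and value != "/":
            paths.add(value)
    return paths


def extract_sitemaps(robots_txt):
    """Sitemap lines are absolute URLs and often point at more paths."""
    return {
        line.partition(":")[2].strip()
        for line in robots_txt.splitlines()
        if line.strip().lower().startswith("sitemap:")
    }


def diff_snapshots(old, new):
    """Paths that disappeared between two snapshots, and paths that appeared."""
    old_paths, new_paths = extract_paths(old), extract_paths(new)
    return {"dropped": sorted(old_paths - new_paths), "added": sorted(new_paths - old_paths)}


def cdx_query_url(domain):
    """Wayback CDX API query listing distinct 200-status captures of robots.txt."""
    return (
        "https://web.archive.org/cdx/search/cdx?url=" + domain + "/robots.txt"
        "&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest"
    )


def snapshot_url(domain, timestamp):
    """The 'id_' modifier returns the captured bytes without the Wayback toolbar."""
    return f"https://web.archive.org/web/{timestamp}id_/https://{domain}/robots.txt"


if __name__ == "__main__":
    print(cdx_query_url("example.com"))
    print(diff_snapshots(OLD_ROBOTS, NEW_ROBOTS))
    print(extract_sitemaps(OLD_ROBOTS))
```

Paths in the dropped list are exactly what the post calls "previously accessible paths"; from the defender's side each one is worth a direct request to confirm it returns 404 rather than a forgotten directory that was merely de-listed.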
Writeup-Miner is a Python script that fetches new articles from Medium RSS feeds and stores them in MongoDB or a simple .txt file. Plus, it sends you instant notifications through Telegram or Discord!
• Key Features:
• Scrape Medium posts via RSS feeds
• Store data in MongoDB or .txt format
• Set custom filters to refine content
• Get real-time notifications via Telegram or Discord
👀 Read the full guide on GitHub (⭐️ Don't forget to star the repo!)
#bugbounty #rss #feedparser #tools
© t.iss.one/BugBounty_Diary
✎ I've created a repository called Nuclei Community Templates
It's a collaborative hub for the best Nuclei templates shared by the security research community. Whether you're a bug bounty hunter, pentester, or cybersecurity enthusiast, you can contribute your Nuclei template repositories or find powerful templates for CVE scans, fuzzing, and more!
Contribute via PRs and help build the largest Nuclei template library. Together, we’re leveling up vulnerability detection and reconnaissance!
👀 Check it out on Github
#bugbounty #Nuclei #tools
© t.iss.one/BugBounty_Diary
✎ Hello World!
It's been a while since my last update, but I'm excited to share some great news.
I've completely rewritten FBack, moving from Python to JavaScript. Since this project hasn't been introduced here yet, let me guide you through the methodology behind it.
• Methodology
You know those static websites, especially WordPress sites, where you encounter paths like:
https://example.com/files/config.php
But you don't have access to config.php, so now what? What should you test here?
This is where FBack comes in!
Use FBack to generate target-specific wordlists and fuzz for possible backup files:
• Installation
npm install @spix0r/fback -g
• Usage
echo "https://example.com/files/config.php" | fback -y 2020-2024 -m 1-12
Example output:
config.php.bak
config_backup.php
config_2024.php
files_config.php
example_config_backup.php
Then fuzz for backup files - maybe you'll find a juicy accessible backup file!
• Repository: Github
#bugbounty #recon #tools
© t.iss.one/BugBounty_Diary
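The methodology above, turned around for the site owner, as an added example written for this summary and not FBack's own code: the generator builds target-specific backup names from the URL the way the example output suggests (stem plus suffix, tag, year or year-month, parent directory, host label), and find_exposed_backups checks those names against a listing of the directory you actually serve, so stray backups are found before someone else fuzzes for them. The naming rules are an assumption modelled on the post's five example names, the year and month defaults mirror the -y 2020-2024 -m 1-12 invocation, and SAMPLE_LISTING is a constructed directory listing.

```python
from urllib.parse import urlparse


def backup_candidates(url, years=range(2020, 2025), months=range(1, 13)):
    """Candidate backup file names derived from one URL, in a stable order."""
    parts = urlparse(url)
    host_label = (parts.hostname or "").split(".")[0]          # example
    segments = [s for s in parts.path.split("/") if s]        # ['files', 'config.php']
    if not segments:
        return []
    filename, dirs = segments[-1], segments[:-1]
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""

    def with_ext(base):
        return f"{base}.{ext}" if ext else base

    names = [filename + sfx for sfx in (".bak", ".old", ".orig", ".save", "~", ".swp", ".zip", ".tar.gz")]
    names += [with_ext(f"{stem}_{tag}") for tag in ("backup", "bak", "old", "copy")]
    for year in years:                                        # dated copies
        names.append(with_ext(f"{stem}_{year}"))
        names += [with_ext(f"{stem}_{year}{month:02d}") for month in months]
    names += [f"{d}_{filename}" for d in dirs]                # parent directory prefix
    if host_label:
        names.append(with_ext(f"{host_label}_{stem}_backup"))
    seen, ordered = set(), []
    for name in names:                                        # dedupe, keep order
        if name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def find_exposed_backups(url, listing):
    """Names from the candidate list that exist in the served directory."""
    present = set(listing)
    return [name for name in backup_candidates(url) if name in present]


# Constructed listing of /files/ on a web server, as an admin would see it.
SAMPLE_LISTING = ["config.php", "config.php.bak", "index.php", "config_202403.php", "README.md"]

if __name__ == "__main__":
    url = "https://example.com/files/config.php"
    print(len(backup_candidates(url)), "candidates")
    print(find_exposed_backups(url, SAMPLE_LISTING))
```

Wiring find_exposed_backups over os.listdir of each document-root directory gives a cheap pre-deploy check; pairing it with a web server rule that refuses to serve .bak, .old, .swp and similar suffixes closes the class rather than the instance.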
The @Hide_Club channel was banned by Telegram, and honestly, I don’t know why. I worked hard to grow Hide Club, so this has been really tough. Maybe it’s time to start fresh from here. For now, please stay alert and join me at @Spider_Crew.
Losing everything has shaken my motivation, and I’m thinking about sharing my daily reads on my X account. But please give me some time; I’m still figuring out the best way forward. Thanks so much to everyone who’s asked about the channel ❤️
I think it's time to move on from Hide Club. I will post here my daily reads and interesting cases from my bug hunting. Good luck, and please support me so we can grow together❤️
✎ The perils of the “real” client IP & X-Forwarded-For Header
You've probably seen headers like these in common 403-bypass wordlists (e.g., my gist):
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Client-IP: 127.0.0.1
…and hundreds of similar variations (with 127.0.0.1, localhost, 192.168.1.1, internal IPs, etc.), but have you ever stopped to wonder why they sometimes actually work to bypass IP-based restrictions, rate limits, or 403/401 responses?
The answer lies in how unreliable and inconsistent the handling of "real client IP" headers is when a web application sits behind a reverse proxy (whether that’s a CDN like Cloudflare, an AWS ALB, a simple Nginx instance, etc.). It’s quite challenging for developers, because there’s no universal, standardized way for proxies to convey the original visitor’s IP to the backend, and even less consensus on how the backend should parse and trust that information.
As a result, developers often rely on headers like X-Forwarded-For, X-Real-IP, or True-Client-IP to detect a visitor’s “real” IP address. But many frameworks use fragile logic, especially the common pattern of trusting the left-most value in X-Forwarded-For. This is dangerous because the left-most entry is fully controlled by the client.
Cloudflare, AWS ALB, and many other proxies append the real IP to the header instead of overwriting it. So an attacker can send:
X-Forwarded-For: 127.0.0.1
and it becomes:
127.0.0.1, <real attacker IP>
Many libraries (like go-chi/httprate in Go) will mistakenly trust that spoofed first value. The app then believes the user is localhost or a trusted internal IP and may skip rate limits, authentication checks, or internal-only protections entirely.
This is not rare: dozens of frameworks and servers (Express, Jetty, IIS, Go libs, etc.) use inconsistent or insecure parsing strategies. The root problem is trusting client-controlled forwarding headers without restricting which proxies are allowed to set them.
• I summarized the blog, but I highly recommend reading the full article here: Article
#bugbounty #recon #HTTP #bypass
© t.iss.one/BugBounty_Diary
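The two parsing strategies side by side, as an added example written for this summary and not code from the article or from any of the libraries it names: leftmost_client_ip is the fragile pattern, rightmost_untrusted_client_ip walks the chain from the right and skips only hops inside a configured proxy range, which is the fix the post's root-cause sentence points at. The trusted range 203.0.113.0/24 and the attacker address 198.51.100.77 are constructed documentation addresses, and the header value reproduces the appended form shown above.

```python
import ipaddress

# Constructed: the egress range of the CDN / load balancer in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Ranges an "internal only" allowlist typically means. Listed explicitly rather
# than via ip_address.is_private, which also covers the documentation ranges used
# as sample addresses here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _parse_xff(header):
    return [v.strip() for v in (header or "").split(",") if v.strip()]


def _in_any(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def is_internal(ip):
    """Allowlist test that the bypass headers in the post are trying to satisfy."""
    return _in_any(ip, INTERNAL_NETS) or (
        _in_any(ip, []) or False) or ipaddress.ip_address(ip).is_loopback


def leftmost_client_ip(xff, remote_addr):
    """The fragile pattern: first value wins, and the client wrote it."""
    hops = _parse_xff(xff)
    return hops[0] if hops else remote_addr


def rightmost_untrusted_client_ip(xff, remote_addr, trusted=TRUSTED_PROXIES):
    """Walk right to left over [xff..., remote_addr]; the first hop that is not a
    trusted proxy is the client. Returns None for a malformed hop, which the
    caller should treat as a request to reject rather than to allow."""
    if not _in_any(remote_addr, trusted):
        return remote_addr            # the peer is not our proxy: ignore the header entirely
    for hop in reversed(_parse_xff(xff)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    return remote_addr                # every hop was a proxy of ours; nothing spoofed gets through


if __name__ == "__main__":
    # Attacker sends "X-Forwarded-For: 127.0.0.1"; the proxy appends the real IP.
    header = "127.0.0.1, 198.51.100.77"
    peer = "203.0.113.10"             # TCP peer is the proxy itself
    for name, ip in (("left-most", leftmost_client_ip(header, peer)),
                     ("right-most untrusted", rightmost_untrusted_client_ip(header, peer))):
        print(f"{name}: {ip} -> internal allowlist passes: {is_internal(ip)}")
```

Rate limiting, login throttling and internal-only routes should all key on the second function's result; with a proxy that appends rather than overwrites, the spoofed left-most value is never reached because the genuine address always sits to its right.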