Why isn't this channel as active as others? It's because I prefer not to repost content from other channels or Twitter accounts. Instead, I aim to create original content based on my own knowledge. Therefore, I've decided to revisit Network+, studying it chapter by chapter and summarizing my learnings on Notion for our next post.♥️

✎ Django RCE Exploit Tool

I’ve built a Python tool that exploits the #Django PickleSerializer vulnerability, enabling Remote Code Execution (#RCE) through session cookies.

1. Clone the repository:

git clone https://github.com/Spix0r/django-rce-exploit.git
cd django-rce-exploit

2. Prepare your settings.json file with the following format:

{
    "settings": [
        {
            "SECRET_KEY": "your_secret_key",
            "Sites_COOKIE": "your_cookie_value"
        }
    ]
}

3. Run the exploit:

python3 exploit.py

• Repository: Github

#bugbounty #tools #Pickle #PickleSerializer
© t.iss.one/BugBounty_Diary

✎ Bypass 403 Forbidden with HTTP Headers Fuzzing

I’ve analyzed numerous tools, blogs, tweets, and other resources on bypassing #403 #Forbidden errors using HTTP Headers #Fuzzing techniques. After extensive research, I’ve compiled a list of headers you can fuzz to potentially #bypass 403 restrictions.

• HTTP Headers List: GitHub

#bugbounty #403bypass #HTTP
© t.iss.one/BugBounty_Diary

✎ Robofinder

I've developed a Python script that allows you to search for and retrieve historical robots.txt files for any given website using Archive.org. This tool is particularly useful for security researchers and web archivists to discover previously accessible paths or directories that were once listed in a site's robots.txt.

1. Clone the repository and install the required dependencies:

git clone https://github.com/Spix0r/robofinder.git
cd robofinder
pip install -r requirements.txt

2. Run the program by providing a URL with the -u flag:

python3 robofinder.py -u https://example.com

👀 Discover additional commands and options on GitHub page (don’t forget to give it a star ⭐️)👇

• Repository: Github

#bugbounty #recon #tools #crawl
© t.iss.one/BugBounty_Diary

✎ Writeup-Miner: Stay Updated with Medium Feeds & Real-Time Alerts for Security Enthusiasts and Tech Researchers!

Writeup-Miner is a Python script that fetches new articles from Medium RSS feeds and stores them in MongoDB or a simple .txt file. Plus, it sends you instant notifications through Telegram or Discord!

• Key Features:

• Scrape Medium posts via RSS feeds
• Store data in MongoDB or .txt format
• Set custom filters to refine content
• Get a real-time notifications via Telegram or Discord

👀 Read the full guide on GitHub (⭐️ Don't forget to star the repo!)

#bugbounty #rss #feedparser #tools
© t.iss.one/BugBounty_Diary

✎ I've created a repository called Nuclei Community Templates

It's a collaborative hub for the best Nuclei templates shared by the security research community. Whether you're a bug bounty hunter, pentester, or cybersecurity enthusiast, you can contribute your Nuclei template repositories or find powerful templates for CVE scans, fuzzing, and more!

Contribute via PRs and help build the largest Nuclei template library. Together, we’re leveling up vulnerability detection and reconnaissance!

👀 Check it out on Github

#bugbounty #Nuclei #tools
© t.iss.one/BugBounty_Diary

✎ Hello World!

It's been a while since my last update, but I'm excited to share some great news.
I've completely rewritten FBack, moving from Python to JavaScript. Since this project hasn't been introduced here yet, let me guide you through the methodology behind it.

• Methodology
You know those static websites, especially WordPress sites, where you encounter paths like:

https://example.com/files/config.php

But you don't have access to config.php, so now what? What should you test here?
This is where FBack comes in!
Use FBack to generate target-specific wordlists and fuzz for possible backup files:

• Installation

npm install @spix0r/fback -g

• Usage

echo "https://example.com/files/config.php" | fback -y 2020-2024 -m 1-12

Example output:

config.php.bak
config_backup.php
config_2024.php
files_config.php
example_config_backup.php

Then Fuzz for backup files - maybe you'll find a juicy accessible backup file!

• Repository: Github

#bugbounty #recon #tools
© t.iss.one/BugBounty_Diary

The @Hide_Club channel was banned by Telegram, and honestly, I don’t know why. I worked hard to grow Hide Club, so this has been really tough. Maybe it’s time to start fresh from here. For now, please stay alert and join me at @Spider_Crew.

Losing everything has shaken my motivation, and I’m thinking about sharing my daily reads on my X account. But please give me some time I’m still figuring out the best way forward. Thanks so much to everyone who’s asked about the channel ❤️

I think it's time to move on from Hide Club. I will post here my daily reads and interesting cases from my bug hunting. Good luck, and please support me so we can grow together❤️

✎ The perils of the “real” client IP & X-Forwarded-For Header

You've probably seen headers like these in common 403-bypass wordlists (e.g., my gist):

X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Client-IP: 127.0.0.1

…and hundreds of similar variations (with 127.0.0.1, localhost, 192.168.1.1, internal IPs, etc.), but have you ever stopped to wonder why they sometimes actually work to bypass IP-based restrictions, rate limits, or 403/401 responses?

The answer lies in how unreliable and inconsistent the handling of "real client IP" headers is when a web application sits behind a reverse proxy (whether that’s a CDN like Cloudflare, an AWS ALB, a simple Nginx instance, etc.). It’s quite challenging for developers, because there’s no universal, standardized way for proxies to convey the original visitor’s IP to the backend and even less consensus on how the backend should parse and trust that information.

As a result, developers often rely on headers like X-Forwarded-For, X-Real-IP, or True-Client-IP to detect a visitor’s “real” IP address. But many frameworks use fragile logic especially the common pattern of trusting the left-most value in X-Forwarded-For. This is dangerous because the left-most entry is fully controlled by the client.

Cloudflare, AWS ALB, and many other proxies append the real IP to the header instead of overwriting it. So an attacker can send:

X-Forwarded-For: 127.0.0.1

and it becomes:

127.0.0.1, <real attacker IP>

Many libraries (like go-chi/httprate in Go) will mistakenly trust that spoofed first value. The app then believes the user is localhost or a trusted internal IP and may skip rate limits, authentication checks, or internal-only protections entirely.

This is not rare! dozens of frameworks and servers (Express, Jetty, IIS, Go libs, etc.) use inconsistent or insecure parsing strategies. The root problem: trusting client-controlled forwarding headers without restricting which proxies are allowed to set them.

• I summarized the blog, but I highly recommend reading the full article here: Article

#bugbounty #recon #HTTP #bypass
© t.iss.one/BugBounty_Diary

✎ rep+ - a lightweight HTTP Repeater inside Chrome DevTools

Finally, someone created a clean, native way to send requests without leaving the debugging context or having to install certificates and set up proxies. It even has built-in AI for explanations and attack ideas!

• Repository: Github

#bugbounty #recon #HTTP
© t.iss.one/BugBounty_Diary

✎ Useful Browser Extensions for Bug Bounty Hunters (New Update) - I categorized them by browser compatibility, but some of them are available on both.

• Firefox

➤ Link Gopher
➤ Adblock Plus
➤ FoxyProxy Standard
➤ Video Speed Controller
➤ Check XSS
➤ HackTools
➤ Bulk URL Opener
➤ Temp Mail
➤ JS Beautify CSS HTML
➤ Multi-Account Containers

• Chrome

➤ TruffleHog
➤ Code Formatter
➤ Freedium Extension
➤ BuiltWith
➤ Wappalyzer
➤ WhatRuns
➤ Retire.js
➤ Cookie Extractor
➤ Wayback Machine
➤ EXIF Data Viwer
➤ Shodan
➤ S3 Bucket List
➤ Ublock Origin
➤ Resources Saver
➤ Dot Git
➤ EndPointer
➤ FindSomething
➤ Gecko
➤ rep+

#bugbounty #Extension #Browser
© t.iss.one/BugBounty_Diary

Just received a $4,000 bounty for multiple one-click account takeovers.

The scenarios were really interesting and educational, especially the OAuth bugs I discovered in a very popular company.

A full write-up will be published next week on my Hashnode. Stay tuned♥️

Follow me on Hashnode:
https://hashnode.com/@mirzadzare

✎ Common Rate Limit Bypass Techniques

IP Spoofing
Altering a request’s source IP to appear from another device, and rotating IPs lets an attacker bypass per-IP limits. You can use the following Burp Extensions for IP Spoofing:

• BurpFakeIP: GitHub
• IP-Rotate: GitHub

Changing User-Agent
Rate-limit systems often track the User-Agent header; changing or randomizing it makes requests appear from different clients, and attackers may brute-force the User-Agent field (e.g., with tools like Burp Suite Intruder).

Header Manipulation
Header manipulation alters HTTP headers (e.g., X-Forwarded-For, X-Real-IP) to trick servers — bypassing IP restrictions, evading rate limits, or hiding the real IP from logs and filters.

• Common Headers by 🕷Spix0r

Requesting with Different HTTP Methods
Some rate-limiters monitor only certain HTTP methods (e.g., GET/POST); attackers may bypass them by sending requests with other methods (PUT, DELETE, OPTIONS) and testing alternatives (e.g., with Burp Suite Repeater).

• HTTP request methods

Parameter Name Variation
Some backends accept alternate parameter names and still process requests, enabling attackers to bypass input filters, WAFs, or login restrictions.

username=admin&password=1234
user=admin&pass=1234
uname=admin&pwd=1234
login=admin&passwd=1234
u=admin&p=1234
email=admin&key=1234
id=admin&token=1234

Encoding Tricks
Encoding represents characters in different formats; attackers use encoding to obfuscate payloads and bypass input filters, WAFs, or validation rules.

user=admin%20        # space after admin
user=admin%00        # null byte injection
user=%61%64%6d%69%6e # 'admin' in hex
user=ad%6Din  # only 'm' is encoded
user=%2561%2564%256d%2569%256e  # double-encoded 'admin'

Case Sensitivity and Font Tricks
Case or character-variant changes in strings (emails, usernames, paths) can let attackers bypass security checks or exploit improper validation.

Email: [email protected]  # Mixed case
Email: [email protected]   # Lowercase
Email: [email protected]   # Uppercase

Using Look-Alike Characters

Email: [email protected]   # '3' instead of 'e'
Email: t@[email protected]   # Replacing 'l' with 'I' or vice versa

Blank Characters
Inserting spaces, null bytes, or invisible characters (e.g., TAB, CRLF) can bypass filters, break input validation, or exploit server input handling.

email=" [email protected] "  # Adding spaces at the beginning and end
[email protected]%20  # Adding a space encoded as %20
[email protected]%E2%80%8B  # Injecting a zero-width space
[email protected]%09  # Tab character
[email protected]%0A  # Newline character

#bugbounty #ratelimit
© t.iss.one/BugBounty_Diary

While hunting for vulnerabilities, I always wondered why developers can’t write even simple code safely. Why don’t they follow best practices before coding? Why are they still not sanitizing user inputs properly? Why, why, why…

But when I started writing a full-stack blog for myself called !safe-blog, I realized secure coding is not as easy as I thought. It’s actually very challenging even for a bug bounty hunter. The hunter becomes the hunted!

Sometimes, as a developer, you do everything right: you follow all the security checklists and best practices. But bugs still appear. Maybe from weird interactions between parts of the code, or from one small moment of “I’ll just test this quickly and forget to undo it later.” One tired evening is enough. So yes, you can never be 100% sure your code is completely safe.

Respect to all devs who make mistakes and give us bugs 💀🥃

I just published my first write-up on my blog:

From "Log in with OAuth" to "Your Account Is Mine" – Desktop App Edition

This article is based on a recent OAuth vulnerability I discovered. I have requested permission to disclose the full report, but it hasn’t been approved yet. Once I get the green light, I will attach my proof of concept (PoC) and the full report.

I hope you enjoy it! ❤️‍🔥🙌