✎ Hacking Modern Web Applications - Client-Side Path Traversal (CSPT)

First of all, I highly recommend that you read this PDF if you don't know what CSPT is. To understand this vulnerability, just set up the CSPT Playground lab, which I have put in the Labs section.

Publications (blog posts, advisories, …)
• Cloudflare Image Proxy as a CSPT Gadget
• Bypassing WAFs to Exploit CSPT
• CSPT & File Upload Bypasses
• CSPT Reports & Techniques
• Automating CSPT Discovery
• Saving CSRF with CSPT
• The Power of CSPT
• Fetch Diversion
• CSTP Attacks
• CSPT → Open Redirect → XSS
• CSPT → JSONP → XSS
• CSPT → JSONP → XSS
• CSPT → XSS
• CSTP → ATO

Videos
• Navigating The Landscape Of Client-Side Request Hijacking On The Web
• CSPT vulnerability class explained
• CSPT → Exploit Cache Deseption

Labs
• CSPT Playground

#bugbounty #ratelimit #CSPT
© t.iss.one/BugBounty_Diary

✎ CVE-2025-55182 (RSC RCE) Critical Security Vulnerability in React Server Components

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

Useful Blogs
• slcyber.io
• react.dev
• amazon.com

Most reliable public detections (at this time):
• Nuclei Template
• react2shell-scanner
• Burp Extension: Active Scan++

POC
• CVE-2025-55182 - React Server Components RCE
• CVE-2025-55182 that works on Next.js 16.0.6
• CVE-2025-55182 RCE

#bugbounty #CVE #POC
© t.iss.one/BugBounty_Diary

✎ The Anatomy of Source Maps and Reconstructing Original Source Code

A source map is a .map file that links transformed code back to the original source, allowing browsers to display the original code in debuggers. For bug hunters, this is valuable because it makes reading code easier, reveals developer comments and ... .

Browsers use source maps to reconstruct original code automatically. Similarly, you can use tools like Sourcemapper to retrieve a website’s original source if the .map files are publicly accessible.

sourcemapper -output dhubsrc -url https://target.com/js/client.356c1491.js.map

 
References
• Introduction to JavaScript Source Maps
• Source maps: languages, tools
• Extracting JavaScript from Sourcemaps

#bugbounty #sourcemap #javascript
© t.iss.one/BugBounty_Diary

They patched it, I hacked it, and got rewarded again!🔥
I can't wait to write my new writeup explaining how I hacked the patched version of this bug. It will be a valuable case study.
But before I do, please read this amazing article by Adam Pritchard as a prerequisite for my writeup.

✎ Enumerating WordPress REST API Endpoints

If you're scanning a WordPress site, don’t miss exposed REST API endpoints under /wp-json. Many plugins, such as payment gateways, expose Webhooks or callback URLs (e.g., for updating WooCommerce orders). Scanning these public endpoints may expose sensitive data like PII or order details, particularly when plugins (often custom ones) lack proper authentication.

To make this easier, I’ve created a simple function that enumerates all exposed REST API endpoints. Just add the following Bash function to your ~/.zshrc or ~/.bashrc file:

function wpjson(){
    curl -s $1 -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"\
    | jq -r '.routes | keys[]'
}

Usage

wpjson https://target.com/wp-json

#bugbounty #wordpress #wpjson
© t.iss.one/BugBounty_Diary

I shared this because I recently found a custom plugin endpoint in WordPress that leaked PII. I was inspired by this tweet. No matter whether you find endpoints with this script or simply add /wp-json to the end of the URL, the important thing is the methodology behind it.

✎ Extract URL Paths or Routes via Dev Tools

[...new Set([...document.querySelectorAll("a[href]")].map(a => new URL(a.href, location.href).pathname))]
.forEach(path => console.log(path));

• Save and download a .txt file with all those paths:

(() => {
    const paths = [...new Set([...document.querySelectorAll("a[href]")].map(a => new URL(a.href, location.href).pathname))];
    
    const blob = new Blob([paths.join("\n")], { type: "text/plain" });
    const a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    
    const domain = location.hostname.replace(/^www\./, ""); 
    a.download = `${domain}.txt`;
    
    document.body.appendChild(a);
    a.click();
    document.body.removeChild(a);
})();

#bugbounty #devtool #javascript
© t.iss.one/BugBounty_Diary

✎ Deobfuscate obfuscator.io, unminify, transpile, and unpack webpack/browserify, using webcrack to resemble the original source code as much as possible.

Command Line Interface

npm install -g webcrack

Examples

webcrack input.js
webcrack input.js > output.js
webcrack bundle.js -o output-dir

• Repository: Github
• Website: webcrack.netlify.app

#bugbounty #recon #javascript #deobfuscate
© t.iss.one/BugBounty_Diary

✎Grep tips for Javascript Analysis

• Extracting JavaScript Files from recursive Directories

find /path/to/your/folders -name "*.js" -exec mv {} /path/to/target/folder/ \;

• Searching for API Keys and Secrets

cat * | grep -rE "apikey|api_key|secret|token|password|auth|key|pass|user"

• Detecting Dangerous Function Calls

cat * | grep -rE "eval|document\.write|innerHTML|setTimeout|setInterval|Function"

• Checking for URL Manipulation

cat * | grep -rE "location\.href|location\.replace|location\.assign|window\.open"

• Searching for Cross-Origin Requests

cat * | grep -rE "XMLHttpRequest|fetch|Access-Control-Allow-Origin|withCredentials" /path/to/js/files

• Analyzing postMessage Usage

cat * | grep -r "postMessage"

• Finding Hardcoded URLs or Endpoints

cat * | grep -rE "https?://|www\."

• Locating Debugging Information

cat * | grep -rE "console\.log|debugger|alert|console\.dir"

• Investigating User Input Handling

cat * | grep -rE "document\.getElementById|document\.getElementsByClassName|document\.querySelector|document\.forms"

#bugbounty #recon #javascript
© t.iss.one/BugBounty_Diary

Just wanted to inform you that Writeup-Miner is now live on @Daily_Writeups.

Join if you want the latest Bug Bounty and Cybersecurity write-ups. 

Thank you all ♥️🙌

✎ Cloud Security One Liners

• AWS S3 Bucket Finder

cat urls.txt | grep -oE "[a-zA-Z0-9.-]+\.s3\.amazonaws\.com" | anew s3_buckets.txt
cat urls.txt | grep -oE "s3://[a-zA-Z0-9.-]+" | anew s3_buckets.txt

• S3 Permission Check

cat s3_buckets.txt | xargs -I@ sh -c 'aws s3 ls s3://@ --no-sign-request 2>/dev/null && echo "OPEN: @"'

• Firebase Database

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.firebaseio\.com" | xargs -I@ curl -s @/.json | grep -v "null"

• Azure Blob Storage

cat urls.txt | grep -oE "[a-zA-Z0-9-]+\.blob\.core\.windows\.net" | anew azure_blobs.txt

• GCP Storage

cat urls.txt | grep -oE "storage\.googleapis\.com/[a-zA-Z0-9-]+" | anew gcp_buckets.txt

• AWS Metadata SSRF

cat urls.txt | gf ssrf | qsreplace "https://169.254.169.254/latest/meta-data/iam/security-credentials/" | httpx -silent -ms "AccessKeyId"

• Cloud Credential Files

cat alive.txt | httpx -silent -path /.aws/credentials,/.docker/config.json,/kubeconfig -mc 200 | anew cloud_creds.txt

#bugbounty #recon #cloud
© t.iss.one/BugBounty_Diary

Hey dear subscribers,

This channel has been inactive for one week because Iran's government shut down the entire internet, preventing us from accessing free internet as usual. I was very worried about my open reports and this channel. Starting today, I am working hard and focusing on posting more content.

Thank you all,
🕷 Spix0r

✎ Burp Extension for API Testing in JS-Rich Targets

This tool helps identify endpoints, files, internal emails, and some secrets hidden in minified JavaScript, achieving maximum efficiency while minimizing noise in the results.

• Repository: Github

#bugbounty #recon #javascript #burp
© t.iss.one/BugBounty_Diary

I can't hunt for bugs anymore with this connectivity (only one Cloudflare IP is open here, which is behind ChatGPT! currently, all the traffic from Iran goes through there :)))

Can anyone share the latest bug bounty tips or tricks in the comments?👇