Peter M (@pmnh_)'s Twitter Profile
Peter M

@pmnh_

aka pmnh / ex-Security researcher / Synack #1 SRT 2022-2023 / Synack, HackerOne, BC / Deep recon / source code analysis. Opinions my own, not employer.

ID: 1400463711232397327

Link: https://www.pmnh.site
Date: 03-06-2021 14:45:49

621 Tweet

2,2K Followers

569 Following

Peter M (@pmnh_)

If I'm doing deep research/recon it seems like 20 hours is the magic number where "this target is impossible" changes to "this target kind of makes sense" and then I start finding vulnerabilities. Don't give up and don't shy away from things that look hard on the surface!

huli (@aszx87410)

I haven't played CTF for a while cause I am busy with other stuff like new job and moving to a new place (I am in Tokyo now!). But I still see some interesting challenges on twitter from time to time and really want to take a note, so here it is: blog.huli.tw/2023/12/03/en/…

Peter M (@pmnh_)

Encountered another Java RCE yesterday requiring a reflection-based payload to bypass WAF and server-side filtering. In both .NET and JVM-based languages, learn how to build one-liners with reflection, guaranteed it will pay off when you encounter a tough WAF.

Mustafa Can İPEKÇİ (@mcipekci)

While exploiting SQL injection issues, knowing the capabilities of the target DBMS is key, which is what I'm always saying. I will try to explain how to find tables with valid data on IBM DB2 targets. #bugbountytip 1/n

Peter M (@pmnh_)

During bug hunting, what error message gives you an adrenaline rush? Mine is "you have an error in your SQL syntax" 🔥

Peter M (@pmnh_)

Starting my next full-time job tomorrow. It's been a great almost 1.75 year run in full-time BB. Thanks to everyone who hit me up for collabs, supported me, and the amazing friends around the world I've met. This community is full of great people and kindness. Y'all are awesome!

Nagli (@galnagli)

The damage of VDP programs and their incentivization is far greater than giving some hunters "points" for farming non-bugs that they can later boast on their CVs. I believe it might actually ruin Bug Bounty platforms in the near future. Let's explore the facts 📜 So VDPs, as
