Jayesh Madnani (@jayesh25_)'s Twitter Profile
Jayesh Madnani

@jayesh25_

CEO and Hacker in charge @ EIS | HackerOne Top 15 | hackerone.com/jayesh25

ID: 701280163099639808

Joined: 21-02-2016 05:39:54

925 Tweets

13.13K Followers

449 Following

Jayesh Madnani (@jayesh25_):

🔐Secrets no one will share with you - Here's a technique that might grant you access to takeover other users' accounts using "Login with Facebook":

Are you working on a target site that supports "Login with Facebook"?

Disable email sharing during Facebook login and be ready
Jayesh Madnani (@jayesh25_):

💰Bug Bounty Tips: Scored a $5,000 bounty via APIs exposed on a Swagger endpoint! 💻

Discovered a Swagger UI showing API endpoints—all endpoints required auth. Instead of stopping there, I tried something different: using an Authorization token and cookies from a different
Jayesh Madnani (@jayesh25_):

🔒Bug Bounty Tips - Here's how I earned a $6000 Bounty by escalating a simple Elmah File Disclosure Issue 🔒

💡 If you haven't already, add /elmah and /elmah.axd to your wordlist! These paths often lead to Elmah file disclosures, a finding many researchers report as Low/Medium
Jayesh Madnani (@jayesh25_):

🚨 Yay, we were rewarded with $20,000 on our HackerOne submission for a SSRF bug discovered in collaboration with Shlomie Liberow! 💰🎉

🥳 We uncovered a Critical SSRF vulnerability, turning it into unauthorized access to internal admin endpoints, leading to PII leaks and
Jayesh Madnani (@jayesh25_):

Found a pretty cool feature on Netlas.io called the "Attack Surface Discovery Tool" to quickly map the external attack surface for large-scope targets. This helped me find some quick wins during a recent bug bounty engagement.

What’s awesome? It provides a complete overview of
Jayesh Madnani (@jayesh25_):

Bug Bounty Tips💰: Easy $2000 bounty via enabled "PUT" method! Here’s the nuclei template I used to identify this vulnerability: 🔗 github.com/projectdiscove… The key question: If it’s a public nuclei template, why wasn’t it flagged as a duplicate, and how come no one else found

Jayesh Madnani (@jayesh25_):

Great initiative by celesian! Don’t forget to include the tool below in your list for discovering subdomains for your bug bounty targets. It’s always great to have multiple data sources :)

zhero; (@zhero___):

very pleased to announce the release of my new article based on my research that led to CVE-2024-46982 titled:

Next.js, cache, and chains: the stale elixir

zhero-web-sec.github.io/research-and-t…

note: does not cover the latest findings shared in my recent posts

enjoy reading;
Jayesh Madnani (@jayesh25_):

💥 Simple HTTP Parameter Pollution escalated to PII Leak → 4-Digit Bounty!

✅ {"proxyPayload":"Limit=20&userID=<attacker_ID>"} → 200 OK

❌ {"proxyPayload":"Limit=20&userID=<victim_ID>"} → "errorMessage":"Forbidden Access"

✅
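The pattern in the tweet above, a query string carried inside a JSON field (proxyPayload) and forwarded to a backend that authorizes on userID, is one where the server-side check has to be strict about how that inner string is parsed. The following is an added example written for this page, not code from the tweet or from any target: it assumes a hypothetical JSON body shape and hypothetical function names, rejects any parameter that is repeated or not on an allowlist (the class of input parameter pollution relies on), and binds userID to the authenticated session instead of trusting the client value.

```python
"""Defensive parsing of a proxied query string embedded in a JSON body.

Hypothetical example for this page. Assumed request shape (constructed):
    {"proxyPayload": "Limit=20&userID=<id>"}
The inner string is meant to be forwarded to a backend; the caller's real
user id comes from the session, never from the payload.
"""
import json
from urllib.parse import parse_qs, urlencode


class BadRequest(Exception):
    """Malformed or polluted input; map to HTTP 400."""


class Forbidden(Exception):
    """Caller asked for a resource that is not theirs; map to HTTP 403."""


# Only these inner parameters may reach the backend (hypothetical allowlist).
ALLOWED_PARAMS = {"Limit", "userID"}


def parse_proxy_payload(payload: str) -> dict[str, str]:
    """Parse the inner query string, refusing repeated or unknown keys.

    parse_qs returns a list per key, which is exactly what exposes duplicate
    parameters: a key with more than one value is rejected outright rather
    than letting the backend pick "first" or "last" on its own.
    """
    parsed = parse_qs(payload, keep_blank_values=True)
    flat: dict[str, str] = {}
    for key, values in parsed.items():
        if key not in ALLOWED_PARAMS:
            raise BadRequest(f"unexpected parameter {key!r}")
        if len(values) != 1:
            raise BadRequest(f"parameter {key!r} supplied more than once")
        flat[key] = values[0]
    return flat


def authorize_proxy_request(body: str, session_user_id: str) -> dict[str, str]:
    """Validate the JSON body and enforce that userID matches the session.

    Returns the validated parameter set that may be forwarded; raises
    BadRequest or Forbidden otherwise.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise BadRequest("body is not valid JSON") from exc
    payload = data.get("proxyPayload") if isinstance(data, dict) else None
    if not isinstance(payload, str):
        raise BadRequest("proxyPayload must be a string")

    params = parse_proxy_payload(payload)

    # Ownership check against the session, not against anything the client sent.
    if params.get("userID") != session_user_id:
        raise Forbidden("Forbidden Access")
    return params


def build_forwarded_query(params: dict[str, str]) -> str:
    """Rebuild the forwarded query from the validated dict.

    Serialising from the dict guarantees the backend sees exactly one value
    per key, in canonical encoding, regardless of how the client wrote it.
    """
    return urlencode(params)


if __name__ == "__main__":
    # Constructed sample: the caller's own id, as the accepted case in the tweet.
    accepted = authorize_proxy_request('{"proxyPayload":"Limit=20&userID=1001"}', "1001")
    print("forwarding:", build_forwarded_query(accepted))
```

A simpler design, where the use case allows it, is to not accept userID from the client at all and have the server insert the session's id when it builds the forwarded query; the allowlist and duplicate-key rejection stay useful either way, because any parameter the backend interprets is a candidate for pollution.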
Jayesh Madnani (@jayesh25_):

🚀 Unspoken Bug Bounty Rules – From many years of failures & experience! 🕵️‍♂️ Got a similar bug across multiple assets but fear the program might count them as one for payout despite requiring multiple fixes? ✅ Report one at a time. Wait for a bounty. Then submit the next one.

Jayesh Madnani (@jayesh25_):

Bug Bounty Tip: Keeping It simple & consistent Over time, I’ve realized that overly complicated automation in bug bounty isn’t as exciting or rewarding—at least not for me. Instead of trying to automate everything under the sun, I’ve found that focused, consistent recon on core

Jayesh Madnani (@jayesh25_):

Here's a technique I use to maximize results and avoid VPS abuse reports while testing for automated XSS or similar vulnerabilities. Malicious payloads are often blocked outright by WAF providers like Akamai, Cloudflare, etc., meaning you won’t even get a chance to work on a WAF

Jayesh Madnani (@jayesh25_):

I've often hesitated to participate in public bug bounty programs, mistakenly believing that if a program is public, it's likely already been thoroughly tested and is bug-free. However, I've been proven wrong. Over the past 2 years, I've learned valuable lessons that have

Jayesh Madnani (@jayesh25_):

It's wild how a $50 bounty a few years ago felt more exciting than a $10,000 bounty in 2025. I can't be the only one feeling that way... right? 🤔🤔

Jayesh Madnani (@jayesh25_):

Found an interesting bug a while back and thought I’d share it here 👇 I came across an unused API endpoint inside a JavaScript file - `/api/users/<user_id>/activities/`. It wasn’t being called anywhere within the app, so naturally, I tried to hit it manually using my JWT from

Jayesh Madnani (@jayesh25_):

Here’s how I discovered a critical issue on a wide-scope program using @netlas_io 👇 The target had a pretty generic login flow via a 3rd-party service with specific keywords. It was pretty much using the same codebase reused across multiple assets. I used