Walid Hossain (@walidhossain_)'s Twitter Profile

Web app tester || Everything is vulnerable! || bugcrowd.com/walidhossain For pentest: DM! 👆

ID: 904037554386681856

Link: http://localhost.com
Date: 02-09-2017 17:45:23

2.2K Tweets

2.2K Followers

450 Following

Walid Hossain (@walidhossain_) 's Twitter Profile Photo

I earned $xxx for my submission on @bugcrowd bugcrowd.com/walidhossain #ItTakesACrowd
/partner/ - 403
/partner/dynamic/ - 403
/partner/dynamic/trace.axd - 200 - P1 - Full read trace.axd live log access leads to leakage of many users' PII

André Baptista (@0xacb) 's Twitter Profile Photo

This email domain confusion technique from Gareth Heyes \u2028 is so cool! Some really weird behavior can be found between different mail agents and the right characters/symbols 🤔

Jason Haddix (@jhaddix) 's Twitter Profile Photo

A lot of people lead with "forget previous instructions" in Prompt Injection. TBH that's more of a jailbreak tactic. More often in the real world "Additional Instruction:" works better. 🫶🤟

DOAM (@doamuslims) 's Twitter Profile Photo

Palestinian children blown from their house onto rooftop of another house after Israeli warplanes bombed a residential building in #Gaza city.

‌Renwa (@renwax23) 's Twitter Profile Photo

It's end of the month and here is a new writing about changing a useless sanitized HTML injection to stored XSS and account takeover by looking through JS files and image upload. medium.com/@renwa/html-in…

slonser (@slonser_) 's Twitter Profile Photo

Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->

YS (@yshahinzadeh) 's Twitter Profile Photo

just wrote a blog post based on this technique and described the methodology to take advantage of it, the post also includes an easy-to-set-up testbed to practice with, hope you find it useful blog.voorivex.team/leaking-oauth-…

André Baptista (@0xacb) 's Twitter Profile Photo

Hidden or disabled fields are commonly overlooked, but they can still open the door to some cool bugs. Try creating a bookmarklet to instantly reveal these fields. Here are some quick examples you can copy and paste: 🔖 Enable all disabled or readonly fields:

Shaykh Hasan Ali (@shaykhhasanali) 's Twitter Profile Photo

❝Four things ruin the body: Worry, grief, hunger and sleeplessness. And four things bring joy: Looking at greenery, running water, a beloved person and fruits.❞ ~ Ibn Qayyim رحمه الله in Zad al-Ma'ād

Justin Gardner (@rhynorater) 's Twitter Profile Photo

I love bug bounty data like this. So insightful, especially from a rising star in the community like Evan Connelly evanconnelly.com/post/my-first-…

YS (@yshahinzadeh) 's Twitter Profile Photo

How did we (AmirMohammad Safari) earn $50k using the Punycode technique? I’ve published a detailed blog post about our recent talk, we included 3 attack scenarios, one of which poses a high risk of account takeover on any "Login with GitLab" implementation blog.voorivex.team/puny-code-0-cl…

MG 🏳️ (@favafghan_x) 's Twitter Profile Photo

On the day of Arafah, ask big, ask for Jannah, for healing, for the impossible. Your biggest dreams are nothing before "Kun Faya kun". Be delusional in your duas because nothing is too big for Allah.

Godfather Orwa 🇯🇴 (@godfatherorwa) 's Twitter Profile Photo

Slides of the talk in #PHDays PT Security docs.google.com/presentation/d… hoping it will be very helpful for all of you ♥ #bugbounty #bugbountytips #bugbountytip If you didn't check the video of the talk, then it's time ===>