Bug Bounty Reports Explained's Avatar

Bug Bounty Reports Explained

@gregxsunday.bsky.social

481 Followers  |  103 Following  |  96 Posts  |  Joined: 21.11.2024  |  1.9317

Latest posts by gregxsunday.bsky.social on Bluesky

30.06.2025 10:51 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

GraphQL CSRF via the HEAD method #bugbounty #bugbountytips #bugbountyhunter

30.06.2025 10:51 β€” πŸ‘ 5    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
Preview
HackerOne disclosed on HackerOne: SQL injection in GraphQL endpoint... # Summary The `embedded_submission_form_uuid` parameter in the `/graphql` endpoint was vulnerable to a SQL injection. This allowed an attacker to extract information from the public and secure...
28.06.2025 10:51 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

10/10 GraphQL SQL injection bug #bugbounty #bugbountytips #bugbountyhunter

28.06.2025 10:51 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
Preview
GitLab disclosed on HackerOne: Insufficient Type Check on GraphQL... ### Summary As you have know, Maintainer cannot delete/archive repository. But via GraphQL, they can do as there exists an sufficient check on GraphQL...
27.06.2025 10:51 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Unexpected privilege escalation deletion bug #bugbounty #bugbountytips #bugbountyhunter

27.06.2025 10:51 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 1
Preview
A.S. Watson Group disclosed on HackerOne: Access to internal info... This report was submitted during the Ambassador World Cup 2023 finale by the Spain team, who won the competition. The reporter @jfran_cbit got a critical bounty for this report, plus a bonus for...
26.06.2025 10:50 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Unauthenticated β†’ Low privileges β†’ admin #bugbounty #bugbountytips #bugbountyhunter

26.06.2025 10:50 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
Bulletin.com email address leak - These aren't the access_tokens you're looking for Bulletin.comΒ is Facebook’s new publication service. The VoiceCreator object in GraphQL has no apparent permissions, this means I can list the subscribers of a podcast/publication by email address.query a {bulletin_browse_publications(){__typename,publications{creator{id,name,email_settings{nodes{__typename,...on VoicesEmailSettings{confirmed_email{email_address}}}}}}}} Timeline Jul 2, 2021 – Report sentJul 7, 2021 – Fixed by Facebook Facebook incorrectly penalised me for β€œexploiting” which was just me retesting the … Continue reading Bulletin.com email address leak
25.06.2025 10:47 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Sometimes, one field is all you need for a bug #bugbounty #bugbountytips #bugbountyhunter

25.06.2025 10:47 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
Enjoy the videos and music that you love, upload original content and share it all with friends, family and the world on YouTube.

GraphQL isn’t just an API to deliver our payloads. Often, its implementations are what actually cause them. To see what bugs it can lead to, studied disclosed bug bounty reports. IDORs, privescs, DoS, CSRFs, SQLis - it's all there. Enjoy!

24.06.2025 11:39 β€” πŸ‘ 3    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image

If your GraphQL testing stops at introspection and ID swapping, you’re missing out. SQLi, CSRF, caching bugs, race conditions, WebSocket bypasses - it’s all there. I studies 90 real reports to find what actually works.

16.06.2025 14:33 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Fuzzing vs broken access control bugs feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

16.06.2025 10:03 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

This is why you should run bug bounty tools from a VPS feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

14.06.2025 11:02 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Managing your blind XSS payloads feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

13.06.2025 11:03 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Generating target-specific wordlists feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

12.06.2025 11:07 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Generating target-specific wordlists feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

12.06.2025 11:06 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Automation to get Hackerone program updates feat. Arthur Aires #bugbounty #bugbountytips #bugbountyhunter

11.06.2025 11:06 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Enjoy the videos and music that you love, upload original content and share it all with friends, family and the world on YouTube.

In today’s episode, Arthur Aires shares his bug bounty methodology which starts with heavy fuzzing and automation to find the best assets for manual exploitation and escalation. Enjoy!πŸ”₯

10.06.2025 14:35 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Enjoy the videos and music that you love, upload original content and share it all with friends, family and the world on YouTube.

In this video, Arthur Aires walks us through two real-world deserialization RCEs that include bypassing a class allowlist and then exfiltrating data via DNS.
Techniques you'll want in your toolbox. Enjoy!

28.05.2025 10:31 β€” πŸ‘ 3    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

An ATO that doesn’t make sense feat. Jasmin β€œJR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter

21.05.2025 09:14 β€” πŸ‘ 3    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Manipulating referer policy when DOM Purify is used feat. Jasmin β€œJR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter

20.05.2025 09:13 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

SQLi still exists in 2025 feat. Jasmin β€œJR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter

19.05.2025 09:11 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Using match and replace rules for quickly applying polyglot payloads feat. Jasmin β€œJR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter

17.05.2025 09:11 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Second order injections feat. Jasmin β€œJR0ch17” Landry #bugbounty #bugbountytips #bugbountyhunter

16.05.2025 09:19 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Enjoy the videos and music that you love, upload original content and share it all with friends, family and the world on YouTube.

In this episode, Jasmin β€œJR0ch17” Landry breaks down how he consistently lands highs and crits - from SSRFs to less common bugs like XXEs and SQLis. EnjoyπŸ”₯

14.05.2025 14:03 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Hunting for privilege escalations by modifying the JS feat. @renniepak.nl #bugbounty #bugbountytips #bugbountyhunter

19.03.2025 11:57 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

$50k XSS in a web3 website feat. @renniepak.nl #bugbounty #bugbountytips #bugbountyhunter

18.03.2025 11:57 β€” πŸ‘ 3    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

The CSPBypass website feat. @renniepak.nl #bugbounty #bugbountytips #bugbountyhunter

17.03.2025 11:57 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
Video thumbnail

The mysterious bug bounty methodology

15.03.2025 11:57 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

@gregxsunday is following 20 prominent accounts