🐵 MonkeHacks #48
Codebase Redesign, Celebrations, Climbing
#bugbountytips #hacktheplanet #bugbounty monke.ie/p/monkehacks...
@rezasahaf.bsky.social
Bug Hunter
SSRFs can be tough to make critical without cloud metadata, especially against a target like GitLab that strengthens its infra with every SSRF. Yet @joaxcar.bsky.social broke through with the first critical SSRF on GitLab since 2020. Enjoy our explanation from Sweden! 🇸🇪
One of my favorite bugs from last year
08.01.2025 15:23
Here's what's in the latest issue of BBRE Newsletter 🔥
02.01.2025 14:09
Kids these days don't even know how much opportunity they have to learn hacking from actual pros.
I know there is a lot of content out there, so it can be hard to find the good stuff. But 10 years ago you had to be lucky to find at least something.
Anyway, watch this:
My videos for Flare-On 2024 are live! Watch me reverse engineer all the challenges from start to end. 🥳
+ Commentary video featuring SuperFashi, where we review the challenges together.
* 45 hours of content
* 400+ GB of raw footage
Merry Christmas! Link: www.youtube.com/watch?v=vwW9...
⚠️ Challenge time again ⚠️
It is based on a real-world situation. Use the HTML injection to leak the flag to an external domain.
This time, send solutions in DM; we don't want to spoil the fun. I also might want to patch any obvious blunder I made creating it
joaxcar.com/xss/outer.ht...
🐵 MonkeHacks #43
Year in Review, Technique Drop, Taking Care
In this issue, I drop a fun technique for bypassing redirect checks in certain situations. Enjoy :)
#bugbountytips #hacktheplanet #bugbounty monke.ie/p/monkehacks...
A small code-golf web challenge (free research from you, for me): how short can you make a "fetch content and execute it inline"?
There is a CSP in a meta tag.
Goal: get the content from the file hack.js and have it inserted in the page, like in the image.
joaxcar.com/xss/self.html
Here's what's in the latest issue of BBRE Newsletter 🔥
11.12.2024 09:19
🫡 2024 YTD #BugBounty stats update:
7 issues reported (4 Crit, 2 High, 1 Medium)
💰 4 issues paid
⚪ 1 Informational
🔴 1 OOS
Will try it, seems to be fun!
01.12.2024 15:54
Doing some @portswigger.net advent calendar this year as well. Join me on advent.j15.se
It's not affiliated with PortSwigger, but it will link you to one of their chapters each day (random for max excitement).
It's created 100% using Cursor, so any bugs are AI's fault.
Can I ask the reason why an RCE is a low/medium severity bug in this case? Attack complexity, or is the scope not a core asset?
30.11.2024 15:20
This week we've got a rare episode that is also a bit more beginner friendly!
0xLupin (of Lupin and Holmes) and @rhynorater.bsky.social break down some of the hacker mentality that really caused some breakthroughs in their hacker growth.
Check it out!
youtu.be/yxc2jVKE-jo
Dope!
27.11.2024 16:43
Alright, new platform, so I'm going to start sharing some things that I'm excited about to keep the momentum flowing!
Right now, I think the 403 Bypasser Caido plugin from Bebiks is freaking amazing.
This is a tool to automate the bypassing of walled-off endpoints.
This plugin does 3 things right:
Any bug bounty people around? I'm creating a starter pack of people to follow but it's pretty brief currently! Let me know if you'd like to be added: go.bsky.app/GD7hKPX
21.11.2024 15:23
🫡
26.11.2024 12:22
The "bug bounty hunters and content creators" starter pack is now up to 60 users! Follow this to get instantly connected to the bug bounty community & let me know if I've missed you off!
go.bsky.app/GD7hKPX
Trying to make a list of programs that have hosted a live event on HackerOne:
-epic games
-tiktok
-zoom
-salesforce
-uber
-PayPal
-DoD
-shopify
-airbnb
-yahoo
-Starbucks
-Amazon
Which did I miss? #Bugbounty
I really needed this list! Thanks
25.11.2024 01:36
Hello World!
24.11.2024 14:55