bugbountygroup | Unsorted

Telegram channel bugbountygroup - Bug bounty chat

3186

Talk and help about bugbounty


Bug bounty chat

That's a medium at best yeah


Bug bounty chat

It was containing a lot of PII


Bug bounty chat

The report is still open in Triaged state. What is likely to happen?


Bug bounty chat

Can someone share methodology please


Bug bounty chat

I can upload a file to S3 for the guest section, to a file like shell.php. It worked, but when trying to open it, it downloads the file directly.


Bug bounty chat

Guys, let's learn Russian


Bug bounty chat

Has anyone come across this?


Bug bounty chat

You're right bro.
Thanks 😊


Bug bounty chat

If you can then try to escalate it more because the company needs to know how knowing all these credentials can affect them.


Bug bounty chat

Hello Hunters, I got NREUM loader account id, trustkey, agentid, license key and application id in a hardcoded source code. Should I report?


Bug bounty chat

Yo does anyone know any bug bounty platforms that pay through crypto, I'm new to this


Bug bounty chat

This blog might help you for the Role Based Access Control Bypass
Link 🔗: https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.bugbountyhunter.com/hackevents/report%3Fid%3D885&ved=2ahUKEwiEuLWqwdaFAxUhzzgGHaOdB-EQFnoECCAQAQ&usg=AOvVaw1_Sbdrsv1Awf3jzfgsz34V


Bug bounty chat

Thanks for the response.

I actually reported it and it was changed from critical to medium (Triaged) but I'm not okay with it being a medium.
The JS file reveals a lot of endpoints too, but whenever I try accessing the endpoints, it shows authentication token missing.


Bug bounty chat

Try escalating it more or else it will go in Informative vulnerabilities or very minimal bounty or points depending on the platform you are reporting.


Bug bounty chat

Hello hunters, while inspecting a js file, I found Names, Email addresses and Role : Admin, Signup date. Should I report it?


Bug bounty chat

Name and email addresses


Bug bounty chat

Why would that be critical


Bug bounty chat

Got a response that it's actually Retool dummy data.
💔😣


Bug bounty chat

It executes its code also


Bug bounty chat

Hi all, does anyone have an external penetration testing checklist? If you have, pls share it.


Bug bounty chat

https://infosecwriteups.com/hack-stories-hacking-hackers-ep-3-11b1f0e002e8


Bug bounty chat

https://book.cipherops.tech/bug-bounty-notes/readme/cipherops


Bug bounty chat

You may report it but I'm 90% sure they will say the same!
And the remaining 10% they might give you bounty or points or mark it as informative if it does not affect them.


Bug bounty chat

Treat as urgent please 🙏


Bug bounty chat

xss.is / exploit.in 😂
——
it's a joke btw


Bug bounty chat

new writeups !!!

View billing information using IP Rotation!

Read - https://rhymeus.blog/2024/04/view-billing-information-using-ip.html


Bug bounty chat

I also came across a RBAC. Any idea on how to bypass? I don't think fuzzing would help


Bug bounty chat

Just search for a wordlist for the purpose you want. There are many GitHub pages with great wordlists, or you can use ChatGPT to create one for you ✌🏻🌚


Bug bounty chat

Instead of 404, fuzz 403 and try to bypass it.
403 has more credibility if bypassed than 404.
For 404, you can try fuzzing but just inspect first which type of pages the website is using; that can narrow down your approach for wordlists.
For example: while scrolling a website and traversing its different pages you get to know that the website is using .aspx or .php or some extensions like that for about us and sitemap.xml too.


Bug bounty chat

Best wordlists for fuzzing 404?
Anyone, please
