Bug Bounty Diary
A diary documenting the journey of finding bugs, with daily notes and useful tricks. Follow for real experiences, discoveries, and practical tips in bug bounty hunting. Group: @BugBounty_Forum
Channel Posts
✎ FlareProx - Simple IP Rotation & URL Redirection via Cloudflare Workers
FlareProx automatically deploys HTTP proxy endpoints on Cloudflare Workers for easy redirection of all traffic to any URL you specify. It supports all HTTP methods (GET, POST, PUT, DELETE, etc.) and provides IP masking through Cloudflare's global network. (100k requests per day are free.)
● How It Works
FlareProx deploys Cloudflare Workers that act as HTTP proxies.
1. Request Routing: When you make a request, your request is sent to a FlareProx endpoint.
2. URL Extraction: The Worker extracts the target URL from query params or a custom HTTP header.
3. Request Proxying: The Worker forwards your request to the target URL.
4. Response Relay: The target's response is relayed back through Cloudflare.
5. IP Masking: Your original IP is masked by Cloudflare's infrastructure.
● Repository: Github
#bugbounty #burp
© T.me/BugBounty_Diary
| 2 | ✎ Hacking Google with A.I. for $500,000
After earning $500,000 in Google bug bounties, BruteCat shared the AI-powered prompts, workflows, and techniques used to analyze Google's massive attack surface, which offers valuable insights for security researchers looking to scale their reconnaissance and vulnerability discovery.
I highly recommend you read this writeup because it gives you a good methodology for hacking using AI.
• Blog: Hacking Google with A.I. for $500,000
#bugbounty #AI
© T.me/BugBounty_Diary | 2 756 |
| 3 | ✎ CompTIA Network+ Summary - Module 4
Chapter 4 is now live - hope you find it helpful!
--Configuring Network Addressing--
• Blog: Network+ Summary - Module 4
#bugbounty #network
© T.me/BugBounty_Diary | 2 397 |
| 4 | So close! Just 9 more stars to reach 256. Thank you all for the incredible support. 🫡❤️🔥 | 1 731 |
| 5 | ✎ RoboFinder v0.2.2 is out
RoboFinder is now more powerful, stable, and easier to fit into your recon workflow.
● Installation
pip install robofinder
● What's new?
• Supports both single and multiple URLs
robofinder -u https://example.com
#or
robofinder -u urls.txt
• Pipe results directly into other tools:
robofinder -u https://example.com -c | httpx
• JSON output for automation:
robofinder -u https://example.com -c -f json
I also focused more on data quality than raw speed. Wayback lookups, especially on older targets, may take a little longer :( but you'll get much more complete results instead of missing valuable historical data.
• Repository: Github
#bugbounty #recon
© T.me/BugBounty_Diary | 5 178 |
| 6 | -----‐-------------------------------
✎ Discovering Domains via NS Correlation
-----‐-------------------------------
● What is a Nameserver?
A nameserver (NS) is a specialised server within the Domain Name System (DNS) which translates human-readable domain names into IP addresses. Essentially, nameservers tell the internet where to find your web server.
In this post I will describe a simple technique which can be used to correlate one or more websites using NS data.
● Finding Nameservers
To find the nameservers for a domain name, the simplest way is to use the dig tool:
$ dig +noall +answer ns deliveroo.com
deliveroo.com. 86400 IN NS mona.ns.cloudflare.com.
deliveroo.com. 86400 IN NS phil.ns.cloudflare.com.
● Finding Related Domains
Some DNS providers like Cloudflare will assign you an NS pair at the account level. This means that all domain names you add to your account will share the same NS pair.
In the example above, deliveroo.com uses the Cloudflare nameserver pair mona.ns.cloudflare.com and phil.ns.cloudflare.com. Domains added under the same Cloudflare account are often assigned the same NS pair. Since the number of possible Cloudflare NS pair combinations is limited, many domains share them, making it relatively easy to identify other domains that may be managed by the same operator.
● Downloading The Dataset
Merklemap provides a DNS record database containing 4 billion+ records. You can download it here.
The dataset is provided in JSONL format and is compressed using xz. The uncompressed raw data is around ~500GB in size. If you just want to extract domain/NS pairs in the format domain,ns1,ns2,ns... you can use xzcat with jq like so:
xzcat dns_records_database.jsonl.xz | jq -r '
select([.results[] | .success?.records?.NS? // empty] | length > 0) |
[.hostname] + [.results[].success?.records?.NS? // empty | .[]] |
join(",")
' > domains.csv
● Querying the Dataset
One way to query the parsed data is using DuckDB. grep will also work but will probably be a bit slower.
NS1="phil.ns.cloudflare.com."
NS2="mona.ns.cloudflare.com."
duckdb -csv -noheader -c "
SELECT column0 AS domain, column1 AS ns
FROM read_csv('domains.csv', header=false)
WHERE list_sort(str_split(column1, ',')) = list_sort(['${NS1}','${NS2}'])
" > results.csv
Looking at results.csv we have ~300 entries. A lot are false positives, but there are some new domains which definitely belong to the same operator:
$ grep -i deliveroo results.csv | cut -d, -f1
deliveroo.de
deliveroo.blog
deliveroo.xn--9dbq2a
... 32 more
In a lot of cases you might not be able to correlate one website to another based on just a keyword in the domain name. In those cases you can do things like:
• Fingerprint HTTP responses
• Compare WHOIS information
• Compare technologies used
• DNS similarities
#bugbounty #recon #DNS
© T.me/BugBounty_Diary | 2 593 |
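The domain/NS extraction and the sorted NS-pair match from the post above, as an added Python example that is not part of the original post: it runs the same logic offline over a constructed five-record JSONL sample in the shape the jq filter expects (the hostnames other than deliveroo.com and deliveroo.de are made up).

```python
import json
from collections import defaultdict

# Constructed sample records (not real Merklemap data) in the layout the post's
# jq filter reads: "hostname" plus "results[].success.records.NS".
SAMPLE_JSONL = """\
{"hostname":"deliveroo.com","results":[{"success":{"records":{"NS":["mona.ns.cloudflare.com.","phil.ns.cloudflare.com."]}}}]}
{"hostname":"deliveroo.de","results":[{"success":{"records":{"NS":["phil.ns.cloudflare.com.","mona.ns.cloudflare.com."]}}}]}
{"hostname":"unrelated.example","results":[{"success":{"records":{"NS":["ns1.example.net.","ns2.example.net."]}}}]}
{"hostname":"no-ns.example","results":[{"success":{"records":{"A":["192.0.2.10"]}}}]}
{"hostname":"broken.example","results":[{"error":"timeout"}]}
"""


def extract_ns_pairs(jsonl_text):
    """Same selection as the post's jq filter: yield (hostname, [ns, ...]) only
    for records that carry at least one NS answer; failed lookups are skipped."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ns = []
        for r in rec.get("results", []):
            ns.extend((r.get("success") or {}).get("records", {}).get("NS") or [])
        if ns:
            yield rec["hostname"], ns


def ns_key(nameservers):
    """Order-insensitive key, like list_sort() in the post's DuckDB query, and
    additionally normalised for case and the trailing dot."""
    return tuple(sorted(n.lower().rstrip(".") for n in nameservers))


def build_index(jsonl_text):
    """Group every hostname under its full NS set."""
    index = defaultdict(set)
    for host, ns in extract_ns_pairs(jsonl_text):
        index[ns_key(ns)].add(host)
    return index


def correlate(jsonl_text, seed_domain):
    """Hostnames whose NS set equals the seed's (the post's WHERE clause).
    As the post notes, these are candidates only: confirm with WHOIS,
    HTTP fingerprints or technology matches before treating them as in scope."""
    for hosts in build_index(jsonl_text).values():
        if seed_domain in hosts:
            return sorted(hosts - {seed_domain})
    return []
```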
| 8 | -----‐-------------------------------
✎ Linux Security → SUID & Privilege Boundaries
-----‐-------------------------------
In Linux, security heavily depends on permission architecture.
One critical mechanism is SUID (Set User ID).
● What is SUID?
When SUID is applied to an executable, it runs with the file owner’s permissions instead of the executing user’s.
If the file is owned by root, it grants elevated privileges.
[me@linux ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root ...
• The s indicates SUID.
This allows normal users to run passwd, which needs root access to update /etc/shadow.
SUID itself is legitimate; misconfigured SUID binaries are dangerous.
If powerful binaries like:
• bash
• vim
• find
are improperly assigned SUID, they may be abused for privilege escalation.
● Enumerating SUID Binaries
find / -perm -4000 -type f 2>/dev/null
This way we can find the files with SUID.
● A Usage example:
Let's say find has SUID
find . -exec /bin/sh -p \; -quit
With this you can open a shell as root.
● To Audit
You need to find the files with SUID the way I said before and remove the bit:
chmod u-s /path/to/binary
#bugbounty #Linux
© T.me/BugBounty_Diary | 2 369 |
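An added audit script, not from the post, that performs the post's enumeration (`find / -perm -4000 -type f`) and its `chmod u-s` remediation in Python and sorts each hit into an expected, high-risk or review bucket; the EXPECTED_SUID and HIGH_RISK sets and the temporary fixture tree are assumptions constructed for this example.

```python
import os
import stat
import tempfile

# Assumed baseline for this example: binaries distributions commonly ship SUID.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "newgrp", "gpasswd"}
# The kinds of binaries the post calls dangerous when SUID (shells, editors, find).
HIGH_RISK = {"bash", "sh", "dash", "vim", "vi", "find", "python3", "perl", "less"}


def find_suid(root):
    """Equivalent of `find ROOT -perm -4000 -type f 2>/dev/null`."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry, same effect as 2>/dev/null in the post
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(path):
    name = os.path.basename(path)
    if name in HIGH_RISK:
        return "high-risk"   # strip with chmod u-s, as the post recommends
    if name in EXPECTED_SUID:
        return "expected"
    return "review"          # unknown SUID file: verify package ownership first


def audit(root):
    return {p: classify(p) for p in find_suid(root)}


def strip_suid(path, dry_run=True):
    """chmod u-s; returns the permission bits that result (or would result)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_ISUID
    if not dry_run:
        os.chmod(path, mode)
    return mode


def make_fixture():
    """Constructed sample tree (not a real system) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("find", 0o4755), ("passwd", 0o4755), ("ls", 0o755), ("helper", 0o4711)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

`audit(make_fixture())` runs it against the constructed tree; `audit("/")` runs the same scan on a real host, and `strip_suid(path, dry_run=False)` applies the post's `chmod u-s` to a confirmed high-risk hit.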
| 9 | ✎ CompTIA Network+ Summary - Module 3
Module 3 is now live on my Hashnode series.
--Interfaces & Switches--
As always stripped down to the essentials with no fluff.
• Blog: Network+ Summary - Module 3 | 2 235 |
| 10 | ✎ ASN → IP Recon Workflow (BGPView alternative)
I used to rely on bgpview.io for extracting IP ranges from ASNs; it was free and useful for recon workflows. But after it went down, I looked for an alternative and found this awesome repo:
• as-ip-blocks: Github
It lets you pull IPv4/IPv6 prefixes per ASN directly from raw GitHub data, which is ideal for automation.
</> Bash Function for ASN → IP Enumeration
You can plug this directly into your recon pipeline or customize it for your tools.
asn2ip() {
local base="https://raw.githubusercontent.com/ipverse/as-ip-blocks/master/as"
fetch_asn() {
curl -fsSL "$base/$1/aggregated.json" \
| jq -r '.prefixes.ipv4[]?' 2>/dev/null \
| sort -u
}
if [ ! -t 0 ]; then
while IFS= read -r asn; do
fetch_asn "$asn"
done
else
fetch_asn "$1"
fi
}
• Single ASN → IP Ranges
asn2ip 1234
• List of ASNs → IP Ranges
cat asnList | asn2ip
#bugbounty #recon #automation
© T.me/BugBounty_Diary | 3 427 |
| 12 | ✎ CompTIA Network+ Summary - Module 2
Module 2 is now live on my Hashnode series.
Stripped down to the essentials, focusing only on what actually matters for understanding networks from a cybersecurity perspective.
• Blog: Network+ Summary - Module 2
#bugbounty #network
© T.me/BugBounty_Diary | 3 009 |