Bug bounty Tips

When comments aren't just comments

<script>
    delete/delete; //alert(1)
    typeof/typeof; //alert(2)
    void/void;     //alert(3)
    throw/throw;   //alert(4)
</script>

demo: https://jsfiddle.net/yo0a24dj/ source: https://x.com/nowaskyjr/status/1983273567111524544

#tools #cryptography Critical cryptography vulnerabilities in the JavaScript elliptic library https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof // CVE-2024-48949, CVE-2024-48948 (unresolved) See also: ]-> repository (updated) of test vectors of cryptographic libraries for known attacks

#AIOps #MLSecOps #RAG_Security #Offensive_security AI pentest scoping playbook https://devansh.bearblog.dev/ai-pentest-scoping // Scoping AI security engagements is harder than traditional pentests because the attack surface is larger, the risks are novel, and the methodologies are still maturing

#CogSec #MLSecOps Inside OpenAI Sora 2 - Uncovering System Prompts Driving Multi-Modal LLMs https://mindgard.ai/resources/openai-sora-system-prompts // By chaining cross-modal prompts and clever framing, researchers surfaced hidden instructions from OpenAI’s video generator

#reversing #MLSecOps #Cyber_Education "Reverse Engineering GPT", 2024. https://github.com/mytechnotalent/RE-GPT // Drawing inspiration from Andrej Karpathy’s iconic lecture, "Let’s Build GPT: From Scratch, in Code, Spelled Out", this project takes you on an immersive journey into the inner workings of GPT. Step-by-step, we’ll construct a GPT model from the ground up, demystifying its architecture and bringing its mechanics to life through hands-on coding See also: Neural Networks: Zero to Hero

#AppSec #Cloud_Security 1⃣ PoC for CVE-2025-49844, CVE-2025-46817 and CVE-2025-46818 Critical Lua Engine Vulnerabilities https://redrays.io/blog/poc-for-cve-2025-49844-cve-2025-46817-and-cve-2025-46818-critical-lua-engine-vulnerabilities // Three critical vulnerabilities in Redis 7.4.5 2⃣ Hunting for Bucket Traversals in Google's Client Libraries https://jdomeracki.github.io/2025/05/04/hunting_for_bucket_traversals // Bucket traversal to be an underresearched class of vulnerabilities, requiring significant context-specific knowledge for comprehensive understanding

#Analytics #Threat_Research An analytical review of the main cybersecurity events for the week (November 1-8, 2025) 1⃣  Breaking Down the Balancer v2 Hack // The Balancer hack in 2025, caused by a longstanding rounding bug, highlights the need for rigorous math correctness, thorough testing, continuous security updates, and layered defenses in DeFi ]-> Analysis and guidance for DeFi ecosystem 2⃣  RDSEED Failure on AMD "Zen 5" Processors // CVE-2025-62626. The RDSEED function for AMD’s Zen 5 processors does return 0 more often than it should... 3⃣  GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools // Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group has identified a shift that occurred within the last year: adversaries are no longer leveraging AI just for productivity gains, they are deploying novel AI-enabled malware in active ops ]-> a comprehensive guide to developing AI/ML systems is available on the channel 4⃣  Improvements to Open VSX Security // In reference to the Glassworm incident, OpenVSX published a blog post outlining some of the security improvements they will make to prevent a repeat of this incident 5⃣  MS Teams Impersonation and Spoofing Vulnerabilities // four vulnerabilities in MS Teams that allow attackers to impersonate executives, manipulate messages, alter notifications, and forge identities in video/audio calls. Both external guest users and malicious insiders could exploit these flaws 6⃣ The channel's most read publication in October // Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites ]-> Analytical review (Oct.25 - Nov.1, 2025)

✎ The perils of the “real” client IP & X-Forwarded-For Header You've probably seen headers like these in common 403-bypass wordlists (e.g., my gist):

X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Client-IP: 127.0.0.1

…and hundreds of similar variations (with 127.0.0.1, localhost, 192.168.1.1, internal IPs, etc.), but have you ever stopped to wonder why they sometimes actually work to bypass IP-based restrictions, rate limits, or 403/401 responses? The answer lies in how unreliable and inconsistent the handling of "real client IP" headers is when a web application sits behind a reverse proxy (whether that’s a CDN like Cloudflare, an AWS ALB, a simple Nginx instance, etc.). It’s quite challenging for developers, because there’s no universal, standardized way for proxies to convey the original visitor’s IP to the backend and even less consensus on how the backend should parse and trust that information. As a result, developers often rely on headers like X-Forwarded-For, X-Real-IP, or True-Client-IP to detect a visitor’s “real” IP address. But many frameworks use fragile logic especially the common pattern of trusting the left-most value in X-Forwarded-For. This is dangerous because the left-most entry is fully controlled by the client. Cloudflare, AWS ALB, and many other proxies append the real IP to the header instead of overwriting it. So an attacker can send:

X-Forwarded-For: 127.0.0.1

and it becomes:

127.0.0.1, <real attacker IP>

Many libraries (like go-chi/httprate in Go) will mistakenly trust that spoofed first value. The app then believes the user is localhost or a trusted internal IP and may skip rate limits, authentication checks, or internal-only protections entirely. This is not rare! dozens of frameworks and servers (Express, Jetty, IIS, Go libs, etc.) use inconsistent or insecure parsing strategies. The root problem: trusting client-controlled forwarding headers without restricting which proxies are allowed to set them. • I summarized the blog, but I highly recommend reading the full article here: Article #bugbounty #recon #HTTP #bypass © T.me/BugBounty_Diary

Het Hunter's, DarkShadow here back again! ✅CRLF injection Explain🔥

This vulnerability allow an attacker to add there custom header on the responds! If you can inject \r\n.

☠️Impact (it can chain with): 1. XSS 2. open redirection 3. Cache Poisoning 4. Session Fixation [Inject custom Set-Cookie: eaders] 5. Inject Access-Control-Allow-Origin: * [make CORS] 6. CORS bypass to Sensitive Info Leak 7. Web Cache Deception 8. Phishing via Responds manipulation [\r\n\r\n<h1>Hacked</h1>] Now Guy's show your love ❤️ #bugbountytips #crlf

🛡️ Bug Bounty Tip: Cloudflare 403 Bypass for Time-Based Blind SQLi When your payload gets blocked by Cloudflare (403), try obfuscation with URL encoding to sneak it past! ❌ Blocked Payload

(select(0)from(select(sleep(10)))v) → 403 Forbidden

✅ Bypass Payload

(select(0)from(select(sleep(6)))v)/*'%2B(select(0)from(select(sleep(6)))v)%2B'%5C"%2B(select(0)from(select(sleep(6)))v)

🔍 This obfuscation can help trigger Time-Based Blind SQLi even when WAF protection is in place. ✅Credit: @nav1n0x

⚡️Outdated but Helpful Some MySQL tricks to break some #WAFs out there. ⚔️ by @BRuteLogic SELECT-1e1FROM`test` SELECT~1.FROM`test` SELECT\NFROM`test` SELECT@^1.FROM`test` SELECT-id-1.FROM`test` #infosec #cybersec #bugbountytips

Hey Hunter's, DarkShadow here back again, dropping a really interesting bypass method! ❎WAF block: whoami ✅WAF bypass: $'\x77\x68\x6f\x61\x6d\x69' ✨Bash script:

#!/bin/bash str="$1" out="" for ((i=0; i<${#str}; i++)); do     char="${str:i:1}"     ascii=$(printf '%d' "'$char")     hex=$(printf '%02x' "$ascii")     out="${out}\\x${hex}" done echo "$'$out'"

Guy's using my this dark-hex script you can directly execute obfuscate commands in bash! #bugbountytips #bypass