I'm thrilled to announce that I've once again secured a spot on the MSRC's 2024 Q1 leaderboard! 🏆 It's an honor to be recognized among the top performers in the Microsoft Security Response Center community. But this achievement wouldn't have been possible without the invaluable experiences and learnings gained along the journey. It's truly humbling to reflect on the growth since being featured on the Microsoft Hackers leaderboard in 2023. 🚀 Top Hacker's Ranking in MSRC Leaderboard, MSRC 2023 Q1 Leaderboard ✅ MSRC 2023 Most Valuable Security Researcher Leaderboard ✅ MSRC 2023 Q3 Leaderboard ✅ MSRC 2024 Q1 Leaderboard ✅ Special Thanks to @msftsecresponse ❤️ ./Keep_Hacking ❤️ #MSRC #Cybersecurity #BugBounty #MicrosoftSecurity #XSSVulnerabilities #storedXss #xss #xsslove #bypass #persistentxss #microsoft #dynamics #o365 #hacker #master #exploitation  #webapplicationsecurity #ranges #pivoting #doublepivoting #iot #iotsecurity #ctf #blackhat #blackhatmea #apple #google #atlc #support #hacked #xss #blindxss #hacking #cybersecurity #phishing #infosec #malware #cyberattack #privacy #cybercrime #databreach #recon #halloffame #bugbounty #pentesting #redteam #penetrationtesting #infosec #keep_hacking
I am thrilled to announce that in 2023-24, I've contributed to Microsoft's cybersecurity efforts by reporting and resolving Blind and Stored XSS vulnerabilities across various subdomains. I am delighted to share that my efforts have been recognized, and I have been awarded bounties for my contributions.

Reports:
20 - Blind & Stored XSS
2 - N/A
5 - Duplicates
7 - OOS (Valid but Not Eligible for Bounty)
6 - Bounties
Total - $18,000

Methodology:
In my XSS testing journey on Microsoft platforms, I've consistently relied on a simple yet effective method. Whenever I encounter input fields, I meticulously inspect each response using BurpSuite. Here's how I do it:

1) Payload Inspection: Before saving any input, I insert various payloads into the input boxes and monitor the responses in Burp Suite.
2) Understanding HTML Character Entities: Often, I notice that the platform converts my payloads into HTML Character Entities. For instance:
< (less than) becomes `&lt;`
> (greater than) becomes `&gt;`
3) Payload Crafting: Armed with this knowledge, I analyze the code and existing protections in place. Then, I tweak my payloads accordingly to bypass these defences.
4) Effective Payloads: One of the payloads that consistently worked for me was:
<iframe/onload=alert(document.domain)>

By understanding how the code interprets and protects against XSS attacks, we can craft payloads that evade detection and uncover vulnerabilities effectively.

A huge thank you to the Microsoft Security Response Center for their responsiveness and collaboration throughout this process. Together, we are working towards a safer digital landscape for all users.
@Microsoft & @msftsecresponse ❤️ XSS is Love ❤️💯 ./Keep_Hacking ❤️ #Cybersecurity #BugBounty #MicrosoftSecurity #XSSVulnerabilities #storedXss #xss #xsslove #bypass #persistentxss #microsoft #dynamics #o365 #hacker #master #exploitation  #webapplicationsecurity #ranges #pivoting #doublepivoting #iot #iotsecurity #ctf #blackhat #blackhatmea #apple #google #atlc #support #hacked #xss #blindxss #hacking #cybersecurity #phishing #infosec #malware #cyberattack #privacy #cybercrime #databreach #recon #halloffame #bugbounty #pentesting #redteam #penetrationtesting #infosec #keep_hacking
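From the defender's side, the entity conversion described in the post above only protects a page if every character that is significant in the output context is encoded, not just `<` and `>`. The following is an added example, not part of the original post or of any Microsoft code; the function names, the `div` template and the quote-bearing sample value are constructed assumptions.

```javascript
// Added example: regression check that a stored value cannot change the
// structure of the template it is rendered into. All names are hypothetical.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encodes every character that is significant in HTML text and in quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Weak variant: converts only the two characters mentioned in the post.
function weakEncode(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Renders one stored field into two sinks: a quoted attribute and element text.
function renderComment(stored, encode) {
  const safe = encode(stored);
  return `<div class="comment" title="${safe}">${safe}</div>`;
}

// Lists the tag names in the output and the attribute names of the opening tag.
function structureOf(html) {
  const tagNames = [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  const openTag = html.slice(0, html.indexOf('>') + 1);
  const attrs = [...openTag.matchAll(/\s([^\s"'=<>\/]+)="[^"]*"/g)].map((m) => m[1].toLowerCase());
  return { tagNames, attrs };
}

// True when the rendered output still has exactly the template's own structure.
function templateIntact(stored, encode) {
  const { tagNames, attrs } = structureOf(renderComment(stored, encode));
  return JSON.stringify(tagNames) === JSON.stringify(['div']) &&
         JSON.stringify(attrs) === JSON.stringify(['class', 'title']);
}

// Test value quoted in the post, plus a constructed benign value containing a quote.
const PAGE_PAYLOAD = '<iframe/onload=alert(document.domain)>';
const QUOTE_SAMPLE = 'note" data-injected="1';

console.log(templateIntact(PAGE_PAYLOAD, weakEncode));  // angle brackets are covered
console.log(templateIntact(QUOTE_SAMPLE, weakEncode));  // attribute sink is not
console.log(templateIntact(QUOTE_SAMPLE, encodeHtml));  // full encoding holds
```

A check of this kind belongs in the test suite for every template that renders stored user input, with one case per output context the template uses.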
I am super happy to share that I was rewarded with bypass for my 3rd Stored XSS on another domain of @Microsoft ❤️

Bug: Bypass Stored XSS
Bounty: $3000

Try to find similar domains with same functionality of your previous bugs and that's why we say recon wins the game 💯🦾

** Try changing the special characters in your payloads, and experiment with different ones. Also, consider not encoding in Burp, and try creating payloads with a combination of JavaScript functions and Event Handlers. This approach worked for me ***

@msftsecresponse 🦾 XSS is Love ❤️💯 ./Keep_Hacking ❤️ #storedXss #xss #xsslove #bypass #persistentxss #microsoft #dynamics #o365 #hacker #master #exploitation  #webapplicationsecurity #ranges #pivoting #doublepivoting #iot #iotsecurity #ctf #blackhat #blackhatmea #apple #google #atlc #support #hacked #xss #blindxss #hacking #cybersecurity #phishing #infosec #malware #cyberattack #privacy #cybercrime #databreach #recon #halloffame #bugbounty #pentesting #redteam #penetrationtesting #infosec #keep_hacking
Hello Everyone, I am happy to share that I have found another bypass for Stored XSS on a different domain of @Microsoft ❤️

Bug: Bypass Stored XSS
Bounty: $3000

Same methodology again 🦾

** Try changing the special characters in your payloads, and experiment with different ones. Also, consider not encoding in Burp, and try creating payloads with a combination of JavaScript functions and Event Handlers. This approach worked for me ***

@msftsecresponse ❤️ XSS is Love ❤️💯 ./Keep_Hacking ❤️ #storedXss #xss #bypass #persistentxss #microsoft #dynamics #o365 #hacker #master #exploitation  #webapplicationsecurity #ranges #pivoting #doublepivoting #iot #iotsecurity #ctf #blackhat #blackhatmea #apple #google #atlc #support #hacked #xss #blindxss #hacking #cybersecurity #phishing #infosec #malware #cyberattack #privacy #cybercrime #databreach #recon #halloffame #bugbounty #pentesting #redteam #penetrationtesting #infosec #keep_hacking
Hello Everyone, I am happy to share that I have found a bypass for Stored XSS on @Microsoft ❤️

Bug: Bypass Stored XSS
Bounty: $3000

*** Try changing the special characters in your payloads, and experiment with different ones. Also, consider not encoding in Burp, and try creating payloads with a combination of JavaScript functions and Event Handlers. This approach worked for me. ***

./Keep_Hacking ❤️ Thank you @msftsecresponse ❤️ #storedXss #xss #bypass #persistentxss #microsoft #dynamics #o365 #hacker #master #exploitation  #webapplicationsecurity #ranges #pivoting #doublepivoting #iot #iotsecurity #ctf #blackhat #blackhatmea #apple #google #atlc #support #hacked #xss #blindxss #hacking #cybersecurity #phishing #infosec #malware #cyberattack #privacy #cybercrime #databreach #recon #halloffame #bugbounty #pentesting #redteam #penetrationtesting #infosec #keep_hacking
28 Jun 2019
The most damaging type of XSS is Stored XSS (Persistent XSS) Try @bekchytr for free bekchy.com #XSS #storedXSS #persistentXSS #Hacking #CyberSecurity #websecurity #WAF #cloudWAF
bit.ly/2EaS225 What Is Persistent XSS? Read here. #xss #persistentxss #vulnerabilityassessment