Pentester | Bug Bounty Hunter | #hackerone | #intigriti | #bugcrowd @sumgr0@infosec.exchange
Joined May 2009
Pinned Tweet
7 May 2021
It just keeps getting better 😉 Thank you @intigriti ✌🏻
7 May 2021
Curious how to launch yourself into the top ranks of our quarterly leaderboard in only a few weeks time? @sumgr0 recently pulled this off, so we sat down with him to try uncover some of his secrets! 😏 Check out our interview: blog.intigriti.com/2021/05/0…
sumgr0 retweeted
🚨 CVE-2026-0257 - Palo Alto Networks PAN-OS - Authentication Bypass 🔍 Nuclei Template: cloud.projectdiscovery.io/li… 📑 Reference: rapid7.com/blog/post/etr-rap… #kev #authbypass #bugbounty
How to scan a target's API architecture at Jsmon, with an example 👇
1⃣ Domain scan - dashboard.stripe.com/login
2⃣ 7000 API endpoints extracted, visible in the sidebar
🤯 TIP 1: Configure the depth, headers, and other filters in "options" to tune the results as per your set target
🤯 TIP 2: Check API endpoints in the Reconnaissance section to set page size and export as JSON or CSV
Signup at app.jsmon.sh/signup and scan now.
Jsmon just hit a new record 📈 This month alone: 444,509 URLs scanned Last 3 months combined: 373,746 One month > three months. We launched Recurring Scans recently — set it once, monitor continuously. Looks like the numbers agree it was the right call. Coming up on 500K scanned this month. Watch this space. → jsmon.sh
sumgr0 retweeted
May 26
Dalfox v3 has been released 🔥 I've been rewriting it in Rust since August last year, and it's finally done. The biggest change is the engine. v3 no longer depends on a headless browser like v2 did. Instead, it uses DOM/AST analysis to check whether an XSS finding is actually valid. Tested on xssmaze, various challenge sites, and real-world targets, it reduces false negatives and false positives more effectively while scanning faster than v2. github.com/hahwul/dalfox/rel…
Introducing apiffuf (ffuf for APIs) 🔓 An API URL fuzzer that cross-joins hosts × paths → normalizes URLs → probes over HTTP → reports live endpoints. apiffuf -hosts targets.txt -paths wordlist.txt → github.com/jsmonhq/apiffuf #bugbounty #recon #appsec #infosec #cybersecurity
Introducing Bulk Scans in Jsmon. Scan thousands of assets in a single workflow:
• CIDR ranges & IPs
• Domains, hosts & URLs
• Set crawl depth, extensions & more filters
Built for large-scale recon, attack surface mapping, and enterprise scanning. No more one-by-one scans.
Jsmon now accepts Crypto payments 🪙 Head to jsmon.sh, pick your plan, and pay with your crypto wallet — no card needed. Security tools should be accessible to everyone, including the anon researchers 👀
sumgr0 retweeted
Here's something every bug bounty hunter should be checking on their targets 👇 AWS assets leaking through HTTP responses and headers. Cognito Pool IDs. S3 buckets. Lambda runtime URLs. Auth domains. Just shipped this detection on Jsmon - 20 AWS asset types. One domain scan, average ~10 seconds. Go run it on your current target. Live at jsmon.sh #bugbounty #bugbountytip #ethicalhacking #cybersecurity #awssecurity #aws
sumgr0 retweeted
Cloudflare won't save you. Jsmon now bypasses WAFs to scan what's actually exposed behind your firewall: Cloudflare, Akamai, and more. Watch the 30-sec demo over a Cloudflare-protected domain 👇 Live at jsmon.sh
We just dropped Jsmon's prices by 85%
Recon: $15/mo (was $100)
Recon Pro: $50/mo (was $100)
- completely rebuilt UI
- enhanced search & filters
- light/dark mode
- better scan controls
Hacker-Grade Security Scans for every security researcher in 1-click. jsmon.sh
Apr 27
Heading for the first @defcon at #Singapore. If you are also there and see me (bald and long-bearded guy), come say Hi! 👋
Apr 24
Traffic Rules > money/vehicle category/social status If only people understood this equation 🤦‍♂️
Writing this to Indian government authorities - @IndianGov @NHAI_Official @noidapolice @Uppolice @nitin_gadkari @Noidatraffic @uptrafficpolice. I've no clue why no one is writing about this. This is going to be a very raw tweet, and people can comment their views below. Rules are made or fine-tuned when someone questions wrongdoing.

Locations: Sec 62 Roundabout, Electronic City, diverging and merging roads near these locations. I travel from Ghaziabad to Noida Sec 62 daily. The road that takes 15 mins when traffic is very low takes around 40 mins on weekdays. Even if it took 30 mins, it would be bearable, but what's not bearable is people not doing lane driving, honking unnecessarily, changing lanes like they're their private roads, opening gates (when driving at 60) to spit out gutkha, using mobile phones and scrolling reels while driving on highways and in traffic.

Are traffic police folks untrained, corrupt, or not seeing the situation on roads in UP, Noida, Gurgaon? When VIPs come on the roads, they get good treatment: traffic police close the roads, and you see good roads, zero traffic, 70-100 km/hr speeds. When the 99.99% of other normal lower-class, middle-class, upper-class folks are on the same roads, they're facing auto drivers who stop in the first lane, second lane, and bus drivers who stop their buses anywhere on the roads, sometimes even in the middle of the road, to get 2 more passengers onboard. I've seen incidents of 2 passengers getting into an auto (which stopped in the 2nd lane) and 2 people on a bike getting into an accident because of the sudden stop by the auto guy. I've seen a bike guy floating in the air and falling from a flyover to the service lane (3-5 metres in height) (no clue if he's alive or able to walk) because of a bus doing a sudden lane change.

Things which I'm seeing wrong on UP, Noida, Gurgaon roads:
1. No lane driving (almost 50% of the people are not doing lane driving)
2. People don't follow the traffic lights
3. People don't stop before the zebra line (at traffic lights)
4. People honking when all the cars are in continuous traffic

Who's giving them driving licenses in India? Babus? Dalals? For 3000 Rs? For 1000 Rs? And who's responsible for injuries, accidents and deaths on these roads? Dalals, or the driver (who got the license because of that Dalal) who's not doing lane driving or driving on NE3 with a bike where bikes are not even allowed?

There are boards on the road with signs of "No Stopping", "No Parking". People are parking right there, and traffic police are also there. But no one is fining them. Traffic police should be trained to show no mercy based on someone's status: just fine them 1000 Rs, 5000 Rs, or whatever the fine is. Put the wrongdoers behind bars. This once-in-a-lifetime punishment will keep them regulated not just on roads; they'll start reading rules and regulations in restaurants, in flights, airports, etc. too.

Not sure if the DL givers (Dalals) or the traffic police folks are on X (Twitter), but the social media accounts whom I've tagged above must be reading this. If you are, please take some action.
We just open-sourced xnew — a blazing fast CLI for appending unique lines to files 🚀 Built in Go for security researchers working with massive datasets. Streams efficiently with a minimal memory footprint.
📊 Benchmarks (vs anew):
- 100M lines: 30s vs 1m38s
- 10M lines: 2.8s vs 12.4s
- Scales cleanly from 1K to 100M lines
Perfect for:
→ Subdomain deduplication
→ Endpoint lists
→ Wordlist management
→ Any large-scale data pipeline
⭐ github.com/jsmonhq/xnew
Uses XXH3 hashing and buffered I/O. Minimal memory, maximum speed. #infosec #bugbounty #golang #opensource
We've been heads-down shipping some major upgrades to Jsmon. Here's what's new 👇
⚡ 6.2× Faster Scans: We migrated our infrastructure from NoSQL → SQL and refactored core backend components. Result: scans are 6.2× faster.
🔎 Configurable Scan Depth (1–4)
• Depth 1 - Target page only
• Depth 2 - Target linked pages
• Depth 3 - Recursive crawl (1 level deeper)
• Depth 4 - Full deep recursive crawl
🛡 WAF Bypass Support: Jsmon now simulates a browser-like environment, allowing scans on assets that were previously unreachable.
More improvements coming soon. Feedback welcome 👇 Happy hacking 🎯
sumgr0 retweeted
We got frustrated with dealing with vendor dependencies when reverse engineering large applications. @ITSecurityguard from @SLCyberSec’s Sec Research Team built Hyoktesu to solve this problem forever: github.com/assetnote/hyokets… - releasing this today! Blog: slcyber.io/research-center/h…
sumgr0 retweeted
Sun, sea & cybersecurity. Had a great time with you guys at Nullcon & Seasides! #Nullcon #CyberSecurity #InfoSec #EthicalHacking #SecurityResearch #BugBounty #RedTeam #BlueTeam #AppSec #InfosecCommunity
sumgr0 retweeted
bbscope v2 is out & bbscope.com is live! A free #bugbounty tool to pull scope from HackerOne, Bugcrowd, Intigriti, YesWeHack, and Immunefi. Store it all in PostgreSQL, track changes, query it, pipe it into your tools. Thread on what's new 👇
sumgr0 retweeted
Hi everyone, fill in this form to participate in the hacker house. Once we have the exact number of people who can participate, we will invite 10 of you, in the first of many weekends. forms.gle/GFy11G16dDc3mb3P8
We are launching a Hacker House in Noida. If you are in Delhi NCR, feel free to join us. We will have one target and multiple hackers working on it together. It will be a full night of hacking, brainstorming, and sharing ideas. #hacking