Curious to Learn
Joined November 2019
- Tweets 6,141
- Following 970
- Followers 1,029
- Likes 22,493
64 Photos and videos
Ved Parkash retweeted
Jun 13
Brutecat's "$500,000 Google bug with AI" write-up sent us down a rabbit hole.
My team ended up building an internal tool to help with research, target analysis, and finding things that are easy to miss when you're staring at the same target for hours.
Not public (yet). Join team.
2
6
151
8,432
Ved Parkash retweeted
nice bypass for validation
video source: youtube.com/watch?v=z1FpSFG2…
3
8
62
3,074
Ved Parkash retweeted
Jun 13
Auth bugs pay the most in bug bounty. Most hunters never touch them, because they never actually understood how auth works.
In this video, I break down web auth the way the developer who built it sees it. Sessions, JWTs, OAuth 2.0, the Authorisation Code Flow, PKCE, and OpenID Connect. Why each protection exists, what it defends, and the exact bug that shows up when it's missing.
Auth For Hackers youtu.be/csKveMxn8rA
#BugBounty #WebSecurity #EthicalHacking #AmrSec #OAuth #JWT #OIDC
4
12
140
5,174
Ved Parkash retweeted
Jun 13
I want to learn about SSRF but im not able to find good resource in single place help me out #bugbounty
14
6
84
7,397
Ved Parkash retweeted
Jun 13
jwt .io shows you the token. it won't tell you how to break it.
so i built jwtforge.
it audits JWTs for vulns (alg:none, algorithm confusion, kid/jwk injection) and forges working attack tokens with curl/burp/nuclei/jwt_tool ready to run.
all in your browser. nothing leaves your tab.
jwtforge.com
1
26
160
7,884
Ved Parkash retweeted
Jun 13
They verify your login in client-side JavaScript, never on the server. So you can walk right in.
New write-up: Client-side Authentication Bypass. 4 real cases (one led to a $4,000 SQLi):
kuldeep.io/posts/client-side…
#BugBounty #AppSec #InfoSec #BarracksArmy
3
37
275
9,875
Ved Parkash retweeted
Jun 12
Got rewarded almost 8,000$ like below
Was able to remove every user being lowest permission user - 2000$
2 IDOR and Admin bypass at self host - 3000$
Multiple BAC issue - 1500$
2500$ - 3 XSS using @xss0r - so it was get based and POST based which was chained with XSS.
5
7
147
5,640
Ved Parkash retweeted
Jun 12
1️⃣ 60 Remote Code Execution in 60 minutes
@TheLaluka walks through 60 different ways to obtain unauthenticated RCE on targets, complete with full chains and references to learn more about each vulnerability. The talk is in French but the slides are in English and packed with technical detail (and great memes) 😎
youtube.com/watch?v=Z9GN6c
4
4
26
3,703
Ved Parkash retweeted
Jun 12
We just dove into our shelf of archived bug bounty write-ups from the most notable hackers! 🤠
In this issue, we selected 5 compelling articles (that are still relevant today) to share with you, from which you can learn something new! 😎
🧵 👇
2
14
58
3,989
Ved Parkash retweeted
Jun 11
A Checklist for Nginx Pentesting
cristivlad.substack.com/p/ng…
8
34
1,372
Ved Parkash retweeted
Jun 11
Next.js applications often expose _buildManifest.js, which can reveal routes and associated JavaScript assets.
This parser makes it easy to extract that information and quickly expand the attack surface during reconnaissance.
Source: sharokhataie.github.io/build…
#BugBounty #Recon #NextJS #AppSec #InfoSec
2
18
70
3,058
Hacking Google with A.I. for $500,000
brutecat.com/r/hacking-googl…
59
500
2,457
321,141
Ved Parkash retweeted
How a Single JSON Parameter Allowed Unauthorized Manipulation (IDOR) by George Zakary medium.com/@georgezakary60/h… #bugbounty #bugbountytips #bugbountytip
7
43
2,399
Ved Parkash retweeted
Jun 10
$12,500 Bug Bounty 💰
Making HTTP header injection critical via response queue poisoning by James Kettle 🤯🔥
👨💻 James Kettle (x/albinowax)
🔗 portswigger.net/research/mak…
🔗 Join team 👉t.me/luckyhacker43
1
44
352
9,918
Ved Parkash retweeted
Jun 8
All You Need to Master IDOR: A Complete Resource Guide by B1scuit 🔥
👨💻 Raunak Gupta (B1scuit)
🔗 medium.com/@RaunakGupta1922/…
Stay connected:
🔗 t.me/luckyhacker43
16
106
2,801
Not everyone who reports to Google Cloud VRP does a writeup, but critical bugs still show up in CVEs and release notes
Made a tool that aggregates both so you can see the types of bugs getting found in GCP
gcp-cves.brutecat.com/
5
40
322
19,841
Ved Parkash retweeted
Finally I am publishing my first medium article pls go and read and give your thoughts on: “From Self-XSS to Account Takeover: How I Turned a Low-Severity Finding into a Critical…“ by Kanishk dadhich on Medium: medium.com/@kanishkdadhich12…
@theXSSrat
1
9
117
5,824
Ved Parkash retweeted
Jun 8
This Hacker Made $7,000 Hacking AI With One Email
youtu.be/3oARlXLiySw
4
15
150
23,917
13
81
4,107