what_web Profile
what_web (@jae_hak99)

Followers 3K | Following 221 | Media 29 | Statuses 319

@Hacker0x01 @Bugbounty @Web
Republic of Korea
Joined March 2020
@jae_hak99
what_web
2 months
I recently found out about a platform called #hackthebox. This platform provides a learning space and resources for learning about various subjects such as cybersecurity, web, networking, AI, etc. I think it would be very useful for researchers who want to learn more.
0
0
6
@jae_hak99
what_web
2 months
I have 15 reports pending program review. :) I hope the final result comes out soon 😃😃. @Hacker0x01 #bugbounty
[attached image]
9
3
178
@jae_hak99
what_web
2 months
We have developed a tool that, when a token, key, etc. is found in a sensitive repository, tests whether the token or key is actually valid and, if so, what is accessible with it, and automatically lists only the valid values in a .html file. Now you don't have to manually test whether tokens
[attached image]
0
0
5
@jae_hak99
what_web
3 months
Today during fuzzing, I found an employee-only domain within the same domain. The domain was open to the general public and had an email verification process, but it did not exist in the account interface.
0
0
5
@jae_hak99
what_web
3 months
I've been busy for a while, so I took a long break for 3-4 years. I recently started the #Hacker0x01 bug bounty activity again in May, and I found 20 vulnerabilities in the BBP program. All are under evaluation and review, and some are already being fixed. Hope it goes well :)
[attached image]
9
8
235
@jae_hak99
what_web
3 months
I'm working on validating whether sensitive tokens or API keys are working by analyzing JS files, GitHub repositories, etc. and I'm working on more scripts to automate this task. It's really fun to dig deeper into this. #bugbounty #Hacker0x01.
1
1
6
@jae_hak99
what_web
3 months
I successfully accessed my real credentials using a token leaked from a GitHub repository created by an individual or a third party, but it was not the official repository of the program. How does the program handle this case? #Hacker0x01 #bugbounty
0
0
3
@jae_hak99
what_web
3 months
Heroku API Key, GitHub Token, Stripe Key, JWT Token, Twilio SID, Mapbox Token, SendGrid API Key, Mailgun API Key, Cloudinary API Key, Imgur Client ID, OneSignal App ID. Detect and validate the above sensitive tokens and keys.
0
0
6
@jae_hak99
what_web
3 months
and over-cleaning output, sensitive key output and display for each JS file, and API key validity check. This tool I developed is implemented to a level where it can completely replace SecretFinder + shell script.
0
0
3
@jae_hak99
what_web
3 months
I have developed a top-notch automation tool that includes asynchronous processing (parallel processing possible with asyncio + aiohttp), file input processing, validation, false positive filtering,
0
0
0
@jae_hak99
what_web
3 months
I have completed the development of a JS file-based API key, token, hardcoded secret value, and sensitive information automatic analysis script that goes beyond SecretFinder functionality.
[attached image]
4
0
6
@jae_hak99
what_web
3 months
Also, sitemap.xml often includes legacy JS that is no longer used on the frontend. This JS uses a vulnerable version of jQuery. Don't just skip analyzing the JS files you collected with sitemap.xml.
0
0
0
@jae_hak99
what_web
3 months
sitemap.xml is meant to inform search engine crawlers about the structure of your site, but it often contains paths to internal JS files that should not be made public:
- admin API endpoints
- hardcoded private keys (JWT secret, API key)
- debugging JS code
#bugbounty #bugbountytip
1
0
5
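The two sitemap.xml posts above and the secret-scanning thread further up (the list of key types, the false-positive filtering, the SecretFinder replacement) describe one workflow. What follows is an added example written for this page, not the author's tool, showing the defensive half of that workflow: pull the JavaScript URLs out of your own sitemap.xml and scan each file for hard-coded credentials, with an entropy and placeholder filter to keep dummies out of the report. Everything in it is constructed: the sitemap, the JS bodies and every token are fake, `example.test` is a reserved test domain, the regexes are illustrative forms of well-known public token prefixes (my assumption, not taken from the posts), and the live-API validity check the author's tool performs is deliberately left out, so the output is only a file-and-line report for remediation.

```python
"""Audit the JavaScript files a sitemap.xml exposes for hard-coded secrets.
Constructed demonstration: sitemap, JS bodies and every token below are made up,
nothing is fetched over the network, and no key is checked against a live API."""
import math
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sitemap; the legacy admin/debug bundle should never have been listed.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/</loc></url>
  <url><loc>https://example.test/static/app.js</loc></url>
  <url><loc>https://example.test/static/legacy/admin-debug.js</loc></url>
  <url><loc>https://example.test/about.html</loc></url>
</urlset>"""

# Constructed JS bodies standing in for fetched files; all values are fake.
SAMPLE_JS = {
    "https://example.test/static/app.js": (
        "// placeholders and dummies only: must yield no findings\n"
        'const GITHUB_TOKEN = "ghp_' + "x" * 36 + '";\n'
        'const API_KEY = "YOUR_API_KEY_HERE";\n'
        'const SESSION_SECRET = "' + "a" * 24 + '";\n'
    ),
    "https://example.test/static/legacy/admin-debug.js": (
        "// legacy debug bundle with realistic-looking (constructed) credentials\n"
        'const GITHUB_TOKEN = "ghp_Ab3dEf9hIj2kLm5nOp8qRs1tUv4wXy7zBc0D";\n'
        'const STRIPE_SECRET = "sk_live_9mN2kP4qR7sT1vW3xY5zA8bC";\n'
        'const TWILIO_SID = "ACa1b2c3d4e5f60718293a4b5c6d7e8f90";\n'
        'const HEROKU_API_KEY = "f3a9c1d2-7b4e-4e8a-9c01-2d5e6f7a8b9c";\n'
        'const ADMIN_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
        'eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.Q7x2kLm9pR4sT6vW8yZ1aB3cD5eF7gH";\n'
    ),
}

# Illustrative public key formats (assumed) for some token types the posts name;
# a capture group marks the secret when a variable name is part of the match.
PATTERNS = {
    "GitHub token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Stripe live key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
    "Twilio SID": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "JWT": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "Heroku API key": re.compile(
        r"(?i)heroku[^\n]{0,40}?\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b"),
    "generic secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\w*['\"]?\s*[:=]\s*['\"]([A-Za-z0-9_-]{16,})['\"]"),
}
PLACEHOLDER_MARKERS = ("xxx", "your_", "example", "placeholder", "changeme", "todo")

def shannon_entropy(s: str) -> float:
    """Bits per character: 'aaaa' scores 0, real keys score well above 3."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_placeholder(value: str, min_entropy: float = 3.0) -> bool:
    """False-positive filter: obvious dummy text or too little randomness."""
    low = value.lower()
    return any(m in low for m in PLACEHOLDER_MARKERS) or shannon_entropy(value) < min_entropy

@dataclass(frozen=True)
class Finding:
    url: str
    kind: str
    value: str
    line: int

def js_urls_from_sitemap(sitemap_xml: str) -> list[str]:
    """Every <loc> whose URL path is a JavaScript file."""
    root = ET.fromstring(sitemap_xml)
    locs = [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]
    return [u for u in locs if urlparse(u).path.lower().endswith(".js")]

def scan_js(url: str, text: str) -> list[Finding]:
    """Run every pattern, drop placeholders, and report each value once
    (the earlier, more specific pattern wins over the generic context match)."""
    findings, seen = [], set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            group = m.lastindex or 0
            value = m.group(group)
            if value in seen or looks_like_placeholder(value):
                continue
            seen.add(value)
            findings.append(Finding(url, kind, value, text.count("\n", 0, m.start(group)) + 1))
    return findings

def audit(sitemap_xml: str, fetch) -> list[Finding]:
    """fetch(url) -> JS text; a dict lookup stands in for an HTTP client here."""
    out: list[Finding] = []
    for url in js_urls_from_sitemap(sitemap_xml):
        out.extend(scan_js(url, fetch(url)))
    return out

if __name__ == "__main__":
    for f in audit(SAMPLE_SITEMAP, SAMPLE_JS.__getitem__):
        print(f"{f.kind:16} {f.url}:{f.line}")  # location only; the value stays out of logs
```

Run as-is it reports five findings, all in the legacy admin-debug.js bundle, and none from app.js, whose `ghp_xxx…`, `YOUR_API_KEY_HERE` and `aaaa…` values are rejected by the placeholder markers and the 3-bit entropy floor. The generic `api_key|secret|token = "…"` pattern deliberately runs last so that a value already caught by a specific format is not reported twice, which is the "over-cleaning" of output the thread mentions; raising `min_entropy` or adding markers is how you tune the false-positive rate for your own code base.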
@jae_hak99
what_web
3 months
I just discovered the admin panel of the staging server while analyzing the JS files and collecting subdomains. #bugbounty.
0
0
4