Walid Hossain
@walidhossain_
Followers: 3K
Following: 11K
Media: 130
Statuses: 3K
Web app tester || Everything is vulnerable! || bugcrowd top 200 || https://t.co/pReiIkBOum For pentest: DM! 👆
(127.0.0.1)
Joined September 2017
I just published 🚨 From Curiosity to exploit: XSS via Qualtrics Feedback Forms https://t.co/qQ17TxY6DE
2
7
29
Hello! Just published new research with (@sml555_, @codecancare) 🍻 Who Needs A Blind XSS? https://t.co/bUpFj1p0Mh
#CyberSecurity #BugBounty
hx01.me
How spreadsheet formulas quietly ran inside internal systems.
4
40
196
Just learned a very interesting trick from @0xacb’s challenge at the @Bsideslisbon CTF. If an application uses "magick convert" to modify an uploaded image, it may be possible to achieve LFI by using "text:". One of the file formats supported by ImageMagick is "text",
6
60
345
great work
It’s just been updated! Check out the updated version of keyskit. We’ve added a new bunch of keys. An overview of it: while you're checking JS files and find a secret/key, you can just search for the provider name to get the command and severity directly. https://t.co/esScDhO7tq
0
0
1
CACHE POISONING QUICK WIN: Most apps validate X-Forwarded-Host as a single value. But try this: X-Forwarded-Host: https://t.co/c9BKdXEdW3, https://t.co/TIqwqgLYcJ
• CDN: Reads first → Allows ✅
• App: Reads last → Injects ⚠️
0
23
135
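The parsing differential the tweet above describes, modelled as an added example (not code from the tweet's author): an edge that validates only the first comma-separated value, a backend that trusts the last one, and a strict parser that accepts exactly one allow-listed host. The allow-list and host names are constructed samples.

```python
"""Added example: why a multi-valued X-Forwarded-Host slips past a
first-value check, and a strict parser that closes the gap."""
import re
from typing import List, Optional

# Constructed allow-list of hosts the application may be served as.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def split_forwarded_host(value: str) -> List[str]:
    """Split a comma-joined header value into its trimmed parts."""
    return [p.strip() for p in value.split(",") if p.strip()]


def edge_allows(value: str) -> bool:
    """Models an edge/CDN that validates only the FIRST value."""
    parts = split_forwarded_host(value)
    return bool(parts) and parts[0].split(":")[0] in ALLOWED_HOSTS


def app_picks_host(value: str) -> str:
    """Models a backend that uses the LAST value when building URLs."""
    parts = split_forwarded_host(value)
    return parts[-1] if parts else ""


def strict_forwarded_host(value: str) -> Optional[str]:
    """Hardened parsing: exactly one syntactically valid, allow-listed
    host; anything else returns None so the caller rejects the request
    or falls back to the Host header instead of guessing."""
    parts = split_forwarded_host(value)
    if len(parts) != 1:
        return None  # multi-valued or empty header: do not pick a side
    host = parts[0]
    if not HOST_RE.fullmatch(host):
        return None
    return host if host.split(":")[0] in ALLOWED_HOSTS else None


def classify(value: str) -> dict:
    """Show all three views of one header value side by side."""
    return {
        "edge_allows": edge_allows(value),
        "app_host": app_picks_host(value),
        "strict_host": strict_forwarded_host(value),
    }
```

Running `classify("www.example.com, untrusted.example")` shows the edge allowing the request, the backend picking the untrusted host, and the strict parser returning None.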
Let's talk manual testing for IDORs. I have pasted a payload from a redacted T-Mobile API below. It does not have a bug (that I am aware of) on it; I want to use this for educational purposes because it's a great teaching opportunity. A: This is a URI path parameter representing
13
148
750
A human being is nothing but a state of mind — when it becomes distressed, he becomes incapable of acting in matters of this world or the Hereafter. That’s why the Prophet ﷺ used to seek refuge from anxiety, sorrow, and grief every morning and evening.
1
2
21
We live in a world where people profit from beginners by selling courses, even selling PortSwigger lab solutions, and nobody talks about it. If someone publishes free, real-world demonstrations rather than lab walkthroughs, it provokes criticism. At least my video helped many to
42
34
531
For those of you still using `nc -lp 1337` like me (a dumbass) - allow me to introduce you to `nc -klp 1337`...
15
48
426
I usually brute-force API paths with the "Debug":true parameter, and often it leads to revealing internal debug info to reverse proxies, exposing API secrets and tokens.
13
87
966
BypaXSS - The Brute Art of Bypass Slides from the @BugBountyArg @ekoparty 2025 talk #XSS #Bypass #WebAppSec
https://t.co/0s3d4ErQdx
docs.google.com
BypaXSS The Brute Art of Bypass
3
53
185
Don't Skip Blackbox Logical Deduction Day! Keep a lookout for any mentions of headers that include -id, such as x-request-id. Add them to requests to see if their values are reflected.
1
9
71
Ever skipped a target after seeing “Welcome to nginx”? You might’ve missed a hidden app. In my latest video, I show how proper recon can turn that default page into real bounty opportunities. Watch the breakdown. Video link: https://t.co/g6tkenFBiz
4
60
365
Interested in Spring Boot Actuators in the context of bug bounty hunting? I wrote something - nothing new - just some insights ;) Article: https://t.co/aki2AaEZER Retweet appreciated! Don't expect 0days or some fancy magic.
dsecured.com
Practical guide to Java/Spring Boot pentests: Discovering Actuator, header and path bypasses, heap dump analysis, and countermeasures.
5
75
255
I’ve been hunting on H1 for almost 3 years, ranked #18 in 2025, have always tried to contribute positively to the hacker community. I’ve earned around $500k in bounties and was on the road to $1M. Yet I don’t even have HSM, and I feel I haven’t been recognized as I should 1/4
@Hacker0x01 is now banning people without explanation or showing how the terms and conditions were violated. While other platforms are advancing, H1's revolutionary new vision is to track hackers on social media, make assumptions and ban them without real proof.
40
131
797
Yesterday it was me and @GodfatherOrwa. Today, HackerOne banned @YShahinzadeh — one of the most talented hackers on the platform. Tomorrow it could be any of us… unless you’re a big content creator with a huge following. HackerOne grew because of hackers. We deserve to be
11
17
279
Ever stumbled on an AEM box and thought “ok… now what?” 😏 We dropped hopgoblin — new research + tool XXE, SSRF, XSS & more (CVE-2025-54251, -54249, -54252, -54250/47/48/46). 👀 time for some crits eh? 👉 https://t.co/mt7Hy0L8DN
3
38
227
https://t.co/Obc7lYSirT Super-nice technique! Something refreshing to see in the AI-everything era :)
3
25
158