Hey Fediverse. Can you get @zaproxy to 15k ⭐️?

#OpenSource #DAST #AppSec #WebAppSec #ITSec #CyberSec #PenTest #BugBountyTips

Current Stars 14500

https://github.com/zaproxy/zaproxy

Using #owasp tool Amass 5.0.0 for recon. Hope this helps!

https://medium.com/@marduk.i.am/amass-5-0-0-usage-for-recon-8041bc727480

#bugbountytips #bugbounty #CyberSecurity #resonnaissance #EthicalHacking

The payload contains '|/???/\b**\h,' which is meant to confuse WAF rules. Unusual characters are a common evasion tactic.

image by: win3zz

#cybersec #BugBountytips #infosec

Latest #Portswigger SQL lab write-up.

https://medium.com/@marduk.i.am/visible-error-based-sql-injection-2deb4b77ac64

#BugBounty #bugbountytips #SQL #SQLI #injection #informationsecurity #PortswiggerLabs

Latest #Portswigger lab write-up.

#BugBounty #bugbountytips #SQL #SQLI #injection #informationsecurity #PortswiggerLabs

https://medium.com/@marduk.i.am/blind-sql-injection-with-conditional-errors-7850fe9bc73b

this is your reminder that if you're using Burp for web app testing, you should be using an extension that lets you use variables in your outgoing requests. variables functionality gives you a single place to update credential, token, and identifier values which improves productivity and reduces false positives. there are a few extensions that provide this functionality and I recommend my extension, Burp Variables, which is purpose-built for it: https://github.com/0xceba/burp_variables

#burp #burpsuite #burp_suite #pentesting #pentest #bugbounty #bugbountytips #hacking

 Introducing KeyChecker – a CLI to fingerprint SSH private keys & map them to Git hosting accounts.

We have been talking about this in our classes for a long while, finally automation is present now.

  Blog: https://cyfinoid.com/automating-a-known-weakness-introducing-keychecker/
 PyPI: https://pypi.org/project/keychecker/

#bugbountytips #ssh #git #github #infosec #postexploitation

Looking for JavaScript files? Look no further!

https://medium.com/@marduk.i.am/recon-methodology-javascript-file-hunting-254127ecd211

#JSHunting #HiddenEndpoints #BugBountyTips #EthicalHacking

Are you located in the US/EU? Passionate about #appsec? Maybe you follow #bugbountytips or are an avid #ctf player and are ready to take the next step. If so, we're looking for our next #intern, so consider applying today - https://hackers.doyensec.com.
#doyensec #security #internship #bugbounty

Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix
https://hackerone.com/reports/3255707

#bugbounty #bugbountytips #bugbountytip

Automate Your Recon: One API to Run All Your Pentesting Tools Instantly
https://infosecwriteups.com/automate-your-recon-one-api-to-run-all-your-pentesting-tools-instantly-e1502862c2c7?source=rss------bug_bounty-5

#bugbounty #bugbountytips #bugbountytip

📁🫷🚧Can't control the extension of a file upload, but you want an XSS?
Read more on how we overcame this obstacle to further exploit entire organizations using Fortinet endpoint protection:

https://www.sonarsource.com/blog/caught-in-the-fortinet-how-attackers-can-exploit-forticlient-to-compromise-organizations-2-3?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-caught-in-the-fortinet-260625-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=social

#appsec #vulnerability #bugbountytips

What’s your go-to ZAP feature?

🤔 Is it:
A) Universal “yes” 😀
B) Encode/Decode/Hash (scriptable)
C) Fuzzer
D) Scripting
E) API Import
F) Active Scan

👇 Drop your answer + why. Let’s learn from each other. #CyberSecurity #zaproxy #BugBountyTips

#bugbountytips #memes #funny #cybersecurity

🚨 Want to start learning ethical web hacking for FREE?

🎯 In this video, I break down 3 websites that offer hands-on labs, structured paths, and gamified learning - perfect for beginners in web application penetration testing and bug bounty!

🎓 Here’s who made the list:

✅ PortSwigger Web Security Academy
Learn real-world web vulnerabilities with interactive labs

✅ TryHackMe
Gamified challenges + guided learning paths

✅ Hack The Box
Academy modules, practice labs & certifications — all linked together

But I didn’t stop at listing them.

💡 I shared my professional take on:
1️⃣ Their unique strengths
2️⃣ What makes each platform great for beginners
3️⃣ And where they could improve to become even better

This isn't just another list — they are insights from an active bug bounty hunter from Singapore 🇸🇬😊

📺 Watch here: https://www.youtube.com/watch?v=_LrpMiAD8rg
📌 Timestamps and useful links in the video description

👇 Comment your favorite FREE hacking resources — let's share and help each other grow!

#BugBounty #BugBountyTips #CyberSecurity #EthicalHacking #TryHackMe #HackTheBox #PortSwigger

👋 If you're into bug bounty or just starting your ethical hacking journey, this might help.

I made a step-by-step video on how to set up Kali Linux on Docker — with a twist:
✅ Install and run Kali Linux in a Docker container
✅ Avoid the "it works on my machine" problem
✅ Create a custom Kali Linux Docker image
✅ Set up a file share between host and container

💡 This is my go-to method when I want something lightweight, fast, and repeatable. It's especially helpful if you're mentoring others or creating walkthroughs, since the environment is always consistent.

🎥 Here's the full tutorial: https://www.youtube.com/watch?v=JmF628xGk1A

Let me know if you have used Docker in your hacking workflow — or if you have a better setup!

#kali #kalilinux #ethicalhacking #bugbounty #bugbountytips #docker

My methodology for finding subdomains. I hope it helps!

https://medium.com/@marduk.i.am/recon-methodology-subdomain-enumeration-0e0493001a03

#bugbountytips #bugbounty #CyberSecurity #resonnaissance #EthicalHacking

Latest lab write-up. Came out a bit long but very informative.

https://medium.com/@marduk.i.am/blind-sql-injection-with-conditional-responses-46ee90b5f2c0

#BugBounty #bugbountytips #SQL #SQLI #injection #informationsecurity #Portswigger

❓ How can bug bounty programs …
1️⃣ Keep hackers engaged in the long term?
2️⃣ Effectively increase the amount of good quality reports that you receive?
3️⃣ Stand out from competition and be the program that hackers choose to hack on?

📽️ In this video, I covered 5 tips that can allow any bug bounty programs to stand out from the rest. If you implement them, you can expect an increased participation from skilled and good hackers (or security researchers) and a consistent stream of valuable vulnerability submissions! Most importantly, are you ready to handle the resulting high quality reports? 😊

🫵 Hackers, if these tips hit the mark, please share them with your favourite bug bounty programs! Your input could lead to improvements like loyalty programs and direct report submissions (skip platform analysts or triage teams). Let's level up the bug bounty landscape together! 😎

⬇️⬇️⬇️

https://youtu.be/msr-7ZtmLdE

#bugbounty #bugbountytips #togetherwehitharder #hackerone #ittakesacrowd #outhackthemall #bugcrowd #bugcrowdtipjar #hackwithintigriti #intigriti #yeswehack #yeswerhackers #ethicalhacking #whitehat

Quickest way to reliably find business logic flaws is to change your mindset:

You're not looking for bugs, you're hunting for assumptions.

Somewhere out there, a dev assumed no one would ever do *that*. So be the first person to do it.

#bugbountytips #cybersecurity