Disclosed. June 23, 2025: Spaceraccoon's Book Pre-Order, AssetNote's Novel SSRF Technique, YesWeCaido Integration, and more.
The bug bounty world, curated.
Welcome to Disclosed.

Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free. Refer a friend to the newsletter to enter.
Shout out to this week’s winners (I will email you):
4k41
fjquirogap200105
sarazf3
PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.
Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️

Hey there! I hope you’re staying safe out there, and that this post gives you a few minutes of escape from everything going on in the world right now.
If you're eyeing a PentesterLab license, definitely jump into the giveaway. There are not many entries so far, so your odds are pretty great.
Things are picking up at work and over at Bug Bounty Village. Big thanks to Critical Thinking for the shout-out this week. If you haven’t checked out their pod yet, it’s worth a listen.
A lot’s happening in the bug bounty world, so let’s dive in.
In This Issue

“From Day Zero to Zero Day” Pre-Order Available [🔗 Tweet]
by @spaceraccoonsec
From Day Zero to Zero Day by Eugene "Spaceraccoon" Lim is a hands-on guide that teaches practical vulnerability research techniques, including code review, reverse engineering, fuzzing, and exploit development. Designed for both beginners and experienced researchers, it walks readers through real-world examples to help them identify, analyze, and report security vulnerabilities across various platforms.
Pre-order →

YesWeHack & Caido Introduce YesWeCaido [🔗 Tweet]
by @yeswehack
YesWeHack has introduced a new plugin for Caido that facilitates easier management and addition of bug bounty targets, streamlining the workflow for security researchers.
Read the full tweet →
📢 Do you use Caido? A new plugin from YesWeHack has just landed in the @CaidoIO plugin store that enables you to access all your #BugBounty Programs within Caido and add targets to your scopes tab with a single mouse click 🔥👇
— YesWeHack ⠵ (@yeswehack)
3:00 PM • Jun 17, 2025
Novel SSRF Technique Involving HTTP Redirect Loops [📓 Blog]
by Shubham Shah (SearchLight Cyber)
The technique abuses HTTP redirect loops to get past SSRF defenses: a benign-looking, attacker-controlled domain bounces the request through a chain of allowed redirects that ends at an internal or otherwise restricted destination, so a filter that validates only the initial URL never inspects the hop that actually matters.
Read more →
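As an added example, not code from the SearchLight Cyber post and not a reproduction of its exact technique: the weakness the summary names, a fetcher that validates only the first URL and then follows redirects blindly, next to one that validates every hop before issuing it. The hostnames, addresses, resolver table and redirect chain are constructed stand-ins so the code runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table (hostnames and addresses are hypothetical).
# A real fetcher must validate the *resolved* address of every hop, since the
# hostname string alone says nothing about where the connection will go.
FAKE_DNS = {
    "attacker.example": "93.184.216.34",
    "cdn.example": "93.184.215.14",
    "metadata.internal": "169.254.169.254",
}

# Constructed web: url -> (status, Location header or None, body).
# The attacker's benign-looking start URL bounces through a trusted host
# before landing on an internal, link-local service.
FAKE_WEB = {
    "https://attacker.example/start": (302, "https://cdn.example/hop", ""),
    "https://cdn.example/hop": (302, "http://metadata.internal/latest/meta-data/", ""),
    "http://metadata.internal/latest/meta-data/": (200, None, "instance-id=i-0123"),
    "https://cdn.example/ok": (200, None, "hello"),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_safe_target(url: str) -> bool:
    """True only for http(s) URLs whose resolved address is globally routable.

    ip.is_global is False for loopback, RFC 1918 private, link-local,
    carrier-grade NAT and reserved ranges, which covers the usual SSRF targets.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    addr = FAKE_DNS.get(parsed.hostname)
    if addr is None:
        return False
    return ipaddress.ip_address(addr).is_global


def fetch(url: str):
    """Stand-in for the HTTP client: looks the URL up in the constructed web."""
    return FAKE_WEB.get(url, (404, None, ""))


def naive_fetch(url: str, max_redirects: int = 10):
    """Weak pattern: validates the initial URL, then follows redirects blindly."""
    if not is_safe_target(url):
        raise ValueError("blocked: " + url)
    for _ in range(max_redirects + 1):
        status, location, body = fetch(url)
        if status in REDIRECT_CODES and location:
            url = location          # never re-validated
            continue
        return url, body
    raise RuntimeError("too many redirects")


def hardened_fetch(url: str, max_redirects: int = 10):
    """Validates every hop, including the last, before the request is issued."""
    for _ in range(max_redirects + 1):
        if not is_safe_target(url):
            raise ValueError("blocked: " + url)
        status, location, body = fetch(url)
        if status in REDIRECT_CODES and location:
            url = location
            continue
        return url, body
    raise RuntimeError("too many redirects")


def is_blocked(fetcher, url: str) -> bool:
    """Does this fetcher refuse the chain that starts at url?"""
    try:
        fetcher(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(naive_fetch("https://attacker.example/start"))          # reaches the metadata host
    print(is_blocked(hardened_fetch, "https://attacker.example/start"))  # True
```

The model deliberately leaves out DNS rebinding between the check and the connect; in production, resolve once, validate the resolved address, connect to that address rather than re-resolving, and keep a hard cap on redirect depth so a loop cannot exhaust the worker.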

Have something you want to Spotlight? Tell me.

HackerOne Welcomes 30 New Brand Ambassadors Worldwide [🔗 Tweet]
by @Hacker0x01
HackerOne is excited to welcome 30 new Brand Ambassadors from 8 new locations, promoting collaboration and knowledge sharing among security researchers.
Read the full tweet →
🌍 New clubs, new faces—same mission: bring security researchers together to share knowledge, hack collectively, and make the digital world safer for everyone.
We’re welcoming 30 new HackerOne Brand Ambassadors and planting flags in 8 fresh locations—Azerbaijan, Belgium,
— HackerOne (@Hacker0x01)
6:25 PM • Jun 17, 2025
HackerOne crowns Japz as Ambassador of the Quarter [🔗 Tweet]
by @Hacker0x01
During HackerOne's quarterly town hall, Brand Ambassadors shared achievements and acknowledged a leading security researcher for their contributions.
Read the full tweet →
At our latest quarterly town hall meeting, the HackerOne team and Brand Ambassadors from around the world came together to share wins and showcase the outstanding work driving the next generation of security researchers.
This quarter we’re honoring a standout leader who goes
— HackerOne (@Hacker0x01)
8:54 AM • Jun 17, 2025
OVHcloud Launches Limited-Time Bug Bounty Challenge [🔗 Tweet]
by @yeswehack
OVHcloud has introduced a limited-time bug bounty challenge via YesWeHack, providing increased rewards for critical and high-severity vulnerabilities.
Read the full tweet →
🚨 New @OVHcloud hunting opportunity on @yeswehack!
OVHcloud has launched a time-limited #BugBounty challenge focused on a specific scope, with boosted rewards:
💰 +25% for criticals
⚡ +50% for high-severity vulnerabilities
Don’t miss the opportunity to dig into a fresh target
— YesWeHack ⠵ (@yeswehack)
12:02 PM • Jun 20, 2025
CoinDesk Data Launches New Bugcrowd API Program [🔗 Tweet]
by @Bugcrowd
CoinDesk Data has launched its API program on Bugcrowd, inviting researchers to identify vulnerabilities in the system.
Read the full tweet →
New target alert 🚧
CoinDesk Data just made their API program public on Bugcrowd!
🧪 Go test it: bugcrowd.com/engagements/CC…
— bugcrowd (@Bugcrowd)
4:37 PM • Jun 16, 2025
NiceHash Doubles Rewards for Critical Bug Findings [🔗 Tweet]
by @Hacker0x01
From June 22 through July, NiceHash is offering doubled rewards for findings of critical and high vulnerabilities, encouraging bounty hunters to get involved.
Read the full tweet →
Bounty hunters, get ready! Sunday (22 June) through July, NiceHash is doubling rewards for critical and high findings.
Get in on the action: bit.ly/4mB9rnX
— HackerOne (@Hacker0x01)
9:36 PM • Jun 20, 2025
Join Intigriti's Challenge for €400 in Prizes [🔗 Tweet]
by @intigriti
Intigriti announces a capture the flag challenge with a prize pool of €400 for participants, offering tips through tweet engagements.
Read the full tweet →
⏰ It's CHALLENGE O'CLOCK!
👉 Capture the flag before Thursday the 26th of June
👉 Win €400 in SWAG prizes
👉 We'll release a tip for every 100 likes on this tweet
Thanks @Toogidog for the challenge 👇
challenge-0625.intigriti.io
— Intigriti (@intigriti)
11:52 AM • Jun 19, 2025
Bug Bounty Village Sponsor & Speaker Announcements
by @BugBountyDEFCON
Sponsor and speaker lineups are starting to be announced on BBV’s Twitter page, with Jason Haddix listed as the keynote speaker.
Read the full tweet →
HackerOne is Hiring Product Security Analysts in Pune [🔗 Tweet]
by HackerOne
HackerOne is hiring Product Security Analysts for an in-office, shift-based role in Pune. Recruiter calls begin the week of July 7, with tech rounds from July 14–25 and a challenge scheduled between July 28 and August 1.
Apply →
Did I miss an important update? Tell me.

Find Exposed Secrets & Maximize Bug Bounty Rewards [📁 Tool]
by @arshadkazmi42
iScan.today is a scanning tool for bug bounty hunters, revealing exposed secrets across platforms. The post also shares success stories of substantial rewards from identified vulnerabilities.
Read more →

Tiny XSS Payloads [📓 Blog]
by @terjanq
This post compiles a list of compact XSS payloads applicable across various contexts, including instances with restricted inline scripts.
Read more →

GitHub - musana/CF-Hero: CF-Hero is a reconnaissance tool that uses multiple data sources to discover the origin IP addresses of Cloudflare-protected web applications [📁 Tool]
by musana
CF-Hero is designed for uncovering origin IP addresses behind Cloudflare, employing diverse reconnaissance methods and intelligence sources.
View the tool →

Introducing a Bug Bounty Progress Tracker [🔗 Tweet]
by @payloadartist
This new bug bounty progress tracker app focuses on privacy and offline use, providing a straightforward approach without data collection.
Read the full tweet →
Vibe coded a minimal #bugbounty progress tracker app
It helps
→ Break down the complex hunting methodology, inspired by @Jhaddix's TBHM, into simple steps
→ Avoids missing test cases
→ Pro-privacy: Offline, no data collected
→ Uses less memory
→ Stores data in .YAML files
— payloadartist (@payloadartist)
2:30 PM • Jun 21, 2025
GitHub - KingOfBugbounty/enumrust: Subdomain Enumerator and Simple Crawler [📁 Tool]
by KingOfBugbounty
enumrust is a subdomain enumerator and simple crawler for domain analysis, offering subdomain enumeration and vulnerability detection by wrapping tools such as subfinder and httpx.
View the tool →
GitHub - nullfuzz-pentest/shodan-dorks: Shodan Dorks [📁 Tool]
by nullfuzz-pentest
This GitHub repository features specialized search queries for Shodan, assisting security researchers in spotting vulnerabilities across internet-connected devices.
View the tool →
Fast Tool for Large-Scale Subdomain Discovery [🔗 Tweet]
by @yz9yt
This author shares a new tool for quick large-scale subdomain discovery, boosting efficiency for bug bounty hunters.
Read the full tweet →
Introducing Exploit Generator Plugin for Easy PoC Creation [🔗 Tweet]
by @CaidoIO
A new 'Exploit Generator' plugin streamlines the creation of executable proof-of-concept code from intercepted requests, providing significant time-saving benefits.
Read the full tweet →
Have a favorite tool? Tell me.

Bypassing Domain Validation for Internal App Access [📓 Blog]
by @yppip
A security researcher found a vulnerability in an AWS Cognito email-domain validation step: the regex (domain\.com) was unanchored, so it matched that string anywhere in the address, and addresses on unrelated domains such as maliciousdomain.com satisfied the check and bypassed authentication.
Read more →
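A minimal illustration of the anchoring bug the write-up describes, added here and not taken from the post or from any AWS Cognito code: the bare pattern next to an anchored one, run over constructed addresses that cover the substring, prefix, local-part and trailing-newline cases.

```python
import re

# The weak check as the write-up describes it: a bare, unanchored pattern.
# re.search finds "domain.com" anywhere, so "maliciousdomain.com" passes.
LOOSE = re.compile(r"domain\.com")

# Hardened check: one local part (no '@' or whitespace), the literal '@',
# the exact domain, and nothing else. re.fullmatch anchors both ends and,
# unlike '$', does not accept a trailing newline.
STRICT = re.compile(r"[^@\s]+@domain\.com", re.IGNORECASE)


def loose_allowed(email: str) -> bool:
    return LOOSE.search(email) is not None


def strict_allowed(email: str) -> bool:
    return STRICT.fullmatch(email) is not None


# Constructed test vectors: address -> whether the trusted-domain check should pass.
SAMPLES = {
    "alice@domain.com": True,
    "Alice@DOMAIN.COM": True,                  # mail domains are case-insensitive
    "mallory@maliciousdomain.com": False,      # substring match, the bug in the write-up
    "mallory@domain.com.attacker.net": False,  # trusted domain as a prefix of another
    "domain.com@attacker.net": False,          # trusted domain in the local part
    "alice@domain.com\n": False,               # '$' would accept this, fullmatch does not
    "alice@sub.domain.com": False,             # subdomains need an explicit decision
    "@domain.com": False,                      # empty local part
}


def mismatches(check) -> list:
    """Addresses on which `check` disagrees with the expected verdict."""
    return [email for email, expected in SAMPLES.items() if check(email) != expected]


if __name__ == "__main__":
    print("loose :", mismatches(loose_allowed))
    print("strict:", mismatches(strict_allowed))
```

The same anchoring rule applies to any allowlist regex, not just email domains: a pattern that is not anchored at both ends is a substring test, whatever it looks like.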
How a Simple Logic Flaw Let Me Steal Any User’s Account [📓 Blog]
by Abdelkader Mouaz (Hamzadzworm)
Details a logic flaw that permitted account takeover by leveraging username patterns and stored XSS vulnerabilities. The post illustrates the significance of recognizing seemingly minor features' impact on security.
Read more →
From Login Page to Full Admin Panel Takeover [📓 Blog]
by rood
This write-up recounts the author's journey from identifying a vulnerability on a login page to gaining full admin privileges by exploiting misconfigured HTTP redirects and a privilege escalation technique, highlighting the importance of thorough reconnaissance.
Read more →
Did I miss an important update? Tell me.

Drama, PDF as JS Chaos, Bounty Profile Apps, And More (Ep. 127)
by Critical Thinking Podcast
Justin and Joel cover standout exploits and bug bounty trends, including new tools like Newtowner for regional IP bypass detection, advanced LLM exfiltration tricks using markdown, and a breakdown of what it really takes to go full-time in bug bounty hunting based on payout math.
How Hackers Take Over Accounts [🎥 Video]
by DeadOverflow
This video explores an account takeover vulnerability stemming from improper handling of password reset requests, detailing how attackers exploit email parameter pollution. It emphasizes the financial impact of such vulnerabilities, using a real incident involving GitLab as a case study.
Watch video →
Grafana CVE-2025-4123: How XSS + Open Redirect Led to Full Account Takeover [🎥 Video]
by Medusa
The video dissects CVE-2025-4123 in Grafana, explaining how the open redirect is chained with stored XSS and SSRF to achieve full account takeover.
Watch video →
Bug Bounty Tip: How To Know When You Are Ready To Find Bugs [🎥 Video]
by ChillingAndTalking
This video discusses determining readiness for bug hunting, focusing on understanding business logic. It demonstrates how API call parameter manipulation can reveal vulnerabilities using a practical example from Yelp.
Watch video →
Did I miss something? Tell me.

Building LLM Agents for AI Security Challenges [🔗 Tweet]
by @Bugcrowd
This tweet highlights a blog post focused on creating an LLM agent for tackling AI security challenges, covering essential techniques such as prompt injection.
Read the full tweet →

Is CSRF Dead? Discovering and Exploiting CSRF vulnerabilities [📓 Blog]
by Ali Hussainzada
This blog post investigates the persistence of CSRF vulnerabilities in modern web applications, detailing how to discover and exploit them and why CSRF remains a relevant threat vector.
Read more →
Automation for Smarter Bug Hunting [📓 Blog]
by Monika Sharma
This article emphasizes the role of automation and AI in modern bug hunting, showcasing how tools like Subfinder and Amass, combined with AI, can boost efficiency.
Read more →
How a PDF File Can Expose Your Application’s Real IP (Even with CDN and WAF) [📓 Blog]
by Vedgeta
This post examines how applications processing PDFs can inadvertently expose real IP addresses, explaining the exploitation of this vulnerability through crafted PDF files.
Read more →
Detecting and Exploiting Business Logic Flaws in Real Web Apps [📓 Blog]
by Karthikeyan Nagaraj
This article discusses the critical significance of business logic flaws and their potential to exploit intended application behaviors, underlining the importance of manual exploration in penetration testing.
Read more →
Did I miss something? Tell me.

Effective Prompt Injection Techniques for AI Models [🔗 Tweet]
by Critical Thinking - Bug Bounty Podcast
This tweet provides practical prompt formats that enhance prompt injection techniques based on AI model training data.
Read the full tweet →
Prompt injection works a lot better if your message sounds like the data the model was trained on.
Some prompt formats that have worked in real bugs:
— Critical Thinking - Bug Bounty Podcast (@ctbbpodcast)
4:30 PM • Jun 21, 2025
XSS Filter Bypass Technique Using Blacklisted Symbols [🔗 Tweet]
by Anton
This tweet describes a technique to bypass XSS filters when blacklisted symbols are present in HTML attributes, providing corresponding payloads.
Read the full tweet →
Bug Bounty Tip
XSS Filter Bypass - Blacklisted Symbols
When XSS point in HTML attribute has blacklisted symbols - try these payloads
— Anton (@therceman)
6:29 PM • Jun 21, 2025
Using cURL to Confirm RCE with Timing Checks [🔗 Tweet]
by HackingHub
This tweet details a method for confirming Remote Code Execution vulnerabilities by analyzing server response times with cURL.
Read the full tweet →
Think you've found an RCE?
Use the `time` command with cURL and a `sleep 5` payload to see how long the server takes to respond.
If it takes longer than 5 seconds then you may have confirmed an RCE! 🚀
— HackingHub (@hackinghub_io)
12:01 AM • Jun 22, 2025
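The `time curl` check proves little on its own: one response over 5 seconds can be network jitter or a busy backend. Added example, not HackingHub's code: a probe that compares a zero-sleep baseline with several injected delays and only reports the injection as confirmed when latency tracks the delay. The `make_http_sender` helper, its parameter name and the `;sleep N` payload shape are assumptions about a hypothetical injection point; the two server stand-ins are constructed so the check runs offline.

```python
import statistics
import time
import urllib.parse
import urllib.request


def measure(send, delay: float, repeats: int) -> float:
    """Median wall-clock seconds over `repeats` requests that inject `delay`."""
    samples = []
    for _ in range(repeats):
        start = time.monotonic()
        send(delay)
        samples.append(time.monotonic() - start)
    return statistics.median(samples)


def confirm_time_based(send, delays=(3.0, 6.0), repeats: int = 3, tolerance: float = 0.5):
    """Decide whether response time tracks an injected sleep.

    `send(delay)` issues one request whose payload asks the target to sleep
    `delay` seconds; delay 0 is the baseline. The injection counts as confirmed
    only when every non-zero delay pushes the median response time at least
    (delay - tolerance) seconds past the baseline, so one slow response, or a
    server that is always slow, does not produce a false positive.
    Returns (confirmed, {delay: median_seconds}).
    """
    baseline = measure(send, 0.0, repeats)
    results = {0.0: baseline}
    for d in delays:
        results[d] = measure(send, d, repeats)
    confirmed = all(results[d] - baseline >= d - tolerance for d in delays)
    return confirmed, results


def make_http_sender(url: str, param: str, base_value: str = "1", timeout: float = 60.0):
    """Sender for a hypothetical GET parameter `param` on `url` (an assumption).

    The payload shape `<value>;sleep <n>` assumes a shell-command injection;
    adapt it to the injection point you actually have. The timeout must exceed
    the largest injected delay, or every probe looks like a hang.
    """
    def send(delay: float) -> None:
        payload = f"{base_value};sleep {int(delay)}" if delay else base_value
        query = urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(f"{url}?{query}", timeout=timeout):
            pass
    return send


# Constructed stand-ins for a target so the check runs offline.
def vulnerable_server(delay: float) -> None:
    time.sleep(0.01 + delay)          # honours whatever sleep was injected


def merely_slow_server(delay: float) -> None:
    time.sleep(0.05)                  # always slow, never tracks the payload


if __name__ == "__main__":
    # Short delays keep the demo fast; against a real target use 3 and 6 seconds.
    print(confirm_time_based(vulnerable_server, delays=(0.2, 0.4), repeats=2, tolerance=0.05))
    print(confirm_time_based(merely_slow_server, delays=(0.2, 0.4), repeats=2, tolerance=0.05))
```

Against a live target, pick `tolerance` from the jitter you observe in the baseline samples, and keep the total sleep budget small enough that you are not the one causing an outage.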
Techniques to Discover Hidden Parameters for Vulnerabilities [🔗 Tweet]
by Pratik Dabhi
This tweet outlines effective methodologies for uncovering hidden parameters that could lead to identifying security vulnerabilities.
Read the full tweet →
🔍 How to Discover Hidden Parameters
• Use tools like ParamSpider & arjun
• Hunt inside JS files for clues
• Try common params: ?debug=1, ?admin=true
• Leverage Burp’s Param Miner
• Use gf patterns for juicy vuln params
🎯 Hidden params = hidden bugs. Go find them!
— Pratik Dabhi (@impratikdabhi)
12:10 PM • Jun 20, 2025
Exploiting LFI Vulnerability in CustomImages.aspx Script [🔗 Tweet]
by N$
The tweet discusses a Local File Inclusion (LFI) vulnerability within a script responsible for fetching custom images from a server, detailing the exploitation payload.
Read the full tweet →
So how does this work? There’s a login page that fetches custom images—like the company logo, from the server using a script called CustomImages.aspx. This script is vulnerable to LFI. When accessed directly, the script doesn’t display anything. But if you use an LFI payload in
— N$ (@nav1n0x)
6:26 PM • Jun 20, 2025
Submit High Severity Bugs Promptly to Avoid Missed Rewards [🔗 Tweet]
by N$
The author emphasizes the urgency of reporting high-severity bugs immediately, sharing insights from personal experiences related to bounty losses.
Read the full tweet →
Reminder: Don’t wait to report a high severity bug to escalate it. Just submit it—you can try to escalate the severity later.
I lost a $5,000 bounty because I waited 2 hours running SQLMap... someone else reported it as blind sqli first and bagged the reward. #BugBounty
— N$ (@nav1n0x)
7:10 AM • Jun 17, 2025
Bypassing CSP Restrictions with JSONP Endpoints [🔗 Tweet]
by Intigriti
This tweet discusses techniques for bypassing Content Security Policy (CSP) using JSONP endpoints, relevant for evading XSS protections.
Read the full tweet →
Is your XSS held back by script-src CSP policy?
Try one of the following JSONP endpoints to bypass CSP! 👇
— Intigriti (@intigriti)
9:06 AM • Jun 18, 2025
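Whether a JSONP endpoint helps depends on whether its host already sits in the page's script-src. Added example, not Intigriti's list or code: a simplified CSP source matcher that takes a policy and a set of candidate JSONP URLs and returns the ones the policy would load. The policy and the candidate hosts are constructed and hypothetical; nonce, hash and 'strict-dynamic' handling is intentionally out of scope.

```python
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # *.cdn.example matches a.cdn.example, not cdn.example
    return pattern == host


def source_matches(source: str, target, page) -> bool:
    """Simplified CSP3 matching for one source expression.

    Handles 'self', 'none', *, scheme sources ("https:") and host sources with
    optional scheme, leading *. wildcard, port and path. Nonces, hashes and
    'strict-dynamic' are not host-based and are treated as non-matching.
    """
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if s.startswith("'"):
        return False
    if s == "*":
        return target.scheme in ("http", "https")
    if s.endswith(":") and "/" not in s:
        return target.scheme == s[:-1]
    pat = urlparse(source if "://" in source else "//" + source)
    if pat.scheme and pat.scheme != target.scheme:
        return False
    if not pat.scheme and target.scheme not in ("http", "https"):
        return False
    if not host_matches(pat.hostname or "", target.hostname or ""):
        return False
    if pat.port is not None and pat.port != target.port:
        return False
    if pat.path and pat.path != "/":
        # CSP path matching: a trailing '/' means prefix, otherwise exact.
        return target.path.startswith(pat.path) if pat.path.endswith("/") else target.path == pat.path
    return True


def script_allowed(csp_header: str, script_url: str, page_url: str) -> bool:
    """Would a <script src=script_url> on page_url be permitted by csp_header?"""
    directives = parse_csp(csp_header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                          # no applicable restriction
    target, page = urlparse(script_url), urlparse(page_url)
    return any(source_matches(src, target, page) for src in sources)


# Constructed candidates: hypothetical JSONP-style endpoints (hosts are made up).
JSONP_CANDIDATES = [
    "https://widgets.example-cdn.com/api/jsonp?callback=alert(document.domain)",
    "https://api.partner.example/v1/items?jsonp=alert(1)",
    "https://analytics.thirdparty.example/collect?cb=alert(1)",
]

# Constructed policy and page for the demonstration.
EXAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://*.example-cdn.com "
                  "https://api.partner.example/v1/ 'nonce-r4nd0m'")
EXAMPLE_PAGE = "https://app.example/dashboard"


def usable_jsonp(csp_header: str, page_url: str, candidates=JSONP_CANDIDATES) -> list:
    """Candidate endpoints whose host the page's script-src already trusts."""
    return [u for u in candidates if script_allowed(csp_header, u, page_url)]


if __name__ == "__main__":
    print(usable_jsonp(EXAMPLE_POLICY, EXAMPLE_PAGE))   # the first two candidates
```

Two caveats: a policy containing 'strict-dynamic' makes browsers ignore host allowlists entirely, so this matcher over-approximates there; and a path restriction like `/v1/` is only enforced on the initial request, since CSP drops path matching after a redirect.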
Remembering CSS Exfiltration in HTML Injection Testing [🔗 Tweet]
by André Baptista
The tweet is a reminder to test for CSS exfiltration whenever you have HTML injection, pointing to the sic tool by @d0nutptr and a list of techniques from PortSwigger.
Read the full tweet →
I like to bypass XSS filters and sanitizers, so I keep forgetting to test for CSS exfiltration when I have HTML injection.
This reminded me of the sic tool by @d0nutptr from a Singapore LHE, but there's also a cool list from @PortSwigger 👇
— André Baptista (@0xacb)
2:48 PM • Jun 16, 2025
Exploiting SVG Execution Bugs in Chrome and Safari [🔗 Tweet]
by Gareth Heyes
Gareth Heyes demonstrates an SVG vector, tested from Hackvertor against Firefox, Chrome and Safari, that Firefox escapes correctly but Chrome and Safari execute, showing how differently the browsers process the same SVG content.
Read the full tweet →
Here I use a Hacking room in Hackvertor to find bugs in Chrome and Safari. I basically connect Firefox, Safari and Chrome and try a SVG vector. Firefox escapes correctly whereas Chrome and Safari don't. Chrome executes the alert and Safari goes red to indicate it did too.
— Gareth Heyes (@garethheyes)
11:21 AM • Jun 17, 2025
Leveraging CORS Misconfigurations for Internal Access PoCs [🔗 Tweet]
by Intigriti
This tweet shows how to demonstrate impact for a CORS misconfiguration even when Access-Control-Allow-Credentials (ACAC) is 'false': craft a proof of concept that uses the victim's browser to reach internal hosts only the victim can access.
Read the full tweet →
💡 Quick Tip!
Found a potential CORS misconfiguration issue, but ACAC is set to 'false'?
You can still prove impact by crafting a proof of concept intended to reach internal hosts that only your victim can reach! 🤠
Example 👇
— Intigriti (@intigriti)
9:05 AM • Jun 14, 2025
Did I miss something? Tell me.
Did you like this week's drop? Please share feedback.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.