Disclosed. June 8, 2025: Shubs Triumphs in Sydney, NahamCon Talks Released, and Black Hat’s Youngest Star
The bug bounty world, curated.
Welcome to Disclosed.

I’m excited to launch something special for the “Disclosed.” community:
Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free.
PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.
Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️

Hey there! HackerOne had a live hacking event in Sydney this week, and while I’m sad I wasn’t able to join this time, I hope everybody traveling makes it back home safely and that those onsite had a great time. For the rest of us, hope your week was full of lots of bounties and learning. Significant progress is being made on Bug Bounty Village stuff. Stay tuned for big announcements soon!
Anyway, let’s dive in.
In This Issue

Shubs Wins Salesforce Live Hacking Event H1-6102 in Sydney [🔗 Tweet]
by HackerOne
Shubs wins his third MVH award at the Salesforce live hacking event H1-6102 in Sydney, Australia.
View the tweet →
I won the Most Valuable Hacker award for the Salesforce H1-6102 live hacking event in Sydney (my hometown)! I enjoyed working with some very talented hackers, including @ryotkak, @Geluchat, and @kevin_mizu. This is my third MVH award, and I'm grateful to be able to compete.
— shubs (@infosec_au)
12:03 PM • Jun 6, 2025
Free Access to All Talks from NahamCon 2025 [🔗 Tweet]
by Ben Sadeghipour (Nahamsec)
All talks from NahamCon 2025 are now accessible for free on their website, serving as a valuable resource of discussions and webinars for researchers.
Read the full tweet →
In case you missed it - We released all of the talks from #nahamcon2025. You can access them all for free on our website.
— Ben Sadeghipour (@NahamSec)
5:20 PM • Jun 5, 2025
Meet the Youngest Black Hat Speaker: Ruikai Peng [🔗 Tweet]
by Bugcrowd
This tweet showcases Ruikai Peng, a young security researcher known for discovering critical RCEs and for becoming the youngest speaker in Black Hat USA history.
View the tweet →
At just 15, Ruikai Peng has already contributed 25 CVEs, uncovered critical RCEs in major ML frameworks, and earned a spot as the youngest speaker in Black Hat USA history. 🤯🤯
Get to know @retr0reg and his incredible work: bugcrowd.com/blog/hacker-sp…
— bugcrowd (@Bugcrowd)
3:17 PM • Jun 5, 2025
Have something you want to Spotlight? Tell me.

Double Bounties for Sensitive Data Reports on Trip.com’s BBP [🔗 Tweet]
by HackerOne
A campaign is currently underway offering double rewards for valid reports focused on sensitive data exposure, urging researchers to prioritize this critical vulnerability type.
View the tweet →
Double Bounties for Sensitive Data Exposure!
Hey researchers,
We’re running a limited-time campaign to shine a light on something that really matters: Sensitive Data Exposure. For this campaign, we’re offering 2x the usual rewards for valid reports in this category. Because
— HackerOne (@Hacker0x01)
3:24 PM • Jun 5, 2025
Pwnbox Integrates with CaidoIO for Enhanced Hacking [🔗 Tweet]
by Hack The Box
This tweet announces the integration of CaidoIO with Pwnbox, enhancing in-browser hacking capabilities with a lightweight proxy for web testing.
View the tweet →
From intercepts to plugins, it’s all in the box 😌
@CaidoIO is now integrated with #Pwnbox, our full-featured, in-browser #hacking environment powered by @ParrotSec. Enjoy seamless #web testing with a lightweight, powerful proxy inside your browser. Read more:
— Hack The Box (@hackthebox_eu)
1:19 PM • Jun 2, 2025
Recap of Meta’s Bug Bounty Researcher Conference [🔗 Tweet]
by Meta Bug Bounty
This tweet concludes the MBBRC2025 event in Tokyo with a recap video and introduces the Hacker Plus loyalty program for upcoming participation.
View the tweet →
That's a wrap on #MBBRC2025 in Tokyo! Thanks to our top researchers for joining us.
Watch the recap video on YouTube:
If you're interested in participating next year, check out our Hacker Plus loyalty program: bugbounty.meta.com/hackerplus/
— Meta Bug Bounty (@metabugbounty)
9:52 AM • Jun 5, 2025
Livestream Series on Learning Vulnerabilities with Dojo [🔗 Tweet]
by YesWeHack
Announcing a livestream series tailored for Spanish-speaking hackers, focusing on vulnerability learning through practical training modules.
View the tweet →
📣 Hey Spanish-speaking hackers! We’re teaming up with @soyel_mago for a livestream series!
🎬 Kicking off tonight at 10:30PM GMT-3, the first episode will dive into how you can learn new vulnerabilities using our #Dojo training modules.
Tune in live 👇
— YesWeHack ⠵ (@yeswehack)
2:08 PM • Jun 4, 2025
Did I miss an important update? Tell me.

Tool Release: Newtowner to Bypass IP Whitelisting Issues [🔗 Tweet]
by shubs
This tweet introduces Newtowner, a tool for routing test traffic through a chosen location (cloud provider or geography) to check whether IP allowlisting controls can be bypassed, something the author’s team at Assetnote reports having done successfully.
Read the full tweet →
IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue:
— shubs (@infosec_au)
2:19 AM • Jun 5, 2025
Menaxa | Your Threat Command Center [📓 Blog]
by MENAXA
MENAXA introduces a comprehensive security checklist consisting of 398 items to safeguard web applications and smart contracts against common attacks. It includes threat intelligence tools for monitoring and vulnerability tracking.
Read more →

New HTTP Request Minimization Plugin 'Squash' Released [🔗 Tweet]
by Caido
'Squash', a new plugin aimed at minimizing HTTP requests to streamline troubleshooting, has just been released, allowing researchers to focus on critical issues.
View the tweet →
🚀New plugin in the Caido Store!
Introducing "Squash" by @Evan_Connelly and @Rhynorater
Minimize HTTP Requests to remove the noise and focus on what matters.
Check out more details: github.com/evanconnelly/s…
— Caido (@CaidoIO)
12:00 PM • Jun 5, 2025
Token Tailor Launches for Enhanced JWT Management [🔗 Tweet]
by BApp Store
Token Tailor, a new tool on the BApp Store, automates the renewal of JWT and Basic tokens with customizable flows and features for traffic monitoring.
Read the full tweet →
Token Tailor - now on the BApp Store!
🔁 Auto-renews JWT & Basic tokens
🛠 Define custom flows to fetch fresh tokens
📦 Tool-specific or all-traffic monitoring
⏱ Triggers on expiry via status, body, or text
📤 Import/export configs for reuse
— BApp Store (@BApp_Store)
4:52 PM • Jun 5, 2025
New Discord Bot for Bug Bounty Tools and Stats [🔗 Tweet]
by rohsec
A new Discord bot has been introduced, enabling users to access in-scope domains, Burp Suite configurations, and hacker statistics directly within Discord.
View the tweet →
🚨 Attention Hackers !! 🚨
Just ported my terminal site (term.rohsec.com) into a Discord bot 🤖⚡ Now you can get in-scope domains, Burp configs, hacker stats etc right inside Discord !!
Live in The Bug Bounty Club → discord.gg/V2u26gbABt
#bugbounty #bugbountytips
— rohsec (@rohsec)
10:40 AM • Jun 1, 2025
New Punycode Converter Tool for Bug Bounty Hunters [🔗 Tweet]
by MorboAalst - Kitty
This tweet highlights a Punycode converter tool that lets users create various input versions for a name, facilitating vulnerability testing.
View the tweet →
I have created a Punycode converter right here:
hexagonal-humble-damselfly.glitch.me
Just put the name you want to convert. Click a letter you want to change and you'll get multiple input versions.
Click generate and copy the result.
#bugbounty #EthicalHacking
— MorboAalst - Kitty (@MorboAalst)
4:13 PM • Jun 2, 2025
Have a favorite tool? Tell me.

Lichess | Report #3165242 - Server-Side Request Forgery (SSRF) via Game Export API | HackerOne [📓 Report]
by oblivionsage
This report details a critical SSRF vulnerability in Lichess's game export API, where an unvalidated 'players' parameter allows attackers to send requests to arbitrary URLs. Mitigation strategies are suggested, ultimately resolving the issue with complete feature removal.
Read more →
Mozilla | Report #3154983 - IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account | HackerOne [📓 Report]
by z3phyrus
The report describes an IDOR vulnerability in the Firefox Accounts API that enables an authenticated attacker to delete accounts by manipulating a request. It emphasizes secure authorization checks, especially for SSO-created accounts.
Read more →
How I Found a $9,762 Bug with Simple Subdomain Fuzzing | by Ibtissam hammadi | Jun, 2025 | Medium [📓 Blog]
by Ibtissam Hammadi
This post recounts the author's experience discovering a critical vulnerability through subdomain fuzzing using ffuf. It highlights the command line usage and the importance of not overlooking seemingly insignificant subdomains.
Read more →
Did I miss an important update? Tell me.

#NahamCon2025 Day 1 Keynote: Hacking, Prompt Engineering, and the Future of Pentesting with AI [🎥 Video]
by NahamSec
VOD of the keynote and kick-off of NahamCon2025.
Watch video →
Bug Bounty: Exploiting AWS Cloud WebApps with SSRF [🎥 Video]
by ethicalPap_
This video showcases exploiting the AWS Instance Metadata Service (IMDS) for SSRF attacks, detailing setup of a vulnerable EC2 instance and discussing credential querying techniques.
Watch video →
How to Win Live Hacking Events (Ep. 125) [🎥 Video]
by Critical Thinking - Bug Bounty Podcast
Episode 125 covers strategies for succeeding at live hacking events, sharing insights from experience to help participants maximize their impact.
Watch video →
Mastering OAuth 2.0 Flows: Complete Guide + Security Testing Tips (Okta OAuth Playground) [🎥 Video]
by Medusa
This video comprehensively explores OAuth 2.0 flows and their common vulnerabilities, offering practical testing techniques and emphasizing security best practices for ethical hackers.
Watch video →
Beginner's Guide to OverTheWire Bandit Walkthrough Videos [🎥 Playlist]
by WenBin Kong
This YouTube playlist features a beginner-friendly walkthrough of the OverTheWire Bandit game to enhance hacking skills.
View the playlist →
Tips for Fuzzing and API Navigation in New Video [🎥 Video]
by Adam Langley
A new YouTube video offers insights on fuzzing and navigating APIs, aimed at helping researchers elevate their skills.
View the video →
Did I miss something? Tell me.

API Hacking - Cracking JWT Tokens [📓 Blog]
by ghostlulz
This article covers the security risks associated with JSON Web Tokens (JWTs) and how weak secret keys can be exploited, offering practical steps for secure token management.
Read more →

8 Tips for Writing Effective Bug Bounty Reports | Intigriti [📓 Blog]
by Intigriti
This blog post shares crucial tips for crafting effective bug bounty reports, highlighting clarity, detail, and professionalism to aid in faster case resolution.
Read more →
GitHub - zomasec/client-side-bugs-resources: A resource for those who want to learn and get deep into client-side bugs [📁 Tool]
by zomasec
This GitHub repository compiles resources for studying client-side vulnerabilities such as XSS, along with related topics like CSP, catering to both novices and experienced researchers.
View the tool →
Top XSS POCs that made $50,000: Learning & Methodology to find XSS from… [📓 Blog]
by It4chis3c
This article outlines lucrative XSS proof-of-concept exploits and methodologies employed by top hackers, including practical examples to enhance understanding of security vulnerabilities.
Read more →
Copying Network Requests as cURL Commands Made Simple [🔗 Tweet]
by HackingHub
This tweet provides guidance on how to utilize browser DevTools to copy network requests into cURL commands for effective terminal usage.
View the tweet →
Finding Hidden Parameters: Advanced Enumeration Guide [📓 Blog]
by Intigriti
This article explores five advanced methods for uncovering hidden parameters in web applications, emphasizing automation tools and their significance in vulnerability exploitation.
Read more →
Did I miss something? Tell me.

Key WordPress Functions to Monitor for User Input Risks [🔗 Tweet]
by André Baptista
A highlight of nine WordPress sink functions, including update_option(), where user input can land and which researchers should watch for potential vulnerabilities.
View the tweet →
Once you’ve found a source of user input, the next question is:
Where does that input land?
That’s your sink. And WordPress plugins expose a ton of them.
Here are 9 to look for 👇
1. update_option()
- Stores global config like default roles, site settings, API keys.
- Set
— André Baptista (@0xacb)
8:46 AM • Jun 5, 2025
Understanding Clipjacking: A New UI Redressing Attack [🔗 Tweet]
by Critical Thinking - Bug Bounty Podcast
This tweet introduces clipjacking, a UI redressing attack that misleads users into copying sensitive data instead of intended text.
View the tweet →
Clipjacking is like clickjacking but for the clipboard. It's a sneaky UI redressing attack where the user thinks they're copying some text from -your- page, but they're actually yanking sensitive data from a hidden, overlaid iframe.
— Critical Thinking - Bug Bounty Podcast (@ctbbpodcast)
4:30 PM • Jun 2, 2025
Critical SSRF to XSS Vulnerability Chain Revealed [🔗 Tweet]
by NullSecX
Researchers outline a critical vulnerability chain where SSRF exploitation leads to stored XSS in an admin panel by fetching an internal JS endpoint.
View the tweet →
🔍 Our researchers discovered a critical SSRF → XSS chain:
1. SSRF abused to fetch internal JS endpoint
2. Injected payload reflected in an internal admin panel
3. Admin loads it via <script src="internal-api/...">
4. Boom → stored XSS with admin context
#bugbounty #SSRF
— NullSecX (@NullSecurityX)
8:37 PM • Jun 4, 2025
Building Connections in the Hacking Community [🔗 Tweet]
by Katie Paxton-Fear
The tweet shares effective personal tips for networking within the hacking community through Discord and event volunteering.
View the tweet →
Some easy ways to make friends in my experience:
- Discord - join a big channel and eventually you’ll end up in an offshoot group and end up with lifelong friends
- Volunteer at events (or speak at them) especially if you’re shy you’ll get to know the people who know eveeeeryone
— Katie Paxton-Fear (@InsiderPhD)
12:31 PM • Jun 3, 2025
XSS Vulnerability Through User-Supplied Config in JavaScript [🔗 Tweet]
by Web Security Academy
Explains how seemingly harmless fallbacks can lead to serious XSS vulnerabilities when JavaScript libraries depend on user-supplied configuration objects.
View the tweet →
How a harmless-looking fallback can become a full-blown XSS 💥
JavaScript libraries often rely on user-supplied configuration objects.
A common pattern is:
let transport_url = config.transport_url || defaults.transport_url;
If config.transport_url is undefined, the default is
— Web Security Academy (@WebSecAcademy)
5:18 PM • May 30, 2025
New Firefox XSS Payloads Shared by Experts [🔗 Tweet]
by Anton
This tweet showcases new XSS payloads for Firefox, provided by recognized experts, enhancing the ethical hacking toolkit.
View the tweet →
New Firefox XSS Payloads
credits to @garethheyes and @kinugawamasato
— Anton (@therceman)
8:41 AM • Jun 3, 2025
Humorous Encounter with an Auth Bypass on Internal App [🔗 Tweet]
by Gunnar Andrews
The author humorously recounts discovering an auth bypass in an internal app, leading to an unexpected 'rickroll' surprise.
View the tweet →
1. Got auth bypass
2. Started clicking the newly accessed internal app
3. Got rickrolled
Wild bug bounty first :P
— Gunnar Andrews (@G0LDEN_infosec)
4:18 AM • Jun 5, 2025
Did I miss something? Tell me.
Did you like this week's drop? Please share feedback.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.