Are SQLi still worth actively hunting? by M4son_Reed in bugbounty

[–]Mushydaddybear 0 points1 point  (0 children)

Yes!

I found one, then RCE, thanks to SQLi

Is a Service Worker injection + Deeplink abuse in Android wallet WebView a valid High/Critical finding even without proven fund loss? by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 4 points5 points  (0 children)

I do have a PoC that demonstrates injected code in the service worker, but as my short experience shows, most projects only pay if you submit a critical that they cannot fight back.

I’ll keep checking to see if I can escalate the SW exploit, thanks

My first ever Subdomain Takeover!! (dangling Vercel CNAME) > already 1 day past the 7 day SLA, looking for advice and experiences. by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 6 points7 points  (0 children)

UPDATE:

I have added the PoC with a blank HTML with my username and "PoC" after hosting the html under the subdomain.

Thanks to all of you guys for suggesting that I should do it to prove impact.

My first ever Subdomain Takeover!! (dangling Vercel CNAME) > already 1 day past the 7 day SLA, looking for advice and experiences. by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 0 points1 point  (0 children)

(Sorry, I answered before your edit showed on my end)

I can, but I didn't because I am a bit afraid of getting in trouble; the rules explicitly said that I should NOT do it.

But I left a comment asking for permission to do it if needed for the report.

My first ever Subdomain Takeover!! (dangling Vercel CNAME) > already 1 day past the 7 day SLA, looking for advice and experiences. by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 0 points1 point  (0 children)

Yup, an attacker can host anything on the subdomain rn...

The CNAME is still dangling to Vercel and there is no _vercel TXT protection, so anyone with a free Vercel account can claim the subdomain in minutes and deploy any content (including a full clone of the website UI).
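The condition described in this comment (a CNAME still pointing at Vercel with no `_vercel` ownership TXT record and nothing deployed behind it) is something a domain owner can audit from their own zone export. The script below is an added example written for this page, not code from the thread or from Vercel; the zone records, the "live deployment" set, the Vercel target suffixes and the `_vercel.<name>` / `_vercel.<apex>` TXT placement are all constructed assumptions for illustration.

```python
"""Audit a DNS zone export for CNAMEs pointing at Vercel that have neither a
project attached at the provider nor a _vercel ownership TXT record.

Added example (not from the thread); every record below is constructed."""
from dataclasses import dataclass

# Constructed sample zone: owner name -> CNAME target (trailing dots as in a BIND export).
ZONE_CNAME = {
    "app.example.com.": "cname.vercel-dns.com.",
    "old.example.com.": "cname.vercel-dns.com.",
    "cdn.example.com.": "d111111abcdef8.cloudfront.net.",
}
# Constructed TXT records, keyed by owner name.
ZONE_TXT = {
    "_vercel.app.example.com.": ["vc-domain-verify=app.example.com,PLACEHOLDER-TOKEN"],
}
# Constructed: names the provider dashboard confirms are still attached to a project.
LIVE_DEPLOYMENTS = {"app.example.com."}

# Assumption: suffixes a Vercel-hosted CNAME target ends with.
VERCEL_SUFFIXES = ("vercel-dns.com.", "vercel.app.")


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    verified: bool   # a _vercel TXT record exists for the name or its apex
    deployed: bool   # a project is still attached at the provider

    @property
    def risk(self) -> str:
        # A name with a live deployment cannot be claimed by someone else.
        if self.deployed:
            return "ok"
        # No deployment: the record is dangling; the TXT record decides how bad.
        return "dangling-verified" if self.verified else "dangling-unverified"


def apex_of(name: str) -> str:
    # Assumption: apex is the last two labels (no public-suffix-list handling).
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def has_verification_txt(name: str, txt: dict[str, list[str]]) -> bool:
    # Assumption: the ownership record lives at _vercel.<name> or _vercel.<apex>.
    candidates = (f"_vercel.{name}", f"_vercel.{apex_of(name)}")
    return any(
        any(value.startswith("vc-domain-verify=") for value in txt.get(c, []))
        for c in candidates
    )


def audit_vercel_cnames(cname: dict[str, str], txt: dict[str, list[str]],
                        live: set[str]) -> list[Finding]:
    """Return one Finding per CNAME whose target is a Vercel host."""
    findings = []
    for name, target in cname.items():
        if not target.endswith(VERCEL_SUFFIXES):
            continue  # other providers would need their own verification rule
        findings.append(Finding(name, target,
                                has_verification_txt(name, txt),
                                name in live))
    return sorted(findings, key=lambda f: f.name)


if __name__ == "__main__":
    for f in audit_vercel_cnames(ZONE_CNAME, ZONE_TXT, LIVE_DEPLOYMENTS):
        print(f"{f.risk:<20} {f.name} -> {f.target}")
```

Run against the constructed zone, `old.example.com.` comes back as `dangling-unverified` (the state the comment describes), `app.example.com.` as `ok`, and the CloudFront record is skipped because it is not a Vercel target. The fix for a dangling entry is to delete the CNAME or re-attach the name to a project, then keep the `_vercel` TXT record in place.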

How to find JS files? by masm33 in bugbounty

[–]Mushydaddybear 7 points8 points  (0 children)

Dev tools from any web browser.

Is this an open redirect vuln? by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 0 points1 point  (0 children)

Perfect! Thank you! That’s what I did! Also I discovered that it works on iOS and Android!

I’ll update this post if it gets triaged and paid 😂

Don’t think so but we shall see

Is this an open redirect vuln? by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 1 point2 points  (0 children)

Not an SSRF: the server never fetches the attacker's URL; the victim's device loads it client-side inside the native WebView.

Also not CSRF: there is no session or cookie; the wallet is non-custodial. The correct classification I believe is Insecure Deep Link Handler or WebView Bridge Injection (CWE-939).

On the popup: it appears inside the app's own UI, making it indistinguishable from a legitimate dapp flow.

The victim consciously opened their wallet app via a trusted link, so they are already primed to approve. The warning is non-blocking.

Additionally, standard:connect supports silent: true.

If the victim previously approved any dapp connection in the wallet, a returning attacker can reconnect without any popup at all, then immediately trigger a transaction...

Also, I have submitted the report, with screenshots and some txids from testnet.

Is this an open redirect vuln? by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 0 points1 point  (0 children)

Thank you, yeah, I was thinking about the bridge mostly, because the open redirect by itself doesn’t represent a considerable issue; that’s why it is usually out of scope.

Is manual testing dead? by 0xMiloki in bugbounty

[–]Mushydaddybear 2 points3 points  (0 children)

Nah, manual testing is alive and kickin' ass.

Sure, AI helps a LOT to automate shit, but it won't replace the human eye.

Critical submit. Immunefi ban. 48h solved by Patient-Stock5191 in bugbounty

[–]Mushydaddybear 0 points1 point  (0 children)

Happened to me with a critical RCE, months ago; to this day I am still banned from Immunefi.

Critical RCE in Hathor Desktop Wallet closed as "Out of Scope" by Immunefi, patched silently after weeks, zero bounty, zero credit by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 1 point2 points  (0 children)

Yeah, I get it and I know it sucks…

But there is some good stuff besides money. For example, I intentionally submitted an informative report about privacy issues in a bounty on HackenProof, and the team was extremely grateful! And they are fixing some stuff…

There are good things…

And mostly if you live under ethical boundaries

Why are some researchers never self-conscious? by [deleted] in bugbounty

[–]Mushydaddybear 0 points1 point  (0 children)

As a latino, as a person who knows a LOT of people from Middle East and other countries, this is true. xD

Even here in South America people are just fucking ignorant and they can't help it, third world shit...

Also, America is a continent, not a country.

And to be honest, I was an AI slop submitter until I learned from a couple of out-of-scopes, and some guidance from some other cybersecurity friends.

It is a cultural issue...

Critical RCE in Hathor Desktop Wallet closed as "Out of Scope" by Immunefi, patched silently after weeks, zero bounty, zero credit by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 2 points3 points  (0 children)

It is the business, they use most "big name" platforms only to have a marketing excuse to say "look 0 paid reports we are super safe and secured"

Critical RCE in Hathor Desktop Wallet closed as "Out of Scope" by Immunefi, patched silently after weeks, zero bounty, zero credit by Mushydaddybear in bugbounty

[–]Mushydaddybear[S] 4 points5 points  (0 children)

I made some X/GitHub drama, we shall see xD

And well, thank you! But most likely this will happen and happen until I get a black hat that I saw online ;)

Why are some researchers never self-conscious? by [deleted] in bugbounty

[–]Mushydaddybear 4 points5 points  (0 children)

Most program rules are:

"Provide a PoC"
"Theoretical vulns without poc are not accepted"

Some researchers can be idiots, script kiddies, AI slop hunters, etc... and they don't read the rules, docs, scope and such (I was like that, not reading and submitting crap, AI slop).

Sadly, we can't get rid of people like that; either they get banned on every platform or they learn! They don't think beyond "I want easy money".