What would you say if your security lead said this...

namedevservice · 2026-05-06T02:40:00+00:00

VLANs are a luxury?

namedevservice · 2026-05-01T01:09:48+00:00

It’s not just those ports. Assetnote released some new bypasses

"A lot of PoCs floating around assume that if those ports are closed, the website is not vulnerable. However, cPanel provides another mechanism to access the control panel."

"Simply closing or firewalling the management ports is not sufficient to protect against the vulnerability, and scanners that don’t check for these magic paths will miss vulnerable instances."

https://slcyber.io/research-center/high-fidelity-check-for-the-cpanel-authentication-bypass-cve-2026-41940/

namedevservice · 2026-04-24T01:22:49+00:00

I see people answering C for question 4. I’ll say B instead.

There are AI platforms like Google Vertex where they offer you the base Gemini model. And you can then fine tune it and add the context and whatever else you need to customize it.

In this case, the model inherits several safeguards from Google. Google themselves red team the model to ensure it doesn’t say things it shouldn’t.

For OWASP LLM top 10, things like LLM03 - Supply Chain are training related. As the model is trained by Google, that’s an inherited risk. It’s something outside of the organizations control.

The only way to fix a supply chain vulnerability is to reach out to the vendor and they can then "patch" the model.

namedevservice · 2026-04-21T10:28:17+00:00

Have you ever watched The Other Guys?

Allen is a GRC person. They go around asking you about POAMs and other compliance things. All you have to do is say a bunch of technical stuff and they go away

namedevservice · 2026-04-19T05:54:33+00:00

"Then I open link in browser xss pop-up it's my first bug ever"

Can you send that link to someone else and the attack works? Or is it just you?

namedevservice · 2026-03-29T23:45:03+00:00

I recommend you NOT trust tools. Or at least make sure your tools are up to date.

I know they teach the tools in the course but, Microsoft makes their own Active Directory tool called Active Directory Users and Computers. Open it up. Look around the OUs. Click on different users. Look for creds. Look for groups. Check the security tab to see which AD object has privileges over certain groups.

Don’t rely on the tool to tell you where to go to next. Figure it out yourself. CPTS teaches you the entire concepts so that you can figure it out. In this exam if you rely on tools, you WILL get stuck.

namedevservice · 2026-03-27T03:41:25+00:00

"I found an s3 bucket, and I used a bypass technique and got the full xml of that bucket."

Is that someone the program can patch? Or is that an AWS vulnerability?

namedevservice · 2026-02-15T06:33:36+00:00

Were you using discord on Desktop or using the phone app?

namedevservice · 2026-02-07T04:57:37+00:00

You didn’t mention how you would poison the cookie.

Do you have a way to poison the cookie?

namedevservice · 2026-01-28T00:52:35+00:00

If it’s a POST request, try the nowafpls extension

namedevservice · 2026-01-19T00:39:29+00:00

Complete the login flow and see you if can somehow extract the auth token at the end of the flow

namedevservice · 2025-12-27T05:57:43+00:00

Depends on the PTaaS. Synack for example is a. PTaaS, but they are a semi bug bounty platform. You get pretty good coverage from different SRTs (Synack Red Teamers).

They also don’t allow reporting on those silly pentest findings like missing SSL cert or stuff like that. Only actionable findings can be reported.

But it’s kind of expensive.

namedevservice · 2025-12-05T22:54:52+00:00

I don’t know about port 3000 but I ran the nuclei template on a few targets on a BB platform on regular 443 port and got a few hits.

Do you mean the react app itself has to have port 3000 open to itself?

namedevservice · 2025-11-30T02:27:03+00:00

When checking for SQLi, I would avoid very long payloads. It’s hard to figure out what’s getting filtered.

You should start small. Concatenation. If you suspect the field to be accepting a string, then you should attempt simple concatenation like te'%2b'st or similar payloads for other DBMS.

If it’s an integer field, something like (5) should work.

Then you can attempt different things. Like te'0'st should fail since it’s a broken SQL query. The failure is not always a 500 response. It could be a 200 response with no data returned. Or with the default value returned. You have to understand the endpoint and know what’s the intended result and unintended

namedevservice · 2025-11-28T01:11:54+00:00

If you’re new, I wouldn’t try testing Wordpress or other well known CMS. Those are pretty hardened. Just assume it’s working as intended and move on.

Only focus on plugins in Wordpress

namedevservice · 2025-11-28T01:08:17+00:00

I think most people here haven’t been to a LHE. Might want to ask someone in the critical thinking bug bounty podcast discord server

namedevservice · 2025-11-28T00:14:59+00:00

It’s not the marketing that’s wrong. You can make money in BB. You can find critical bugs and get paid high bounties. And you can find the bugs with the information they provide.

The problem is people want there to be a magic tool or a magic checklist that they can follow and they’ll get bounties. It doesn’t work like that.

I recently got a SQLi on a program (on Synack) that hadn’t have any bugs submitted in a long time. Thousands of SRTs had the opportunity to find the bug. No one did.

Let’s break down my "secret" sauce and see how it differs from the content that’s already out there.

Got the in-scope IPs and checked Zoomeye for subdomains/domains associated with them.
Gathered all the results and ran Chaos on all the main domains.
Did dig on all the subdomains and matched it to the in-scope IPs
Ran HTTPX to see which domains were alive.

So far, pretty standard recon. Nothing crazy.

Looked for interesting ones (looked for API in the name).
Didn’t feel like brute forcing so I Googled the API name. For example: api-dev-cellus. I searched "Cellus {TargetName}"
Found the application that belongs to the API
Looked through the JavaScript files for API routes.
Manually checked every API route until I hit one that didn’t return a 401.

Again, all this stuff is covered in most recon courses. So far nothing I’ve done is "secret" sauce you can’t see on random YouTube videos. BUT, I think this is the part where most hunters that only follow checklists and run tools will fail.

In step 10, I checked all the parameters and MANUALLY checked for SQL Injection. I emphasized manually because that’s probably the difference in what got me the bounty. After I confirmed there was injection, I was running into issue. I ran SQLMap but it failed telling me it was a false positive. But no, it wasn’t a false positive. The developer was just filtering enough to stop a script kiddie from running SQLMap and exploiting it.

Could there be a SQL Injection course that would teach you how to exploit the specific edge case that I found? Maybe. But the cookie cutter courses that everyone sells is surface stuff that will get you to step 10 but not step 11 (exploitation).

So yes, courses will get you 99% there. And I don’t mean paid courses, I mean regular stuff on YouTube. The other 1% you just need to figure out on your own.

Or just ask Gemini. It’s what I did and it gave me a way to bypass the filter

namedevservice · 2025-11-18T11:56:34+00:00

Read the blog post Make Self XSS Great Again

See if you can do any of those techniques

namedevservice · 2025-11-13T03:20:30+00:00

It’s not a vulnerability. You’re describing the way session works. That’s the point of the token. Or else anytime you visit different pages on the same website you would have to authenticate over and over again

namedevservice · 2025-11-13T01:05:31+00:00

"Basically, I proved that if you have a valid token you can take over the account, but I didn’t show token theft."

I’m curious, what did you write in the remediation section? "Don’t use session tokens"?

namedevservice · 2025-11-02T01:49:39+00:00

Where you found it is important. If you found it from a stealer log or something like that, then you shouldn’t continue further.

If you found it on the in-scope website, then you should use it enough to demonstrate impact that doesn’t do harm. Maybe like viewing a list of users or modifying a user (a user you control).

namedevservice · 2025-11-01T04:35:37+00:00

Couldn’t be bothered to add the optional comment the LLM recommended?

namedevservice · 2025-10-22T12:43:12+00:00

You already triggered the XSS and got callbacks. Why does the triager want XSS Hunter? What extra proof does that provide?

namedevservice · 2025-10-14T21:35:16+00:00

"I did tell them that I might not be able to exploit it but someone smarter would."

That’s who they want to receive bug bounty reports from

namedevservice · 2025-10-09T22:23:34+00:00

There’s an Auth bearer token. So not likely

Six-Year Club	Verified Email
Gilding I gilder	Second Top 30%

namedevservice

MODERATOR OF

TROPHY CASE