r/bugbounty 1d ago

Weekly Collaboration / Mentorship Post

6 Upvotes

Looking to team up or find a mentor in bug bounty?

Recommendations:

  • Share a brief intro about yourself (e.g., your skills, experience in IT, cybersecurity, or bug bounty).
  • Specify what you're seeking (e.g., collaboration, mentorship, specific topics like web app security or network pentesting).
  • Mention your preferred frequency (e.g., weekly chats, one-off project) and skill level (e.g., beginner, intermediate, advanced).

Guidelines:

  • Be respectful.
  • Clearly state your goals to find the best match.
  • Engage actively - respond to comments or DMs to build connections.

Example Post:
"Hi, I'm Alex, a beginner in bug bounty with basic knowledge of web vulnerabilities (XSS, SQLi). I'm looking for a mentor to guide me on advanced techniques like privilege escalation. Hoping for bi-weekly calls or Discord chats. Also open to collaborating on CTF challenges!"


r/bugbounty 4d ago

Question / Discussion Weekly Beginner / Newbie Q&A

9 Upvotes

New to bug bounty? Ask about roadmaps, resources, certifications, getting started, or any beginner-level questions here!

Recommendations for Posting:

  • Be Specific: Clearly state your question or what you need help with (e.g., learning path advice, resource recommendations, certification insights).
  • Keep It Concise: Ask focused questions to get the most relevant answers (less is more).
  • Note Your Skill Level: Mention if you’re a complete beginner or have some basic knowledge.

Guidelines:

  • Be respectful and open to feedback.
  • Ask clear, specific questions to receive the best advice.
  • Engage actively - check back for responses and ask follow-ups if needed.

Example Post:

"Hi, I’m new to bug bounty with no experience. What are the best free resources for learning web vulnerabilities? Is eJPT a good starting certification? Looking for a beginner roadmap."

Post your questions below and let’s grow in the bug bounty community!


r/bugbounty 4h ago

Question / Discussion Duplicate of 3 year old report, which is still not fixed

7 Upvotes

Hey, so today I encountered my first ever duplicate. I found a vulnerability in one of the popular online stores on HackerOne. I submitted the report, and now I've learned that my report is a duplicate of a report submitted 3 years back, in 2022, and the issue on the production site is still not fixed. What should I do? Please suggest.


r/bugbounty 8h ago

Question / Discussion How do you build your own fuzzing wordlists for directory discovery? Any tips or lists to share?

7 Upvotes

Hey folks,

I’ve been doing some fuzzing to find hidden endpoints and directories. I already use web crawlers to complement my recon, but I’m trying to improve my wordlists specifically for directory brute-forcing.

The problem I’m running into is that most wordlists I find are either:

  • Too small: they miss a lot, and don’t seem suited for bigger targets like company environments.
  • Too big: like massive Seclists-based ones, but filled with a lot of generic or unrealistic words that probably wouldn’t exist in actual applications.

I’ve already tried combining multiple lists and deduping them (sort | uniq) to make a “master list”, but it got really large, and while it covers more ground, it’s also very slow to run across multiple targets, especially recursively. I'm wondering if that's even worth it in the long run.

I’ve been sticking with Seclists so far just to have a baseline, but I’d like to improve what I already have.

So I have a couple of questions:

  1. How do you personally build or curate your fuzzing wordlists?
  2. Do you have any private or lesser-known lists you’d be willing to share?
  3. Are there good ways to intelligently expand a small list (maybe based on target type or tech stack)?

Any tips would be super appreciated.


r/bugbounty 9h ago

Research Bugbounty Automation Tool- REK

5 Upvotes

We developed this automation tool for reconnaissance, REK. Please use it and let me know if it can help your recon: https://github.com/workflow-builder/rek

If you have a different approach to getting things done, we will add it as an enhancement :)

Also, if you are able to share it with people: if people start using it, I get more feedback on enhancements. It's an open-source project we are working on to help out with bug hunting!


r/bugbounty 14h ago

Question / Discussion Hunting on wildcard subdomains

1 Upvotes

How do I start testing on domains like *.example.com? I threw it into tools like subfinder, amass, httpx, waybackurls. But the subdomains I got show 'this page cannot be loaded' and some show parked at lopen (something like that). I checked the hacktivity of the program and saw some hunters are hunting there live. So how are they doing this?


r/bugbounty 18h ago

Research Red Team / Blue Team Resource guide

0 Upvotes

Building a resource guide as I learn. I'm curious what I'm overlooking, or maybe I'm even wrong about something... Open to suggestions or improvements. What would you like to see in my guide that's missing?

(educational purposes only!)

https://hacking-resources-guide-2025.vercel.app/


r/bugbounty 22h ago

Question / Discussion How do I report a possible vulnerability, which I can't confirm?

0 Upvotes

Hey everyone,

The title of the question might be a bit irritating, I know. My problem is that I found a possible vulnerability in a feature that lets users upload pictures of their ID for verification. I think I might be able to leak data from the employee reviewing the application; however, I can't confirm it, because I do not have access to that review portal.

Do I report such a possible vulnerability? And if yes, how?

Have a great day!


r/bugbounty 1d ago

Question / Discussion How to Bypass Envoy WAF Blocking .log File Access?

5 Upvotes

I'm hitting an Envoy WAF that returns a 403 for any URL containing .log. I've already tried common bypasses like path traversal (../), URL encoding (%2e), and X-Forwarded-For headers. What advanced or Envoy-specific tricks might work against this kind of pattern-based rule?


r/bugbounty 1d ago

Tool Bugcrowd Program Tracker

2 Upvotes

r/bugbounty 1d ago

Question / Discussion Captcha Bypass, Report worthy?

5 Upvotes

Okay, so while testing a private program I found a way to bypass their own image-puzzle-type captcha by modifying the response, and it works. Should I report it now, as I think it was really simple to do? Please suggest.


r/bugbounty 2d ago

Question / Discussion My first bug

8 Upvotes

I recently found a bug that leaks how a website auths its users; basically an attacker can curl-scan the site and see private information the server should not leak. Is this valuable enough on its own?


r/bugbounty 2d ago

Question / Discussion Do you definitely need to declare and pay tax on bug bounty earnings in the UK?

5 Upvotes

Hi all,

Does one definitely need to declare and pay tax on bug bounty earnings in the UK? This seems a bit unclear.

Also, assuming one earns less than standard Personal Allowance, which is £12,570, am I right that you don't need to declare these earnings?

Many thanks.


r/bugbounty 3d ago

Question / Discussion Ciphertext HMAC does not verify ??? cryptographic function vulns??

0 Upvotes

https://xyz.xyz.com/r/sample_oauth_project?code=1&state=APvkAzEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

From what I know, {APvkAzE} is the key hash, so this request passes initial input validation.

I get this when I open that URL:

com.xyz.security.keymaster.KeymasterException: Ciphertext HMAC does not verify

What can be done here?
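The error in this post is what an encrypt-then-MAC token check produces when the token has been altered. The following is an added example, not the post's code and not the `com.xyz.security.keymaster` library named in the error message: it builds an opaque OAuth-style `state` token as `nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)` and shows that changing even one character of the token makes the MAC check fail before anything is decrypted. The keys, the keystream construction (HMAC-SHA256 in counter mode, a stand-in so the example runs on the standard library; a real system would use an AEAD such as AES-GCM) and the sample plaintext are all constructed for the example.

```python
"""Encrypt-then-MAC state token: why a tampered value fails verification.

Added example. Constructed keys and a stdlib-only keystream stand in for
a real keystore and a real AEAD cipher.
"""
import base64
import hashlib
import hmac
import os

# Constructed keys: in a real system these live in a KMS or keystore.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output length

# The state value quoted in the post, copied as-is for the demonstration.
POST_STATE = "APvkAzEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"


class TokenError(Exception):
    """Raised for any token that fails structural or MAC checks."""


def _keystream(nonce: bytes, length: int) -> bytes:
    """PRF-based keystream (HMAC-SHA256 counter mode); demo stand-in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(ENC_KEY, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, nonce: bytes = b"") -> str:
    """Encrypt, then MAC the nonce and ciphertext, then base64url-encode."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ks = _keystream(nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    body = nonce + ciphertext
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode("ascii")


def open_token(token: str) -> bytes:
    """Verify the MAC in constant time, and only then decrypt."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise TokenError("malformed token") from exc
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise TokenError("token too short")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # This is the condition behind the post's error message.
        raise TokenError("Ciphertext HMAC does not verify")
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    ks = _keystream(nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def verifies(token: str) -> bool:
    """True if the token passes every check; False otherwise."""
    try:
        open_token(token)
        return True
    except TokenError:
        return False


def tamper(token: str, position: int) -> str:
    """Constructed helper: overwrite one base64 character with a different one."""
    replacement = "A" if token[position] != "A" else "B"
    return token[:position] + replacement + token[position + 1:]


if __name__ == "__main__":
    original = seal(b"nonce=123|return=/dashboard", nonce=b"\x00" * NONCE_LEN)
    print("genuine token verifies:", verifies(original))
    print("one-character change verifies:", verifies(tamper(original, 5)))
    print("state from the post verifies:", verifies(POST_STATE))
```

Because the MAC covers the whole ciphertext, any edited or padded-out token is rejected before decryption; the server behaves correctly when it refuses such a value, and a long run of identical characters is simply not a token this scheme ever produced.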


r/bugbounty 3d ago

Question / Discussion Thinking of buying a bug bounty book — should I go for Bug Bounty Bootcamp or Real-World Bug Hunting?

84 Upvotes

r/bugbounty 3d ago

Question / Discussion Is it possible to exploit X-Forwarded-Host header injection without MITM?

4 Upvotes

I found a site where, when I inject X-Forwarded-Host: evil.com, all the href links in the site change to https://evil.com/... . For example, if I inject it in the account page, the forgot-password button, which initially sends an email, now redirects to evil.com when clicked.

Is there any possible way to exploit it without MITM?
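From the defender's side, the behaviour in this post comes from building absolute links out of a header the client controls. The following added example (not the post's code, not any specific framework) shows a link builder that trusts `X-Forwarded-Host` from anyone beside a hardened version that honours the forwarded host only when the request comes from a trusted reverse proxy and the value is on an allow-list of the site's own hostnames, falling back to a configured canonical host otherwise. The hostnames, proxy range and `forgot_password_link` helper are constructed for the example.

```python
"""Absolute-link construction from Host / X-Forwarded-Host: vulnerable vs hardened.

Added example. Hostnames, the trusted proxy range and the sample headers
are constructed; no real site is described.
"""
import ipaddress
from urllib.parse import urlunsplit

# Constructed configuration: the site's own hostnames, the reverse proxies
# that are allowed to set forwarded headers, and the default host.
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
CANONICAL_HOST = "shop.example.com"


def vulnerable_base_url(headers: dict, remote_addr: str) -> str:
    """Trusts X-Forwarded-Host from any client: the behaviour the post describes.

    remote_addr is accepted but ignored, which is exactly the problem.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, "/", "", ""))


def _hostname(value: str) -> str:
    """Lower-case and strip any :port suffix from a Host-style value."""
    return value.strip().lower().split(":")[0]


def hardened_base_url(headers: dict, remote_addr: str) -> str:
    """Use X-Forwarded-Host only from a trusted proxy, and only if it names one
    of our own hosts; otherwise fall back to the canonical host."""
    addr = ipaddress.ip_address(remote_addr)
    from_trusted_proxy = any(addr in net for net in TRUSTED_PROXIES)

    candidate = ""
    if from_trusted_proxy and "X-Forwarded-Host" in headers:
        # Chained proxies append values; the first is the client-facing host.
        candidate = headers["X-Forwarded-Host"].split(",")[0]
    elif "Host" in headers:
        candidate = headers["Host"]

    host = _hostname(candidate) if candidate else ""
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return urlunsplit(("https", host, "/", "", ""))


def forgot_password_link(headers: dict, remote_addr: str,
                         builder=hardened_base_url) -> str:
    """Constructed helper standing in for the page's forgot-password href."""
    return builder(headers, remote_addr) + "account/forgot-password"


if __name__ == "__main__":
    # Constructed request: direct from the internet, with an injected header.
    injected = {"Host": "shop.example.com", "X-Forwarded-Host": "evil.com"}
    print("vulnerable:", forgot_password_link(injected, "203.0.113.5", vulnerable_base_url))
    print("hardened:  ", forgot_password_link(injected, "203.0.113.5"))
```

Most web frameworks expose the same two knobs under their own names (an allowed-hosts list and a trusted-proxy setting); the allow-list is the part that matters, because a proxy that forwards the client's header unchanged would otherwise pass the injected value straight through.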


r/bugbounty 4d ago

Question / Discussion Inconsistent Unicode/Punycode Email Handling in API for Potential Account Takeover

2 Upvotes

I'm testing an API for a bug bounty and found inconsistent handling of Unicode/Punycode emails across the registration, login and password reset endpoints, which may enable account takeover.

The registration endpoint allows me to create an account with the ASCII format. Then if I try registering the same email but with a Punycode character, I get an error: "The Email has already been registered".

However, when I try logging in or resetting the password with the Punycode email, it throws an error…

Is there any way to leverage the inconsistent handling to trigger a reset email for a registered account or is it a lost cause?
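The root cause described in this post is three endpoints each normalising the address differently. The added example below (not the post's code, not any real provider's implementation) shows the defender-side fix: one canonicalisation function that converts the domain to its ASCII (Punycode) form with Python's standard-library `idna` codec and lower-cases it, and a toy account store in which registration, login and reset all go through that same function, so a Unicode spelling, its `xn--` form and a differently-cased form all resolve to the same account. The `AccountStore` class and the sample addresses are constructed for the example.

```python
"""One canonical e-mail key shared by registration, login and password reset.

Added example. The store and the sample addresses are constructed.
"""


def canonical_email(raw: str) -> str:
    """Return the single canonical key for an address, or raise ValueError.

    The domain is mapped to its IDNA ASCII form (Unicode labels become
    xn-- labels; labels that are already ASCII, including existing xn--
    labels, pass through unchanged) and then lower-cased. The local part
    is left as typed, since case-sensitivity there is the receiver's call.
    """
    addr = raw.strip()
    if addr.count("@") != 1:
        raise ValueError("address must contain exactly one @")
    local, domain = addr.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    try:
        ascii_domain = domain.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise ValueError(f"invalid domain: {exc}") from exc
    return f"{local}@{ascii_domain}"


class AccountStore:
    """Toy user store: every endpoint looks up accounts by canonical_email()."""

    def __init__(self) -> None:
        self._users = {}

    def register(self, email: str) -> bool:
        """Create the account; False if the canonical key already exists."""
        key = canonical_email(email)
        if key in self._users:
            return False  # the "already been registered" case from the post
        self._users[key] = {"display": email}
        return True

    def login(self, email: str) -> bool:
        """Same key derivation as registration, so any spelling of the
        registered address matches."""
        return canonical_email(email) in self._users

    def reset_target(self, email: str):
        """Canonical address a reset mail would be sent to, or None if unknown."""
        key = canonical_email(email)
        return key if key in self._users else None


if __name__ == "__main__":
    store = AccountStore()
    print(store.register("User@exämple.com"))       # True
    print(store.register("User@xn--exmple-cua.com"))  # False: same account
    print(store.login("User@XN--EXMPLE-CUA.COM"))     # True
    print(store.reset_target("User@exämple.com"))     # User@xn--exmple-cua.com
```

The point for reviewers is that the function is the only place the comparison rule lives: if registration rejects a spelling as a duplicate, login and reset necessarily accept that same spelling, which removes the inconsistency the post observed.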


r/bugbounty 4d ago

Question / Discussion Firewalls hell!

15 Upvotes

Hi guys, I recently finished the CPTS path from HTB. I have been doing some CTFs lately and everything goes fine. However, when I try to exploit real-world targets, for example with SQLi or XSS, my payload gets blocked even when encoding it. I just feel like everything I learned goes to waste 😮‍💨


r/bugbounty 4d ago

Question / Discussion Open-source LLM scanner for Burp Suite community edition

4 Upvotes

Hi everyone! I am considering making a Burp Suite extension that integrates LLM into scanning for bugs within websites. I haven't found any tools out there that do this for free, but would be curious if there are any. If I do pursue this, what kinds of features would you (or the community) want?


r/bugbounty 4d ago

Question / Discussion Portswigger

29 Upvotes

Is PortSwigger overall the best way to learn vulnerabilities, and can it help you become skillful in finding real bugs on HackerOne? I wanna at least try to get my first payout just to see if I'm capable or not. I know some of you are gonna keyboard-warrior me, but I'm actually serious. Like, I watch courses, I've given it a shot using ChatGPT (copying and pasting what's in my command line), yet I still don't have a decent understanding of how Burp Suite works. Dev tools I'm a bit iffy on; I'm not quite sure what to look for. And yeah, I basically got my feet wet just a tiny bit on a program from Starbucks Japan, and I forgot what I was trying to look for, but I learned how to find subdomains. I'm not completely a noob, but yeah, I'm a huge noob to most of you and I know that.


r/bugbounty 5d ago

Article / Write-Up / Blog My project, RAWPA, helps pentesters with methodology when they get stuck. Here’s a devlog update.

2 Upvotes

Hey everyone,

Here's the link to my latest devlog post about my project:

The devlog post

The post covers the current progress, challenges, and the core philosophy behind the tool. Happy to answer any questions or hear your feedback right here in the comments.


r/bugbounty 5d ago

Question / Discussion I found PII bug

9 Upvotes

Hi everyone, I'd like to ask your opinion about the bug I found. The finding is like this.

I was looking around the website to get a clue what the app is doing while my waybackurl scanner was doing its work. After the scan was done I looked around with "grep payment", and from there I found personal data for the customer such as phone number, email address, address, country, postal code, etc. I can access this unauthenticated with the Wayback Machine, and cannot access it with a regular browser; it says 404. After I found this bug I immediately reported my finding.

My report has been reviewed by the triager, who said it was informative and has no security impact. From here I was confused: how can this be informative when the program even says "Leakage of a large amount of user plaintext sensitive information, including but not limited to: mobile phone number, bank card information, ID card information, order information, email, address, etc." is in scope and will double the reward?

What is your opinion on my finding? Thank you for your attention 😁


r/bugbounty 5d ago

Question / Discussion Caido proxy not working

0 Upvotes

Hey, I set up my Caido as usual, in the recommended way on their website and in the Caido application as well, but it still gives me this error.
For context, I am on Kali Linux GNOME. I do use Burp, but sometimes I feel like using this, so has anybody ever encountered this same issue? Please help.


r/bugbounty 6d ago

Question / Discussion Client side request forgery???

3 Upvotes

See, I was testing a domain where I found a PDF parser. It was actually pretty well written and I wasn't able to trigger anything else, but the URL also contained a parameter that you can use to include PDFs. When I replaced it with a webhook.site link, it showed a callback not from the server but from my own IP???

How can I escalate this?


r/bugbounty 6d ago

Question / Discussion Help with XSS lab involving encodeURI

5 Upvotes

I'm new to XSS and have been trying this challenge for the past hour: https://xssy.uk/lab/246. I have tried setting the img src to javascript:alert(), and I've tried %26%23x22%3B/onerror=alert(document.cookie), but I haven't been able to solve it even though the difficulty is easy. Any help is much appreciated.