HackingHub
@hackinghub.bsky.social
Educating the next generation of ethical hackers @ https://hackinghub.io
Execute the perfect Father's Day payload 👇
7 days ago
Want to HUNT for broken access control (BAC)? @NahamSec has some hacking advice for you 😎 Let’s hear it. 👇
8 days ago
Why does swapping GET 🔁 POST/PUT/PATCH work? Because it forces the server to walk code paths it never expected. Some things to try:
12 days ago
Someone: "I don't know where to learn to hack REAL targets." Me:
13 days ago
Easily fuzz log files using a wordlist of dates 🗓️ Here’s how:
1️⃣ Use ffuf to find an active log directory
2️⃣ Grab a wordlist of dates
3️⃣ Run ffuf -w dates.txt -u <URL>/log/FUZZ.log -ac -mc 200
Want to try this technique out? Hack our Content Discovery Hub now! Link in comment 🔗
15 days ago
Does this look robust? You think you can BYPASS it? 😎 Send your payloads. 🚀
16 days ago
Get the most out of your reverse engineering with GDB plugin, GEF (GDB Enhanced Features). Run this command to install:
wget -O ~/.gdbinit-gef.py -q https://gef.blah.cat/py && echo source ~/.gdbinit-gef.py >> ~/.gdbinit
17 days ago
At first glance, this looks safe. What's the issue?
18 days ago
As they say, a good defender makes a better hacker. Void Step is a simple SOC challenge, but it will allow you to think in so many ways. You will understand what your Nmap scan looks like and how defenders catch on to the activity you make as a penetration tester.
19 days ago
How good is your Reverse Engineering? Reindeer Route is a reverse engineering challenge from NahamCon 2025 Winter CTF. As of posting this, only 140 hackers were able to solve this. Can you do it?
20 days ago
Report quality can make a huge difference. @NahamSec explains why report quality is important. He also gives some tips on how to write a well-written report. 💯 Here’s a quick watch. 👇
21 days ago
When you send two values for the same parameter, different server stacks resolve it differently. PHP/mod_wsgi takes the last value. Node/Express gives an array. Python/Zope returns all as a list. This inconsistency can sometimes bypass authz checks.
22 days ago
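As an added illustration (not code from the original post), a small Python model of the mismatch the post describes: an ownership check that reads one copy of a duplicated parameter while the data layer reads the other, next to a hardened resolver that refuses duplicates of security-relevant parameters outright. The query string, record store and the pick_first/pick_last rules are constructed for the demo.

```python
from urllib.parse import parse_qs

# Constructed sample query string (not from any real target): one parameter sent twice.
QUERY = "userid=12345&userid=12344"

# Constructed records keyed by user id.
RECORDS = {"12345": "orders of user 12345", "12344": "orders of user 12344"}


def pick_first(values):
    """Keep the first value of a duplicated parameter."""
    return values[0]


def pick_last(values):
    """Keep the last value, the behaviour the post attributes to PHP."""
    return values[-1]


def handle(qs, session_user, authz_pick, data_pick):
    """Simulate a stack whose authz layer and data layer may resolve duplicates differently.

    authz_pick / data_pick are the resolution rules each layer applies to a repeated
    parameter. Returns the record served, or None when the request is denied.
    """
    params = parse_qs(qs)
    authz_id = authz_pick(params["userid"])
    if authz_id != session_user:
        return None                      # ownership check passed on the value it saw
    data_id = data_pick(params["userid"])
    return RECORDS[data_id]              # the data layer may have picked the other value


class DuplicateParameterError(ValueError):
    pass


def strict_params(qs, protected):
    """Hardened resolver: reject any request that repeats a security-relevant parameter,
    so no two layers of the stack can disagree about its value."""
    params = parse_qs(qs, keep_blank_values=True)
    for key in protected:
        if len(params.get(key, [])) > 1:
            raise DuplicateParameterError(f"{key!r} supplied {len(params[key])} times")
    return {k: v[0] for k, v in params.items()}
```

Only the combination where the two layers disagree serves another user's record; when both layers apply the same rule, the ownership check holds.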
Things you MUST know before diving into bug bounty. 😎 @NahamSec highlights the non-negotiable fundamentals of your hacking journey. Here’s a quick watch. 👇
24 days ago
Me staring at my callback server, waiting for that one Blind XSS payload I injected into a support ticket three weeks ago.
25 days ago
Here’s a quick process for finding mass-assignment vulns:
➡️ Do a GET request on any resource you own, note all fields returned
➡️ Replay those fields in the update POST/PUT requests
➡️ Add fields you see in API docs, JS source, or error messages
26 days ago
There’s a blacklist. What’s your BYPASS? 👇
30 days ago
Oh, there’s some security implementation. 😎 Do you have a BYPASS? 👇
about 1 month ago
POV: You are poking at an enterprise financial app. The DOM is full of custom elements like <vaadin-text-field>, and you see network traffic firing POST requests to endpoints with ?v-r=uidl and ?v-uiId=. You know it’s Vaadin. 👇🧵
about 1 month ago
This one is a bit tight. Can you find a crack? Craft your PoCs. (This is the frontend code. Backend code is in the first reply👇.)
about 1 month ago
Watch this: If you're using AI for hacking, are you using it as an accelerator or as a crutch? 👇
about 1 month ago
⌛Just a couple of hours left before our Spring Flash Sale ends...
about 1 month ago
The clock is ticking. Don't miss your chance to level up your skills at a fraction of the cost. Only for this weekend. 👇
about 1 month ago
🚨Spring Flash Sale: Today 5/22 – Sun 5/24 ONLY🚨
1. The Hacker's Arsenal ⚔️ Skills: Regex, Linux for Hackers, Web Exploitation, Blind XSS, and BAC. 👉 http://hhub.io/springflashsale26ha
2. Bug Bounty Essentials 🎯 Skills: Nuclei, Web Exploitation and Blind XSS. 👉 http://hhub.io/springflashsale26
about 1 month ago
The WAF catches everything, but the business logic says "come on in."
about 1 month ago
Mark your calendars. We have a surprise coming this Friday 🔦
about 1 month ago
1️⃣ Price manipulation: "amount": 100 ➡️ "amount": 0.01
2️⃣ ID swapping: /api/orders/12345 ➡️ /api/orders/12344
3️⃣ Parameter pollution: userid=12345&userid=12344
4️⃣ Changing HTTP method: GET /user/info ➡️ POST /user/info
5️⃣ Bypass using trailing slash: /secret (401) ➡️ /secret/ (200)
about 1 month ago
👤Why does swapping UUIDs just work? Devs usually trust that UUIDs are unguessable, so they skip ownership checks. And UUIDs may leak in shared objects (notifications, webhooks, public dashboards). If you can find one victim UUID, you pivot everywhere.
about 1 month ago
How do you really learn how to hack web apps? 👀 Read write-ups and disclosed reports, then hack? Watch a tutorial, then hack? Play CTFs? These are all viable ways to learn hacking, but one stands out here: playing CTFs (Capture the Flag). 🚩
about 1 month ago
I was recently hunting for IDOR in a web app, but couldn't find IDs anywhere. The app just used session tokens. Eventually I found it: the "unsubscribe" link! 3rd parties and microservices often process data using a raw database ID. It pays to sign up to newsletters!
about 2 months ago
Are you testing a Java Spring Boot app that uses RBAC to protect API endpoints? Spring Security may use AntPathRequestMatcher for access rules. If the rules are written too strictly, like locking down /api/v1/users but not /api/v1/users/, an authorization mismatch can happen 👇🧵
about 2 months ago
The depth of your assumptions and the persistence of your efforts determine your skill ceiling 🕶️
about 2 months ago
Don't get stuck in the "massive subdomain" trap 👇
about 2 months ago
"Where do I start with Bug Bounty? Where do I actually sign up and register?" It’s the most frequent question we receive from the community. Here is the answer👇
about 2 months ago
API gateway path normalization abuse. Gateways and backend APIs may normalize URL paths (like .. ; %2f) differently. For example, a gateway might evaluate the raw path, while the origin server decodes it (%2f → /) and resolves it, changing the final route.
about 2 months ago
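An added Python model (not code from the original post) of the gateway-versus-origin mismatch described above: the weak gateway matches its deny rule against the raw path, while the modelled origin server decodes %2f, strips ';' segment suffixes and resolves '..' before routing; the hardened gateway canonicalizes the same way the origin does before applying the rule. The /admin deny rule and the exact normalization steps of the origin are assumptions for illustration, and the real fix is for the gateway to canonicalize identically to whatever the actual backend does.

```python
from urllib.parse import unquote
import posixpath

# Constructed gateway rule for the demo: nothing under /admin may pass the gateway.
DENIED_PREFIX = "/admin"


def backend_route(raw_path):
    """Model of an origin server: percent-decode (%2f -> /), drop ';...' suffixes from
    each segment, then resolve '..' and duplicate slashes before routing."""
    decoded = unquote(raw_path)
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def gateway_allows_raw(raw_path):
    """Weak gateway: evaluates the deny rule on the raw, un-normalized path."""
    return not raw_path.startswith(DENIED_PREFIX)


def gateway_allows_normalized(raw_path):
    """Hardened gateway: canonicalizes exactly as the origin does, then applies the rule."""
    return not backend_route(raw_path).startswith(DENIED_PREFIX)


def mismatch(raw_path):
    """True when the weak gateway passes a request that the origin routes to a denied path;
    useful as a detection check over gateway access logs."""
    return gateway_allows_raw(raw_path) and not gateway_allows_normalized(raw_path)
```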
Let's be honest: the cat's version has more character. Literally 🕶️.
about 2 months ago
What if you could find every unique asset a company owns just by looking at their WHOIS data? If a company registers all its domains under one specific email, you can uncover every domain they've ever registered in seconds. Use this tool👇
about 2 months ago
Tired of buying courses that don't translate to real targets? 🛠️ Get hands-on with our Free Hubs. These are real-world scenarios based on actual pentests and vulnerabilities we've found in the wild. Start learning for free 👇
https://hhub.io/eSLRYyLUEV
about 2 months ago
Looking to level up your recon with Nuclei? @NahamSec shares two tips to better utilize the tool and find what others miss.👇
2 months ago
Recon dry? Default Subfinder hits basic sources only. Without API keys, you're only hitting basic public sources. Add GitHub, Censys, and Shodan keys to ~/.config/subfinder/provider-config.yaml and use the -all flag to include deep-tier sources.
2 months ago
Can you perform command injection here to read arbitrary files? 👀 drop your answer below👇
2 months ago
📝Scenario: ➡️ You found reflected XSS on a low-privilege, unauthenticated search page What’s your next BEST move? 👇
2 months ago
What if the notifications you trust were actually coming from a hacker? 🕶️ Watch the walkthrough with John Hammond to see how it works👇
https://youtu.be/wrAFZLa1TAk?si=0-FSO_Y3BDMHcbBP
2 months ago
Test yourself with this NoSQL Injection Challenge 👇
2 months ago
Only real hackers will understand this.
2 months ago
Test yourself by writing a curl command to get admin 🧐
2 months ago
Blind XSS isn't dead; it just requires more patience than you're used to 👇
2 months ago
Only a good hacker can bypass this. Drop your answer below👇
2 months ago
An uncommon but elite recon method: Subscribe to every marketing email the target company sends
2 months ago
Have you hacked a GraphQL API before? Try this one out. Find the flaw. And drop yung banger payload. 👇
3 months ago
Don't waste keystrokes. The alias command is a critical tool for optimizing your workflow and executing frequent commands instantly.
3 months ago