Это видео недоступно.
Сожалеем об этом.
Reflected xss that made 500$ Bounty | Bug bounty poc
HTML-код
- Опубликовано: 21 июн 2024
- // Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing & bug hunting so that we can protect ourselves against the real hackers..
First time aisa bnda dekha jo tny views or subscriber hony k bawjuud b hr comment k reply deta hy❤
always ❤️😇🤗
Watching your video feels demotivated sometimes. You found so many bugs and i didn't even find a single one
no bro,i have just passion to try new things evryday i dont hunt more i research more and i love that...
same
😂🎉❤
@@ashishchauhan9745 You think a bug bounty program would have an xss on their main page. This isn't even a reflected xss. Not to mention, lostsec probably didn't got any bounty. Everything's clickbait .Have you seen any proof in any of his videos of him getting bounty?. So don't get demotivated. lostsec just pastes a bunch of payload in random websites and posts the video and bros methodology is just running tools.
for payloads check out telegram channel:
t.me/lostsec
Lostsec: one thing: if in all your videos your just using wsl and browser: you said you just got new msi thin 15: leave your previous laptop as is with windows host and wsl: and grab another NVMe: Install Ubuntu host: put VB on it: make a Ubuntu VM (so you can clone in case anything goes wrong) and do everything your doing in the Ubuntu VM. Then you have the Linux terminal and still have whatever web browser you want. Windows as a host runs Ubuntu VM slow, but if Ubuntu is both your host and VM, the VM is fast. Also for everyone: Kali is designed to only be run as a VM or as instance on aws ec2. No one at OFSEC will recommend you run Kali bare metal. But for reliability: you will probably have easier time with Ubuntu or Fedora. Even to the point all the RHEL guys are starting to switch to Ubuntu.
kali have its own updated repo and many tools preinstalled in that repo so dont need to download it from other sources..your all things are updated like latest kernal and all stufss in kali.in ubunto you need download all tools from other source s..
@@lostsecc Honored I got a reply from you! Yeah I have a Kali, Ubuntu, and W11 VM. Is it just me or are PATHs for both Go and Python annoying in Linux? I have one Kali VM then I will not let anything happen to because I was able to get a specific scanner installed in my favorite scanner. I have not been able to install the same scanner in any other Linux VM I have. But also: I think I see you’re using Windows 10. I have been able to get the base Ubuntu installed in wsl (whichever one they automatically install when they install wsl), and I was able to get Ubuntu 24.04 and also wsl Fedora installed. But so far in windows 11 as a bare metal install, Kali rolling just doesn’t want to install. But yeah: it seems all the strictly cyber guys are in Kali, and all the former devs/programmers are all in Ubuntu. But now it’s seeming more and more popular to run W with wsl. I think the real challenge all beginners are gonna have to overcome is: literally every “hacker” I know of: does it differently: everyone pretty much has to develop their own “method”. And then what’s gonna piss a lot of them off is that some of the guys who started in the mirror early 90s still today a little python But not that much. And they all made most of their money in the days when Yahoo was it.
New setup has a big screen ❤❤
❤️🤗
Nice finding bro ,However what is the impact since it can't be delivered to vicitm
no much its post xss
Payload kaha sei mila
My brother, where can I find the six bylaw xss? I couldn’t find him even on Telegram. Can you send him via comment or write his name?
I would like you to respond to the comment, where can I find the xss plugin that I tried on?
Bro You uploaded a video yesterday and your video got deleted today.
Would you like to upload that video on your Telegram channel?.
wait its in review
@@lostsecc Ok I'll wait....
How to distinguish between stored and reflected xss?
reflected means only its reflect on client side only..in stored its stored in databse of website
@@lostsecc ohhh so I think i found a stored XSS On websites
Thanks for the info :)
Good job! I cant even get a single bounty lol.
u will get keep going ❤️
I’m new and wanting to learn, sorry if it sounds nooby. My question is why is it significant what you found? What can be done with the two things that came up? Anything I can read that you recommend?
account takeover if its reflected in url parameter
@@lostsecc with what knowledge do you end with this ?
@@lostsecc but it does not seem like these xss are in the url parameter in the video
Bro give me a guide pr roadmap of yours u followed to become a professional bug Bounty hunter bro tell me the books and resources and course u have finished for this
just read some yt theory video understand the concept after that solve portswigger labs then read some writups or hackerone reports..
Basically those where multiple xss bugs in one input field did you report them all at once??
yes
nice bro keep going and upload videos Daily I'll support you
but please share your play list even a screen shot from your musics is okay I'll search them by my self (:
dark beach slowed
I must commend your consistency 🙌
❤️🤗
can i get those payloads that u using ?? on this video
check telegram bro
@@lostsecc didnt got brother
Nice work bro keep going.. Love from Pak
my pleasure brother ❤️😇🤗
Hey lostsec, will you upload the ffuf video again? Saw that this amazing platform removed 😂
Thanks
its in review hope its back ❤️
Could you please tell about your new lap
I'm planing to buy one or can u suggest one
msi thin 15 bestt and light weight
@@lostsecc thanks a lot brother
do you recomend to start on a VDP, gain some reputation and then go to private programs, or just start on public BBPs
try according to your skills if u have good skills why not hunt on bbp but yeah u can start with vdp but dont invest muvh time on these..
@@lostsecc ok thx bro for everything :)
@@lostsecc My brother, what is BBP and VDP?
bbp:bug bounty program where u get money paid if you found bug
vdp&rvdp:its responsible disclosure programs where u did'nt get anything paid just points or hof
bro great ❤️❤️.bro please give some beginner friendly video so that fresher like me can find some love you ❤️❤️🥰
just stay with channel and telegram i will upload all
which sites you recommend for bug bounty for begginners ? I mean are there any sites that include programs that are more likely to have vulnerabilities or easy to find vulnerabilities ?
portswigger lab is best for upgrade your skills bro..
why havent lapinoz fixed it yet
some company dont care about there security
If it is ok you can share the payload for our reference
i shared in telegram channel must check
Like to learn how to get started
i shared path in telegram channel must check
Hi, bro. I'm trying to start in this world. One question: where or how do you report that vulnerability?
use hunter.io extension
@@lostsecc Ok. But I understand that hunter looks for email addresses, so how did you know which one of them to send the report to or what did you do with the extension? Also, how did you know that there was a rewards program for that vulnerability? Sorry, it's just that I have a lot of questions. 😅 I would apreciate it if you could help me.
there is option for that and show you also support email just report on that
@@lostsecc Oh, got it. Thank you so much!
They don't even have a bug bounty program and if they had they wouldn't have self xss on their main page. This isn't even a reflected xss. Not to mention, You probably didn't got any bounty. Everything's clickbait.
yes its clickbait
@@lostsecc Just a simple payload alert(3) is working, that means your other payloads are useless except for one payload. What is the benefit if you bypassed the cloudflare but your payload isn't executing. If you are truly passionate about hacking, you should stop wasting your time on copy pasting useless payloads and learn some real hacking.
i know that this only for this video..so you all got idea..
Those payloads not icluded on ur github repo
i shared in telegram bro
Previous month, I reported around 8 RXSSes :)
good job ❤️
Why is it Reflected I don't even see it on the url
How can you expose the victim to XSS of this type?
its post based xss
Nice video bro, can you share your xss payload list?
i shared in telegram bro
Bro please do video about ur new pc
Hey man, could you share your xss cheatsheet?
telegram
I love this, plis share how to hunt with dorking my brother 🙏
join telegram brother i shared there all..
hello bro first of all thank of providing this kind of valuable content . brother while on a a program i found a ftp access of a third party website now iam confused what can i do with that because that company does't have b.b program
you can upload shell and get full system access
@@lostsecc thanks for replying but as I said they didn't have any active bug bounty program 😕
noprbm just report them on there support email
@@lostsecc ohkk thanks sir 🙂
Superb, sir i am beginner please suggest me a yt channel in hindi for clear my concepts
just read writups or hackerone reports are better..
That isn't self xss ? Coz there was nothing changing in the url ? If its a self xss then how do they get accepted this ?
yes its self xss bro
@@lostsecc then how did they get this accepted ?
@@H4cker_Nafeed click bait brother 😉❤️
@@lostsecc Nice IQ
Bro aap kitna time dete ho
what you suggest for starters and which roadmap is good for you?
portswigger
@@lostsecc thnx bro
Can we get the list of waf bypass payloads?
i shared in telegram channel
@@lostsecc thanks
Bro i have watched your vedios of recon ( bug bounty vedo 1 & 2 ). I followed that..now i am stuck what to do with this information. Like js etc. i am a beginner and we dont know this . Plz help us about this. You r the only hope now. I have requested so many youtubers about this but no one replied. Plz help . How to proceed ahead further. Thankyou very much bro for your all efforts.
after collecting js file use secret finder or you can directly send that urls with .js in nuclei they will automate find all keys..
@@lostsecc yes bro I did that , as I said I have followed your all steps and also found some keys like heroku api keys something like that. What can I do with those keys. Is that any vulnerability. Whats the use use of those keys. Sorry for wasting your precious time for this silly questions but bro you are my only mentor now. Can't explain your greatness in words as you are helping the beginners like us. Thankyou.
bro, i need that payload list that you used for xss
check telegram bro in media ❤️
Good Job brother keep it up❤
❤️
Hello, can you put your xss scripts available for us it will help a lot please😊😅
alrady shared bro in telegram must check
name of background music ?
dark beach slowed
Bro could you share that xss payload cheat sheet please
i shared in telegram channel bro
Bro give that notebook
i shared in telegram bro
Hey Nice Find though based on above video it looks like self XSS and did the company really rewarded for it? Also i checked the website and i see that the issue is still reproducible and haven't fixed yet the company awarded you before even fixing the bug that's too kind lol 😂. Bro Please tell me from where you find your targets to test i reported too reflected xss on bug crowd and they are in triaged state for 1 month 😢. idk if they forgot it or what...
bro thats clickbait all people do so the video goes to more audidence ❤️
@@lostsecc Ok though I will advice not to do that as it misleads people into believing bug bounty is easy and they can earn a living out of it just by running some automated tools and not learning base of it. "You must learn to make it before break it"
all big youtuber use man..and its not fake if u find same in bbp you will get i just share the methodlogy..
@@lostsecc yes I admit your recon and automation workflow videos are actually quite good but what I meant to say is many people think bbp is get rich quick skim by hearing from bounty news from other youtubers. So we shouldn't fool them just an opinion obviously it's your channel and video who am I tell...
just active on twitter you will know how people earning from this daily...
Your payload is not working now.
what payload
Congratulations 🎉👏
Yrr aapki payload list send krdo plzz ❤ ur genius man ... ❤
check telegram in media tab i shared all..
Can you share payload list??
i shared in telegram bro check out
Bro how to bypass filters.
learn some waf evasion technique
Aap reply karte hai jo apko dusro se bahut alag banaati hai
my pleasure ❤️😇
Could you share your payloads
check telegram
can you provide that bypass payload
i shared in telegram must check
can you please make a video about sql injection
sqlinjection not allowed in yt they give strike for such video
Can we get that different payloads list?
check telegram bro
Is there any way to bypass html entities?
ywah
How did you find the target?
just passion to explore things..
Or yeh b kindly bta den k konsa payload kahan apply krna hy please sir
check sourcecode and check what payload encoding there or bypass and try according to that..
my bro where i found their bug bounty program cause i found a vulnerability😇
use google dork if there is any bbp and if not use hunter.io extension and extract email id and send to them..
@@lostsecc I found 2 Emails only
ok I will send to them Thnnx🙂
can i get the payload list
check telegram
Bro isn’t this a self xss?? And they paid you for this😮
Love you content brother❤❤❤❤
❤️😇
Pls Share these payload 😢
check telegram channel
How do you find website for bbp ? I
i just test when i have time and try something..
wo jitney bhi payloads hey..channel mey dijiye na
i shared in telegram check out ❤️
Music name❤❤❤????
dark beach slowed
Bhai mai kasam kha ka such bol rha hu aaj sa 5-6 mahina pahila ya vernability meko mil gai thi is site pai mai email kiya call kiya kcuh reply nhi aya inka at the end maina ignore kar diya tah self xss samjh ka
yeah its still self xss
@@lostsecc to fir bhai tumna titel mai bunty likha ha ??
Your videos are amazing, keep it up, can you share the payload? ❤❤
in shared in telegram check out ❤️
@@lostsecc nothing there
@@yahai_ check media and check files and xss.txt
Bro sent their xss payload file.txt please...😊
i shared in tg channel bro check in media ❤️
@@lostsecc what is the channel
could you share your payload
i shared in telegram bro
@@lostsecc okay, let me check. thanks
Self xss hai syad ??
yes;)
@@lostsecc pkka self xss hai bro ???
Is this windows a VM?
wsl
@@lostsecc Ohh, I see.
can i get that payloads
check telegram channel
i need test payloads
check my telegram brother ❤️
i need the payload : )
i shared in telegram must check
Awesome
Bro its reflected xss or self xss?
both
Please share that payloads bro
check telegram brother
Bro Sub Duplicate hoo raha hai
song name ?
dark beach
Can u send payload files
check telegram
Crazy🎉
Yo u leaked ur ip address when u alerted you cookies
aah i see,its not mine bro i use inbuilt proxy..
@@lostsecc hahaha u got good opsec then
Can i have your payloads?
check tg brother
This is Blind or Reflected ؟
reflected
@@lostsecc There are programs that they do not accept, and they tell me that there is no danger to the user
yeah bcz its self so
Bro I think it's not fixed till now 🎉
yes
bro need this all payload
i shared in my telegram bro
@@lostsecc ❤️❤️
Appreciated
❤️
Your sharing is looking awesome but😢😢 i cant understand yet
you will
Bhai report kaha pr kiya...??
email
Can you please share this payload.txt file 🥺
check telegram ❤️
@@gowtham8774 it's there, I found it recheck
@@lostsecc brother provide telegram channel
please send this payload link i checked ur telegram not avail this payload
ok sure i send u and find more payloads in channel media tab
Ok, please send
@@lostsecc I also need this
Bro share ur private nuclei templates it's not there in ur telegram
uploading soon..
@@lostsecc u didn't replys on telegram I MSG u lots of time
Tell me command of ssrf map while we hunting on mass urls
sach mein La pino'z 500 usd diyea hein ? ya fir majak hein 🥲
how to join the telegram group. i want to know about the cheatsheet used
t.me/lostsec