bebiks @bebiksior Twitter profile

Pinned Tweet

bebiks

7 months

I'm excited to announce the release of my SSRF Utility tool (still open to name ideas, DM me :)). It's for bug hunters to discover and exploit SSRF vulns. Inspect incoming HTTP requests with full control over HTTP response. #bugbounty

18

92

427

Last Seen Profiles

@soheelovr

@itsbownetbow

@Smokey8

@hijabjilbab1

@ranputation

@mccracken_gavin

@Perkzxo

@jandakembangstw

@kellyykao

@padglima

@jbickdakid70152

@radiompbfm

@sparkliepills

@paynafn

@pskn_coli

@tkcper1

@Benny23100

@Tereza51998324

@itsEroticlife

@yae277257280121

@CheverlyFrankie

@AcornEdward

@avex_ROYALBRATS

@hijabjilbab1

@SU1C1DESLUT

@wisbechrugby

@Rhodestexas

@yuki_koukan

@dumond_ed

@4lvz60hs2z4v

@b2a2ff0c49ac428

@stw_pdg

@BGBisonAD

@hate2luvdk

@humdard28

bebiks

@bebiksior

6 months

First ever SQL injection rewarded :-D

38

66

1K

bebiks

@bebiksior

23 days

Yay, I was awarded a $18,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder

HackerOne profile - bebiks

¯\_(ツ)_/¯ - http://ssrf.cvssadvisor.com/

hackerone.com

22

4

312

bebiks

@bebiksior

6 months

While digging into a web app, I spotted a request with `&sort=DESC` in my proxy. It raised a flag since SQL can sort using `ORDER BY DESC`. Threw in a simple ', and the server threw a 500 Internal Server Error. Went deeper, and tried `DESC LIMIT 1 --` and got a single result.

11

25

253

bebiks

@bebiksior

7 months

Exactly one year ago, I stumbled upon bug bounties for the first time and got @NahamSec udemy course. Within a week, I discovered my first ever valid XSS bug. Now, one year later, I've crossed 1k reputation points. Very grateful for many great writeups - learned a lot from them.

10

9

151

bebiks

@bebiksior

8 months

Yay, I was awarded a $2,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder

HackerOne profile - bebiks

¯\_(ツ)_/¯ - http://ssrf.cvssadvisor.com/

hackerone.com

7

0

97

bebiks

@bebiksior

1 month

CaidoReflector v1.0 is out! :D Automatically look for paramater reflections in the HTTP response. Currently it supports GET and POST requests with query string body (json is not supported yet).

1

15

98

bebiks

@bebiksior

2 months

🤯

3

0

94

bebiks

@bebiksior

6 months

First changes :D - Instances are now hosted on the domain. ( still works without DNS callbacks) - Shortened Instance IDs to 8 characters. - DNS callbacks are now shown in the requests tab. - You can now

2

13

90

bebiks

@bebiksior

3 months

EvenBetter v2.1 is out!! Changelog: - Quick SSRF: Quickly create new SSRF testing instance and view interactions on the new sidebar page. Now supports `` and `` - Quick Decode Enhancement: You can now edit

bebiks

@bebiksior

3 months

EvenBetter v2.0 released! Changelog: - Quick Decode: new feature that allows you to quickly decode text just by selecting or hovering over it on the Replay page - Send to Match & Replace: new context menu button page that allows you to quickly send

2

10

64

2

13

82

bebiks

@bebiksior

8 months

The first bug in October got triaged & rewarded. It's on a public program on H1, will try to disclose it :-)

8

3

74

bebiks

@bebiksior

23 days

@Hacker0x01 just a reminder: it's important to remember that there are times when things slow down. The first few months of 2024 were super tough for me in terms of bug bounties, I was super unmotivated and was feeling pretty rough. It's all part of the game, so staying persistent is key :D

2

5

74

bebiks

@bebiksior

8 months

I earned $4,000 for my submission on @bugcrowd #ItTakesACrowd Stored XSS :)

bebiks on Bugcrowd

View bebiks’s researcher profile on Bugcrowd, a platform and team of experts connecting organizations to a global crowd of trusted security researchers.

bugcrowd.com

5

3

68

bebiks

@bebiksior

3 months

EvenBetter v2.0 released! Changelog: - Quick Decode: new feature that allows you to quickly decode text just by selecting or hovering over it on the Replay page - Send to Match & Replace: new context menu button page that allows you to quickly send

bebiks

@bebiksior

3 months

EvenBetter v1.7 is out! Changelog v1.7: New EvenBetter Library tab! Install workflows into your Caido project with a single click.

1

4

30

2

10

64

bebiks

@bebiksior

8 months

just found CSRF leading to ATO, life is gooooddddd

4

0

61

bebiks

@bebiksior

1 year

Yay, I was awarded a $900 bounty on @Hacker0x01 ! #TogetherWeHitHarder

HackerOne profile - bebiks

¯\_(ツ)_/¯ - http://ssrf.cvssadvisor.com/

hackerone.com

1

49

bebiks

@bebiksior

4 months

Here's how to integrate PwnFox support with EvenBetter v1.5 and Caido's new passive workflows! 1. Download the PwnFox Support Workflow JSON file from 2. Within Caido, navigate to the Workflows page. 3. Import the downloaded file. 4. That's it! Your Caido

4

5

46

bebiks

@bebiksior

2 months

EvenBetter v2.2 is out! Changelog: - Drop all: Added "Drop all" button to the Intercept page. Thanks to @sw33tLie for the idea and code! - Bug fixes: Fixed issues with Caido v0.34.1

bebiks

@bebiksior

3 months

EvenBetter v2.1 is out!! Changelog: - Quick SSRF: Quickly create new SSRF testing instance and view interactions on the new sidebar page. Now supports `` and `` - Quick Decode Enhancement: You can now edit

2

13

82

2

7

43

bebiks

@bebiksior

4 months

This @CaidoIO release is 🔥 Here's an example of what you can do with it

Caido

@CaidoIO

4 months

🎨 New release: You can now customize the Caido UI with custom CSS and JS! We've also added column hiding and re-ordering in the Intercept, HTTP History, Search, and Sitemap tables. Plus, we've added a few community-requested shortcuts 🎉

4

14

94

1

38

bebiks

@bebiksior

2 months

EvenBetter v2.3 is out! … … 𝗘𝘃𝗲𝗻𝗕𝗲𝘁𝘁𝗲𝗿: 𝗘𝘅𝘁𝗲𝗻𝘀𝗶𝗼𝗻𝘀 is now available! 🎉 Now, EvenBetter should be installed through the new EvenBetterExtensions plugin. This will allow us to keep the main EvenBetter plugin

4

5

37

bebiks

@bebiksior

4 months

Just pushed a new update, check it out! :D - Implemented colors for HTTP History rows! If your HTTP request includes the parameter `_color=red`, its background will now be set to red. (it also supports other colors :D) - Resolved the Caido UI issue

bebiks

@bebiksior

4 months

This @CaidoIO release is 🔥 Here's an example of what you can do with it

1

38

5

2

37

bebiks

@bebiksior

1 year

Yay, I was awarded a $500 bounty on @Hacker0x01 ! #TogetherWeHitHarder

HackerOne profile - bebiks

¯\_(ツ)_/¯ - http://ssrf.cvssadvisor.com/

hackerone.com

0

35

bebiks

@bebiksior

9 months

Yay, I was awarded a $1,000 bounty on @Hacker0x01 ! TIP: monitor your target 🫡 #TogetherWeHitHarder

HackerOne profile - bebiks

¯\_(ツ)_/¯ - http://ssrf.cvssadvisor.com/

hackerone.com

3

1

34

bebiks

@bebiksior

6 months

@h4x0r_dz thanks! yup, got it. used PostgreSQL ASCII function with LEFT and RIGHT functions :D

3

2

34

bebiks

@bebiksior

2 months

@monkehack thanks for the shoutout! it means so much! I really enjoy creating tools for everyone. I hope y'all find them helpful : D if anyone has any tool ideas, feel free to DM me!

4

0

33

bebiks

@bebiksior

7 months

I'm curious about the community's perspective on this. Should I mediate for High severity? The potential attacker could: - view survey responses - emails - add new inputs (f.e. password)

publiclyDisclosed

@disclosedh1

7 months

HackerOne disclosed a bug submitted by @bebiksior : - Bounty: $2,500 #hackerone #bugbounty

19

21

165

10

0

32

bebiks

@bebiksior

9 months

@Hacker0x01 it was 2FA bypass: "key":"123456" -> 403 "key":"true" -> 403 "key":true -> 200 OK :-)

2

10

31

bebiks

@bebiksior

4 months

EvenBetter v1.4 is out! 🎉 Changelog: - Exporting/Importing Workflows: You can now share workflows with your team! - Added a popup if you are using an outdated EvenBetter version. - EvenBetter settings UI has been reworked once again. - Fixed EvenBetter issue in the latest

bebiks

@bebiksior

4 months

EvenBetter v1.3 is out! Changelog: - v1.3: [BETA] Exporting/Importing Scope Presets: You can now share your scope presets with your team by exporting and importing them. Note that while this feature is in BETA, it should mostly work well, though there might be some UI issues. -

2

17

1

3

30

bebiks

@bebiksior

11 months

We've got around 20 escalation techniques, most for XSS. You can contribute your ideas by clicking "Want to contribute?" I already added 5 new escalation techniques :-)

Justin Gardner

@Rhynorater

11 months

Last week @0xteknogeek mentioned on the pod that it would be cool to have a CVSS Calculator that helps you escalate your bugs. @bebiksior , an awesome member of the @ctbbpodcast community, built this: Check out it out and submit some escalations!

3

18

95

0

5

29

bebiks

@bebiksior

3 months

EvenBetter v1.7 is out! Changelog v1.7: New EvenBetter Library tab! Install workflows into your Caido project with a single click.

1

4

30

bebiks

@bebiksior

4 months

EvenBetter v1.5 released! Changelog v1.5: You can now highlight any row on HTTP History page! Simply right-click on any request and select Highlight row :D v1.5: Fixed some EvenBetter-specific bugs and overall stability. v1.5: Fixed the Import button on

bebiks

@bebiksior

4 months

Just pushed a small patch Changelog v1.41: Fixed issue with Colorize HTTP in the latest Caido release.

0

1

4

2

3

26

bebiks

@bebiksior

8 months

@gregxsunday I have my own highly customizable JS monitoring tool that uses to extract strings. To reduce noise, I don't monitor changes in plain JS files; instead, I extract strings and then monitor them.

2

22

bebiks

@bebiksior

4 months

EvenBetter is now compatible with PwnFox. You will have to use this slightly modified version of it: Also, I've added integration. Type `$ssrfinstance` within the request body in the Replay tab, and it will automatically be

GitHub - bebiksior/PwnFox-CaidoCompatible: PwnFox is a Firefox/Caido extension that provide usefull...

PwnFox is a Firefox/Caido extension that provide usefull tools for your security audit. - bebiksior/PwnFox-CaidoCompatible

github.com

bebiks

@bebiksior

4 months

Just pushed a new update, check it out! :D - Implemented colors for HTTP History rows! If your HTTP request includes the parameter `_color=red`, its background will now be set to red. (it also supports other colors :D) - Resolved the Caido UI issue

5

2

37

2

22

bebiks

@bebiksior

9 months

Yay, I was awarded a $1,750 bounty on @Hacker0x01 ! #TogetherWeHitHarder

HackerOne profile - bebiks

¯\_(ツ)_/¯ - http://ssrf.cvssadvisor.com/

hackerone.com

4

2

20

bebiks

@bebiksior

7 months

@BlankJinn @disclosedh1 thanks! i use my own tool for JS monitoring :-) check out @alex_vec blog post about monitoring JS files

Monitoring JavaScript files for bug hunting

Understanding JS Client-Side

alexvec.github.io

2

20

bebiks

@bebiksior

4 months

EvenBetter v1.2 has released! Check it out :D Even more themes! You can now choose the theme for your Caido UI and enable/disable some EvenBetter features. Themes in v1.2: - Even Darker - Caido Default - Gray - Ocean Blue - Solarized - Black Feel free to create even better

bebiks

@bebiksior

4 months

EvenBetter is now compatible with PwnFox. You will have to use this slightly modified version of it: Also, I've added integration. Type `$ssrfinstance` within the request body in the Replay tab, and it will automatically be

2

22

2

20

bebiks

@bebiksior

2 months

sw33tLie

@sw33tLie

2 months

👀 cc: @bebiksior #bugbounty

4

1

44

2

0

19

bebiks

@bebiksior

4 months

@CaidoIO just released passive workflows! 🎉 This update is awesome :D Now, you can use the original PwnFox with Caido passive workflows to colorize rows in the HTTP History tab. The upcoming EvenBetter update will replace the HTTP Colorize feature with a simple tutorial on

0

18

bebiks

@bebiksior

4 months

EvenBetter v1.3 is out! Changelog: - v1.3: [BETA] Exporting/Importing Scope Presets: You can now share your scope presets with your team by exporting and importing them. Note that while this feature is in BETA, it should mostly work well, though there might be some UI issues. -

bebiks

@bebiksior

4 months

EvenBetter v1.2 has released! Check it out :D Even more themes! You can now choose the theme for your Caido UI and enable/disable some EvenBetter features. Themes in v1.2: - Even Darker - Caido Default - Gray - Ocean Blue - Solarized - Black Feel free to create even better

2

20

2

17

bebiks

@bebiksior

8 months

disclosed :)

HackerOne disclosed on HackerOne: IDOR vulnerability in unreleased...

**Summary:** Hello HackerOne security team :-) For a while now I have been monitoring H1 js files. I've just noticed some new GraphQL queries about `HackerOne Copilot`. While this feature has not...

hackerone.com

2

17

bebiks

@bebiksior

11 months

@HusseiN98D I was also able to bypass ssrf whitelist filter using emojis although I can only send POST requests :-(( then I found a way to send GET request but only via https so I wasn't able to read cloud metadata :-(((

1

0

15

bebiks

@bebiksior

3 months

@ajxchapman @CaidoIO Check out EvenBetter, it improves some parts of Caido : D

GitHub - bebiksior/EvenBetter: EvenBetter is a frontend Caido plugin that makes the Caido experie...

EvenBetter is a frontend Caido plugin that makes the Caido experience even better 😎 - bebiksior/EvenBetter

github.com

2

1

14

bebiks

@bebiksior

3 months

Another great release! Cooking EvenBetter v2.1 :D

Caido

@CaidoIO

3 months

📝 Introducing "Findings" Release v0.34.0 is out with a new "Create Finding" workflow node. Flag interesting requests and make your own passive scanner rules, such as: - Source code disclosure - Software version disclosure - Credit card/email/IP disclosure

11

32

239

1

13

bebiks

@bebiksior

1 month

New EvenBetter releases! 🎉 EvenBetterExtensions v1.0 -> v1.1 EvenBetterAPI v1.1 -> v1.2 EvenBetter v2.3 -> v2.31 Changelog - Fixed compatibility issues with Caido v0.36.0 - Added Fira Code font to the font picker - Fixed issue: Prevent text formatting in the quick decode box

1

0

12

bebiks

@bebiksior

8 months

🎉

1

0

12

bebiks

@bebiksior

7 months

Absolutely recommend it! Great people and lots of cool stuff. Join in! 🫡

Justin Gardner

@Rhynorater

7 months

We launched the discord for @ctbbpodcast this morning - already a lot of good convos going on! Also, all the past pod guests are already in there, so hop in and get in on that conversation!

4

23

124

0

1

11

bebiks

@bebiksior

3 months

EvenBetter v1.6 released! 🎉 This update is focused on compatibility with the latest Caido release and improving code. Changelog: v1.6: Rearrange arrows now only appear on hover. Thanks to familiardisaster for contributing this improvement :D v1.6: Fixed Scope Share

bebiks

@bebiksior

4 months

EvenBetter v1.5 released! Changelog v1.5: You can now highlight any row on HTTP History page! Simply right-click on any request and select Highlight row :D v1.5: Fixed some EvenBetter-specific bugs and overall stability. v1.5: Fixed the Import button on

2

3

26

2

1

11

bebiks

@bebiksior

7 months

Huge thanks to @Rhynorater and @0xteknogeek for hosting the CTBB podcast, and a shoutout to @InsiderPhD for the videos that introduced me to API hacking!

1

10

bebiks

@bebiksior

7 months

@Rhynorater @0xteknogeek @InsiderPhD

1

10

bebiks

@bebiksior

7 months

Jump straight into SSRF testing without server setup trouble. Totally free. Full HTTP response control - modify the HTTP response to fit your test scenario. Great tool for those trickier SSRF challenges. Share your stories! ✌️

0

8

bebiks

@bebiksior

4 months

Is there anything you would like to see in EvenBetter? Let me know! :D

4

1

8

bebiks

@bebiksior

11 months

@alicanact60 @NahamSec @ajxchapman @shm0ul CONGRATS!!

0

bebiks

@bebiksior

23 days

@dmxjon @Hacker0x01 very simple IDOR : D

1

0

8

bebiks

@bebiksior

2 months

@H4cktus @Hacker0x01 @rez0__ Congrats!! I guess my report is a dupe haha

1

0

7

bebiks

@bebiksior

2 months

great episode!!

Critical Thinking - Bug Bounty Podcast

@ctbbpodcast

2 months

Episode (binary) 1000000 (64) is up! This week we're covering .NET Remoting, attacking CDNs (or websites VIA CDNs), and the psychology around attacking the main app. Enjoy!

1

7

43

1

0

7

bebiks

@bebiksior

3 months

Such a great update! EvenBetter update soon 🔜

Caido

@CaidoIO

3 months

🎉 v0.32.1 is out with a new shell node for passive workflows! Run bash/zsh/cmd/powershell commands when a request or response is intercepted. This was a highly requested feature following the release of passive workflows. More nodes will be included in the upcoming weeks.

4

17

123

1

0

7

bebiks

@bebiksior

7 months

@fattselimi @Hacker0x01 ✌️

1

0

6

bebiks

@bebiksior

7 months

@xnl_h4ck3r @ctbbpodcast @renniepak idea: add the "Show hidden elements" button to the right-click context menu

Chrome extension — How to use contextMenus API

Prerequisite: this project originates from the chrome extension — Notifications API

medium.com

2

0

7

bebiks

@bebiksior

1 month

@h4x0r_dz @Burp_Suite check out @CaidoIO . it's way better than burp

3

0

7

bebiks

@bebiksior

4 months

@nahuelrm_ Congrats man!

1

0

6

bebiks

@bebiksior

1 year

I love Burp Suite, but it sometimes feels really slow. We need custom extensions support on @CaidoIO & developers who will rewrite some extensioms like Autorize or GAP on Caido. #bugbounty #hackerone #bugcrowd

2

0

5

bebiks

@bebiksior

4 months

@0xdef1ant @Hacker0x01 🔥

1

0

5

bebiks

@bebiksior

4 months

@_0x999 @TomNomNom Great job, dude! Looks awesome. Are you planning a @CaidoIO version of it when they add the plugins system?

1

0

5

bebiks

@bebiksior

4 months

@ctbbpodcast Great episode!

1

0

5

bebiks

@bebiksior

7 months

🤔

3

1

5

bebiks

@bebiksior

6 months

@h4x0r_dz @CaidoIO i fully switched to Caido, it's great :D

1

0

5

bebiks

@bebiksior

3 years

0

1

5

bebiks

@bebiksior

4 months

GitHub - bebiksior/EvenBetter: EvenBetter is a frontend Caido plugin that makes the Caido experie...

EvenBetter is a frontend Caido plugin that makes the Caido experience even better 😎 - bebiksior/EvenBetter

github.com

0

4

bebiks

@bebiksior

1 year

@hakluke maybe this will help :-)

1

2

4

bebiks

@bebiksior

7 months

@njcve_

GitHub - pwnwriter/haylxon: ⚡ Blazing-fast tool to grab screenshots of your domain list right from...

⚡ Blazing-fast tool to grab screenshots of your domain list right from terminal. - GitHub - pwnwriter/haylxon: ⚡ Blazing-fast tool to grab screenshots of your domain list right from terminal.

github.com

0

2

4

bebiks

@bebiksior

3 months

Also, the TODO list for EvenBetter is now public at . If you'd like to request a feature or report a bug, please create a GitHub Issue :D

1

0

4

bebiks

@bebiksior

8 months

@hbenja_m my JS monitoring tool detected new link in one of chunk files :)

3

0

4

bebiks

@bebiksior

2 months

@rez0__ @monkehack I'm good, thanks, dude! your support by using the tools is all I need : D

0

4

bebiks

@bebiksior

7 months

great writeup!

0xrz

@omidxrz

7 months

I just published a write-up about an account takeover where I abused reverse proxy to hijack the OAuth Code.

19

156

527

0

4

bebiks

@bebiksior

4 months

Just pushed a small patch Changelog v1.41: Fixed issue with Colorize HTTP in the latest Caido release.

GitHub - bebiksior/EvenBetter: EvenBetter is a frontend Caido plugin that makes the Caido experie...

EvenBetter is a frontend Caido plugin that makes the Caido experience even better 😎 - bebiksior/EvenBetter

github.com

0

1

4

bebiks

@bebiksior

2 months

0

1

4

bebiks

@bebiksior

25 days

@NahamSec great video Ben, we needed this

0

4

bebiks

@bebiksior

1 year

Yay, I was awarded a $1,500 bounty on @Hacker0x01 ! Log4J CVE :) #TogetherWeHitHarder

HackerOne profile - bebiks

¯\_(ツ)_/¯ - http://ssrf.cvssadvisor.com/

hackerone.com

0

4

bebiks

@bebiksior

10 months

Just got back to using @trick3st and it's been super helpful! I can even manage some recon tasks from my phone now using their dashboard at . Give it a try! #bugbounty

0

2

3

bebiks

@bebiksior

4 months

@nav1n0x Congrats!

1

0

3

bebiks

@bebiksior

3 months

Just pushed v1.61. Fixed compatibility issues with EvenBetter v1.6 on Safari and Firefox browsers. Sorry for that!

0

3

bebiks

@bebiksior

29 days

@mikey96_bh Good luck!

0

3

bebiks

@bebiksior

6 months

@Rmyada1

bebiks

@bebiksior

6 months

While digging into a web app, I spotted a request with `&sort=DESC` in my proxy. It raised a flag since SQL can sort using `ORDER BY DESC`. Threw in a simple ', and the server threw a 500 Internal Server Error. Went deeper, and tried `DESC LIMIT 1 --` and got a single result.

11

25

253

0

3

bebiks

@bebiksior

3 years

@Ajronek Pog

0

3

bebiks