The video effectively demonstrates how AI significantly lowers the barrier for identifying critical flaws like Host Header Poisoning, making rapid exploitation more accessible than ever. It serves as a stark warning for developers to never trust user-controlled headers in sensitive workflows like password resets.
How I Hacked A REAL Website With DeepSeek In 8 Minutes
GAME HACKING COURSE 👉 https://deadoverflow.gumroad.com/l/ultimate-game-hacking-course/50000 BUG BOUNTY COURSE 👉 https://deadoverflow.gumroad.com/l/mastering-cybersecurity-course/50000 All demonstrations are intended solely for lawful, ethical, and defensive use. The creator assumes no liability for actions viewers take; attempting to replicate any activity on systems without authorization is illegal and may result in criminal or civil penalties. Use the information responsibly and obtain explicit permission before testing. ANDROID HACKING COURSE 👉 https://deadoverflow.gumroad.com/l/ultimate-android-api-hacking-course/LIMITED Aveno 👉 https://aveno.online Merch 👕 https://deadoverflow-shop.fourthwall.com/ Get your business protected 👉 https://leapsecurity.online 2ND YOUTUBE: https://www.youtube.com/watch?v=-YD3l2RQ8T8 🌐 Make sure to follow me on socials! https://instagram.com/deadoverflow/ https://medium.com/@deadoverflow 📢 Make sure to also join my discord server as well! https://discord.com/invite/yh2TqTJ9zN
Check this out. I recently, or 3 days ago, reported a vulnerability which DeepSeek, believe it or not, helped me find. This is the actual chat. I can't really show too much of it because here I disclose the name of this program, but either way, it was rewarded with $800 for this issue, and it took me around 8 minutes to find. So, in today's video, we're going to go over what this issue was, how you can find it as well, and I'm going to explain how it worked.
We're not really going to talk too much about DeepSeek for this video because I seem to see you guys dislike AI, and honestly, it is kind of scary.
So, we're just going to go briefly over this and explain in detail what's going on on this website. Hello everybody, and welcome back to a brand new DeadOverflow video. If you're new here, this is the first impression of me. I'm very sorry, but a lot of these tech YouTubers and a lot of the people in the cybersecurity space tend to be monotone when they're recording the videos. I dislike that. I despise it. I just want to bring the good energy. So, if you could bring also good energy, please click subscribe. You're very welcome here. I do a lot of cybersecurity content, so I think you're going to like it. We do basically anything from how hackers technically get anything for free to how hackers bypass input validation. Everything is on my channel.
I think you're going to love all these videos. Now, uh yeah, without further ado, like today's video, comment down below something. Try to make me not answer your comment because I'll be answering everyone's comment, and the person who doesn't get a reply from me gets a free back massage. So, let's go with the video. Bravo. But before we get started with the video, if you want to be a person sending me videos like these, this is this has been sent to me from one of my students. Uh this is a cheat he made, and if you want to make cheats like these, then check out my course. It is currently in the description box below. It's currently also on 80% discount, so I think it's definitely worth checking it out. And I'm so confident that you're going to love this, and I'm so confident that you're going to enjoy this, I actually gave away the offset for the local player array on the front page of the course. You can basically check this out, copy the offset, verify yourself.
As you can see on the screen, this is the memory list, or an array of players currently in the memory. The player pawn represents a player. So, I think it's really cool. Check it out. I also have a bug bounty course, if you're interested, as somebody who has found Windows remote code execution vulnerability. It's also in the description. It's also in discounts.
Now, let's go with the video.
Oy. So, um I'm out of breath. I'm sorry.
I don't know what's going on with me.
I'm so out of shape that I'm out of breath.
I'm just kidding. So, basically, this was essentially the vulnerability. And now, a lot of people are going to be like, "Oh, this is the dumbest [ __ ] bro." But, I showed you that it earned money, so it works. If it works, it works. So, this is the basic password reset poisoning. You might have read the title from the report, so I'm just going to basically roll with it.
So, when I first came on the website, I was shocked to see how simple it was. It wasn't Actually, this seems more complicated than that website. I basically wanted to leave it, but either way, I'm dropping too much knowledge on there what the website was. So, basically, you land on the website I had DeepSeek opened, and I told him I'm doing bug bounty. And thank god DeepSeek has no filters, because DeepSeek can just basically go in there and solve the whole thing. So, of course, I was explaining what to do, and I told him, "This is This is the website I'm trying to, you know, find bug on." And I always like to go for password resets.
That was essentially why this was a very quick one. And why DeepSeek also didn't have any trouble looking for somewhere else. I basically pinpointed, "Hey, we're just looking for password reset issues." So, essentially, this right over here is my email client, and this is my email. So, we can just essentially just copy this over here and click it, paste it here, and click submit. And now, we requested a password reset for our accounts. We can hit refresh here, and there we go. Hello, please follow the link below to reset your password. And that's the link. Thanks, support team.
So, basically, this was essentially the exact same functionality every single website uses it, but there was a big problem on this.
And DeepSeek helped me find it. So, basically, I asked DeepSeek what the vulnerability should be there. "Can you please let me know what can arise from this?" And I was hoping to make a video out of it. So, that's why I went with DeepSeek. Otherwise, I do it without AI. I'm sorry. So, he told me about host header poisoning.
And that is a very interesting one. See, let me actually capture the request here before I show you any before I go any further. Let's go back. I have to turn on the FoxyProxy. And I believe I have to refresh the page before I do this because the CSRF token might be invalid.
So, let me paste in the email again.
Click submit. And now I'm just going to disable the FoxyProxy. I'm going to go back to the Burp Suite to HTTP history and just look for the POST request. There it is. So, that's the one which was basically submitting my email to the server.
Send that to Repeater. And there we go.
So, this is it. All right. So, this is essentially the request. You can click send and there it was. So, AI told me about host header poisoning. And I was like, "Okay, let me try that out." And believe it or not, that was a vulnerability. So, if that's my email, you can put also your username. It doesn't matter. You can also click here.
I tried to put like just a two. I added like a two to the domain name from the host header. And I clicked send. And of course, I received a 200. I was like, "What the flip?" Uh I'm sorry.
2016 In or 2016 is in me still. And I refreshed my email client on Gmail. And I saw "Wow, there is the two." So, that means my my stuff can end up here. Right. So, you might be wondering, "Why is this so bad?" Well, let me explain this to you.
This is the access log for the exploit server. And let's say this is something I own. So, this is the my exploit server. And you can copy this, right?
And this is the thing. You can actually paste in this header here completely all together like this and click send. And it will give you 200. Wow. Why did Why did this fire up? Anyways, that's the cheat for CS 2. I'm sorry. So, you saw it briefly. And if I refresh my email client now, you can see that this actually includes the exploit link. And if you open this now, as you can see, nothing happens. It just says resource not found because this is not valid. But over here in the logs, you can quite literally see that this is your token.
So, this is how you can technically reset anyone's password, but they have to open the link. So, how would this exactly work is very simple. You need to essentially request a password reset for the victim. And the victim in this case is Carlos. So, let me just do that really quickly. So, Carlos is the victim's username. And we can just click send. And we see a 200 with the exploit server being the host header.
And we can refresh this, right? And there it is. We actually see because the victim opened it because the victim is a brain-dead human being. I don't know.
Okay, I'm being too harsh, but either way. So, you now you can paste this in, right? You can click enter.
Uh not found because there is two slashes. So, you just have to be one.
Boom. Now, let's put the password 1 2 3 4. 1 2 3 4. Click that. Submitting.
So, no thanks. Go back to the account.
And now log in as Carlos with 1 2 3 4 password. And there we go. We just hacked this account. Oh my god, it's so annoying. So, this was the vulnerability. And thanks to DeepSeek, or basically I could have found this myself probably, but DeepSeek was also there to help me out. So, I think if you have no idea what hacking is, what bug bounty is, what cybersecurity research is at all, you aren't even a developer, I think AI is a great start to learn all of this. Of course, you're not going to be able to find a bug within the first month, but either way, it's definitely going to be super easy for you to just understand what you're doing because AI can explain this as if you were like a baby.
And if you go to HackerOne overview, you can find many vulnerabilities here and essentially read what people have written. And most of them are resolved.
Some of them are informative. The non-applicable one mean that this is [ __ ] just forget about it. Uh duplicates are also good. So, you can essentially just go ahead, read about this here, understand what the issue is, and okay, I do sell a course for how to get started with bug bounty, but I have to tell you that you can do all of that for free. But, if you want to save time, you can buy it, of course. It is in the description. But, bear in mind that you can do all of this for free. It's just takes some time for you to navigate through. I've done it for free, so you can do it, too. But, if you want to save time, of course, there are courses like mine. So, either way, I hope this video was informative enough for you to understand, and hopefully some of you who have been thinking about getting in bug bounty, but are are afraid to make a move, now it's your time because I can actually definitely help you out and be your personal teacher after all. So, yeah.
Thank you so much for watching this little silly video. Hope you're going to subscribe to this channel.
Uh I hope you're well. I hope you're safe. I hope you're healthy. And, as always, peace. But, make sure to be staying responsible. That's the most important thing. So, peace.
Meow, meow, meow, meow.
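
The server-side fix for the password reset poisoning walked through in the transcript, as an added example that is not from the video or from the affected site's code: the flawed link builder that trusts the `Host` header next to a hardened handler that validates the header against an allow-list and builds the link only from configuration. The host names, the `/reset` path and all function names are assumptions made for illustration.

```python
import re

# Assumed deployment settings (hypothetical values, not from the video).
CANONICAL_BASE_URL = "https://app.example.test"
ALLOWED_HOSTS = {"app.example.test"}

# A Host header is a host name with an optional numeric port, nothing else.
_HOST_RE = re.compile(r"([a-z0-9.-]+)(?::\d{1,5})?")


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Flawed pattern: the e-mailed link takes its domain from the request.

    Whoever sends the reset request controls where the victim's token
    is delivered once the link is opened.
    """
    return f"https://{headers.get('Host', '')}/reset?token={token}"


def reset_link_hardened(token: str) -> str:
    """The link's origin comes from server configuration only."""
    return f"{CANONICAL_BASE_URL}/reset?token={token}"


def host_is_allowed(headers: dict) -> bool:
    """Accept only Host values this deployment actually serves."""
    match = _HOST_RE.fullmatch(headers.get("Host", "").strip().lower())
    return bool(match) and match.group(1) in ALLOWED_HOSTS


def handle_reset_request(headers: dict, token: str):
    """Return (status, link). A tampered Host gets 400 and no mail is sent."""
    if not host_is_allowed(headers):
        return 400, None
    return 200, reset_link_hardened(token)


if __name__ == "__main__":
    # Constructed sample requests: a legitimate Host and two tampered ones.
    for host in ("app.example.test", "app.example.test2", "other.example.test"):
        print(host, handle_reset_request({"Host": host}, "sample-token"))
```

A 200 response to a modified `Host` value on the reset endpoint, as described in the transcript, is the signal to look for in testing; with the allow-list in place the same request is rejected before any e-mail is generated.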