After a long day of trying and failing to find vulnerabilities on the Verizon Media bug bounty program I decided to call it quits and do some chores. I needed to buy gifts for a friends birthday and went online to order a Starbucks gift card.

👋 Hi, I’m Mehboob Khan, a Computer Science & Engineering graduate (2023). I’m obsessed with understanding how technology ticks and love bypassing logic to uncover hidden vulnerabilities. 🔍💻 As a…

What Is GraphQL API and how does it work? This article explains the common vulnerabilities and attacks on this type of system and security tips to secure APIs.

Time-Based Blind SQL Injection In GraphQL

The “sortc” parameter in the https://t.co/NrK100JSe5 endpoint was vulnerable to a SQL injection.

1) Login to the website.
2) Intercept the following request:
3) In the request body, add “OR SLEEP(20)” in sortc…

For the past few years, security research has been something I’ve done in my spare time. I know there are people that make a living off of bug bounty programs, but I’ve personally just spent a few hours here and there whenever I feel like it.

Browse guides written to help you with your bug bounty hunt. Learn various tips, tricks and techniques and begin finding more bugs

Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.