Bank offer IDOR Fix Bypassed: How I Accessed Unauthorized Offers and Secured a $10,000 Bounty — @bxmbn Summary: I discovered a new weakness in the offer retrieval functionality that allows an …

Picture a platform designed to handle sensitive documentation — think insurance claims or identity verification — turning into a goldmine…

Companies often provide various login methods for users to authenticate their accounts.

Over the past year, CSPT bugs have gained significant attention, with numerous blogs and disclosed reports highlighting their impact…

To provide users with a safer browsing experience, the IETF proposal named “Incrementally Better Cookies” set in motion a few important changes to address Cross-Site Request Forgery (CSRF) and other client-side issues. Soon after, Chrome and other major browsers…

Hi, amazing hackers! I hope you're doing well.In this article, I’ll share my learning process and experiences in finding multiple vulnerabilities in GraphQL APIs application.
In February, I started learning GraphQL API security using the book Black H...

Pentesting web applications thoroughly requires you to analyze their JavaScript. I’ve summarized my knowledge from 5 years of pentests into this blog post.

🚨 Just dropped Eye Of Ra on GitHub!
Track bug bounty programs across HackerOne, Bugcrowd(WIP), Intigriti(WIP) & YesWeHack(WIP) with live updates + Discord alerts 📡💥

Open source & ready to hunt
🔗 https://t.co/gtGFdZBzOt

#bugbounty #infosec #hackerone #bugcrowd…

When you use "Tagged Templates" (e.g, alert`123`), JavaScript passes something like this to the function:
alert(["123"])
NOTE: Since alert uses "toString" on the given parameter, it becomes ["123"].toString() and then "123".

Hello guys, today I’m gonna explain how I got IDOR and exploit it to make account takeover.

TL;DR I discovered a one-click account takeover vulnerability in a popular Indonesian Android app called Tokopedia . Th...

TL;DR