Hey everyone, Today I’m excited to share a bug I discovered in a Bugcrowd VDP target involving Facebook login — and it led to full account…

OneForAll是一款功能强大的子域收集工具. Contribute to shmilylty/OneForAll development by creating an account on GitHub.

Disclaimer: This article is intended for security professionals conducting authorized testing within the scope of a contract. The author is not responsible for any damage caused by the application of the provided information. The distribution of malicious…

# Summary
The `embedded_submission_form_uuid` parameter in the `/graphql` endpoint was vulnerable to a SQL injection. This allowed an attacker to extract information from the public and secure...

Contribute to orwagodfather/WordList development by creating an account on GitHub.

In the world of online security, even a small oversight can lead to significant vulnerabilities.

### Summary
Normally a client can't access /admin directory because of front nginx server which returns 403. But we can use X-Rewrite-Url or X-original-url because back server processes these...

We initially became interested in the __VSTATE parameter after reading this article by graanl which we saw after reading this article from The Record about an APT group exploiting how it works.
What is a ViewState?

A ViewState is a parameter that contains…

A Full Technical Autopsy of a Critical Authorization Failure in a Major Payment Gateway

Good day :)

I hope your doing as well as can be during these difficult times.

I have found xss at 2 endpoints:

https://www.hackerone.com/resources/

and

https://resources.hackerone.com

The...

## Summary:
Reflected cross-site noscripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

##...

## Summary:

This report is similar to [#1180653](https://hackerone.com/reports/1180653), except with different parameter injection entrypoint.

SMTP server password configuration setting accepts...

Jarijaas has 43 repositories available. Follow their code on GitHub.

In June, 2025, Shubs Shah and I discovered a vulnerability in the online poker website ClubWPT Gold which would have allowed an attacker to fully access the core back office application that is used for all administrative site functionality.

Between the period of July 6th to October 6th myself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked on the Apple bug bounty program.

Jackpot, full arbitrary account takeover of any chess.com user!