Want to know how I discovered this vector? Read the blog...

https://t.co/RAKpV7hSes

TL;DR I discovered a one-click account takeover vulnerability in a popular Indonesian Android app called Tokopedia . Th...

Discover how a security loophole in Instagram's oEmbed feature enabled unauthorized access to private posts. Journey from BountyCon(Edu) to the vulnerability's discovery, exploitation, and resolution.

TL;DR

In Python, if dirty Arbitrary File Write (AFW) vulnerability exists in the application, it is possible to gain RCE via writing shared object files or overwriting bytecode files. It can be very powerful if you can only write files into the source code's directory…

Just found an interesting behavior in Firefox that can be used for XSS:
If a response lacks the Content-Type header, Firefox renders it as text/plain.
But if the URL ends with an extension like .html, Firefox treats it as that.
#bugbounty #bugbountytips

In every response, there is usually a response header called Content-Type that tells the browser the MIME type of the response, such as text/html or application/json.

Bypassing Source Check on postMessage to Achieve XSS While hunting on a bug bounty program, I found a page with an onmessage tracker handling cross-origin communication via the postMessage API. The…

Welcome to NahamCon 2025 — Live Stream

🗓️ May 21–22
🌐 100% Virtual & Free
📍 Streaming right here on YouTube + Twitch.tv/NahamSec

NahamCon is a two-day security conference bringing together hackers, researchers, and builders from around the world. Tune in…