Logan Sec

262 posts

@LoganOpSec

⚡️ Breaking apps, building tools, sharing the journey 🔑 Bug bounty | Web security | Ethical hacking 🎯 Aiming for a pentesting job by 2026

Joined September 2025
21 Following · 48 Followers
Pinned Tweet
Logan Sec@LoganOpSec·
Hey #infosec 👋 I’m Logan, an aspiring penetration tester & bug bounty hunter. I’ll be sharing my journey, tools I build, and lessons I learn along the way. 🎯 Goal: Land a pentesting job by 2026. Follow along 🚀 #BugBounty #PenTest
Logan Sec@LoganOpSec·
@vuln_X This is exactly why IDOR testing shouldn’t stop at user_id=123. Test nested objects, arrays, duplicated keys, JSON type changes, and places where auth checks one value but the backend logic later trusts another. That mismatch is where the real bugs show up.
vulnX@vuln_X·
Bug Bounty tip 🧵 Don't just swap IDs — wrap them. ❌ {"Account": 1111} ✅ {"Account": {"Account": 3333}} Auth validates the outer key. Business logic executes the inner one. Scanners miss it. You won't. #BugBounty #IDOR #APIHacking
Logan Sec@LoganOpSec·
Most bug bounty hunters don’t quit because they’re dumb. They quit because they hunt alone, get buried in duplicates/informatives, and have nobody to help them figure out what’s signal vs noise. That’s the part people don’t talk about enough. #bugbounty
HackenProof@HackenProof·
@LoganOpSec At some point the tab has to close and the hunt has to start 😄
Logan Sec@LoganOpSec·
@gabbytech01 Appreciate it. Business logic is the category where “understanding the app” matters more than memorizing payloads. That’s also why I think AI helps, but doesn’t replace the manual reasoning side.
Gabriel Odusanya • WoTxOSec
Bug bounty hunters and Security Researchers, we would like to know: what is the hardest bug to find in a web application?
Logan Sec@LoganOpSec·
@teryanarmenn AI massively increases the odds of finding a bug, but defense still has to deal with the brutal part: coverage. Attackers only need one missed edge case. Defenders have to reason through the whole system, the assumptions between components, and the weird business logic.
Armen@teryanarmenn·
Here's what's happening with AI and security. Basically, AI makes it much easier to find a single bug in any given code base, 10-100x easier. It makes any given engineer ten times better at hacking, if not more. What it doesn't do is make it easier to find every single bug. There are still a few bugs that require manual work. The manual work takes a similar amount of time as it did before AI. Maybe you get a 10% to 20% efficiency gain, but not more. Now you got these people that realize, "Hey, AI has made me ten to a hundred times better at hacking." Why should security work take the same amount of time? Shouldn't it be half the time, 10% of the time? The reality is that you need a similar amount of time as pre-AI, because a researcher’s job is not to find one bug, it’s to find every single bug. That just takes the same amount of work as before. We don't have a system to find every single bug yet. So now we're in the most vulnerable time, since preventing a hack requires you to find every single bug. Hacking requires you to find one bug. Prevention has stayed the same difficulty, while hacking has gotten 10 to 100x easier. That's why all these protocols are getting hacked. Security is hard right now. It's the hardest it's ever been.
Logan Sec@LoganOpSec·
@rez0__ I disagree with you, people should agree with everything you say; like I do!
Joseph Thacker@rez0__·
When it comes to my tweets and also the pod, my goal is to bring you the truth and my opinion on things that are true. People don’t have to agree with me. And that doesn’t offend me. Discourse is good. That is all.
Logan Sec@LoganOpSec·
@Jalwan0x1 @Bugcrowd Congrats, can you walk me through how you found this Blind Stored XSS? I've been more heavily focusing on Client-Side Bugs recently.
Logan Sec@LoganOpSec·
@0xOmeiza @intigriti I do have a YouTube channel called LoganSec. I've never promoted it on X before tho.
Intigriti@intigriti·
🔁 Business logic vulnerabilities remain one of the most overlooked attack vectors! 🧐 Unlike most injection vulnerabilities that can be automated, logic flaws emerge from the gap between how developers expect systems to behave and how attackers can manipulate them! 🤠 Our comprehensive guide covers identifying and exploiting logic errors that can lead to broken access controls, injection attacks, and cryptographic bypasses! 😎 Read the full article today👇 intigriti.com/researchers/bl…
Logan Sec@LoganOpSec·
@payloadartist The only and best alternative is just recon scripts + manual hacking
payloadartist@payloadartist·
What's the next best alternative to Claude for hard core hacking?
Logan Sec@LoganOpSec·
Been going deeper into JS recon. Not just dumping endpoints. Reading the JS to understand routes, API paths, feature flags, role checks, and client-side validation. JS recon shows how the app thinks. Automation extracts. Manual logic finds bugs. #bugbounty #bugbountytips
Logan Sec@LoganOpSec·
@Itx_Shad0w Usually when I start hunting on a new target, the only real plan is to understand the app and take notes. After that I add more structure.
Shad0w@Itx_Shad0w·
No methodology. No Strategy. Just raw hunting.
Logan Sec@LoganOpSec·
@cvetanovv0 Biggest thing I’d add: don’t just “learn security” in theory. Pick real targets/labs, take notes, write reports, and build pattern recognition through reps. That’s where the skill actually starts compounding.
Dimitar Tsvetanov@cvetanovv0·
A lot of people ask me how to become a Security Researcher. Here are 4 steps you can take 👇
Logan Sec@LoganOpSec·
I reported a bug 2 days ago, result? It was a Dup, a hunter reported 2 minutes before me 😭 That is actually so funny. #bugbounty
HackenProof@HackenProof·
Continue the sentence: Bug Bounty isn't just a job, it's…
Logan Sec@LoganOpSec·
@Joyerz5 Me, manual hunting has become underrated lol. I had my super ai phase.
🔍mrro0o0tt@Joyerz5·
Who is hacking manually still?
Damians1.x@DamianS1·
@intigriti Take your time and log every byte—meticulous notes are a hunter's best friend. Don't let a 403 Forbidden dampen your spirits; stay locked in on your values and keep your hat as white as your terminal background. Ethics aren't just a suggestion—they're the code you live by!
Intigriti@intigriti·
Top hackers! Share 1 #bugbountytip with your fellow bug bounty beginners to help them submit more valid reports. Go! 👇