X0Dzeko
@X0Dzeko
2.8K posts
Joined April 2024
881 Following · 45 Followers
X0Dzeko reposted
Faiyaz Ahmad @thehacktivator
What if I told you that a seemingly secure endpoint returning 403 Forbidden could still expose another user's data? In my latest video, I demonstrate a lesser-known IDOR bypass technique that can sometimes slip past authorization mitigations implemented by developers. You'll see:
• A practical exploitation demo
• Why the mitigation fails
• A source code walkthrough
• The underlying security concepts behind the issue
• How developers can properly fix it
One of the biggest mistakes in web application security is assuming that a blocked request automatically means the underlying authorization logic is secure. This video shows why that's not always the case. Watch here: youtu.be/lUqj1ekvf1E
X0Dzeko reposted
encodedguy - jsmon.sh @3nc0d3dGuY
🚨Bug bounty hunters - radar.jsmon.sh is live! Free Vertical Reconnaissance on any target. Headers, JS files, endpoints, secrets, GraphQL operations, parameters, cloud assets, all in one place. Retweet to share it with the security community!
X0Dzeko reposted
shaimaa hafez @shimaah42
There was a guy with me at work, honestly every word he said was a joke, every word he said made us laugh. He was so funny that he really never stopped making us laugh. I remember once he came in for the shift and I found him telling me, "I want to tell you something." I said, "Go ahead." He said, "Yesterday I was diagnosed with depression."
X0Dzeko reposted
Het Mehta @hetmehtaa
Someone made a website that discloses every scam done by a bug bounty program bugbountyscam.com
X0Dzeko reposted
Cyber Detective💙💛 @cyb_detective
DARKWEB & DATA BREACH OSINT: Tor, I2P, FreeNet and other platforms; clearnet and onion search engines; how to scrape the dark web; dark web news; tutorials, websites and blogs. start.me/p/xjvDyJ/dark-…
bugcrowd @Bugcrowd
If your hands are full of PoCs, payloads, and half-finished writeups… Ours are full of Bugcrowd swag for you 🎁🧡 Tag a hacker who’s been working hard lately. We’ll randomly pick two of you to each win a Bugcrowd t-shirt!
X0Dzeko reposted
YesWeHack ⠵ @yeswehack
LLMs are becoming integral to #BugBounty workflows – but without real human expertise, the result is just AI slop 🗑️ Our latest guide covers agentic CLIs, MCP servers and why manual PoC validation is still non-negotiable 👇 yeswehack.com/learn-bug-boun…
X0Dzeko reposted
obscaries ❘ AppSec @obscaries
🕵️‍♂️ graphql-cop: Automated Security Auditing for GraphQL APIs
I came across graphql-cop, a Python 🐍 tool that automatically tests GraphQL endpoints for common vulnerabilities. It helps security researchers quickly identify misconfigurations without manually crafting attack queries.
🔍 What it detects:
🧠 Introspection exposure (schema leaks)
⚡ Alias overloading & batching abuse (DoS vectors)
🐛 Debug/tracing modes left enabled
🌐 GET-based query execution (CSRF risks)
💡 Field suggestion leaks & misconfigurations
For bug bounty hunters 🏴‍☠️ and pentesters, tools like this provide a fast baseline of GraphQL-specific attack surfaces. But remember—automated scanning is just the first step. The real impact comes from manual testing of authorization logic, query complexity, and business logic flaws 🎯
📦 Source: github.com/dolevf/graphql…
#BugBounty #GraphQL #APIsecurity #AppSec #InfoSec
X0Dzeko reposted
HackProve @hackprove_
🧠 Bug Bounty in 2025: Hunting Business Logic Flaws the Right Way medium.com/@kailasv678/bug-bounty-in-2025-hunting-business-logic-flaws-the-right-way-614aba550f7b
X0Dzeko reposted
HackProve @hackprove_
My First 150 Days Bug Bounty Hunting medium.com/@YourFinalSin/my-first-150-days-bug-bounty-hunting-034623c89836
X0Dzeko reposted
obscaries ❘ AppSec @obscaries
🚨 SSRF in Next.js Apps – Interesting Research
If you're testing modern web apps, this is a great read from Assetnote on how SSRF can appear in Next.js applications.
Key attack surfaces they discuss:
🔹 /_next/image endpoint
🔹 Redirect-based bypass tricks
🔹 Server Actions behavior
🔹 Host header manipulation
Modern frameworks = new bug hunting opportunities. 🕵️‍♂️
🔗 assetnote.io/resources/rese…
#BugBounty #AppSec #WebSecurity #NextJS #SSRF
X0Dzeko reposted
HackProve @hackprove_
Google Dorks for Bug Bounty Hunting: 25 Powerful Dorks to Find Exposed PDFs, NDAs, and Signatures medium.com/@hackersatty/google-dorks-for-bug-bounty-hunting-25-powerful-dorks-to-find-exposed-pdfs-ndas-and-signatures-cf8c54e19189