ars4c (@ars4c_)
bug Hunter / developer / htb
566 posts · Joined March 2025 · 127 Following · 11 Followers
ars4c reposted
0xSabir (@0xSabir):
IDOR via JSON Arrays: If {"id": 123} is protected, try {"id": [123, 456]}. Some backends will process the second ID in the array without checking the authorization of the first.
1 reply · 13 reposts · 120 likes · 3.2K views
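The pattern described in the post above, as an added example that is not part of the original tweet: a handler that authorises the JSON `id` as a single value and then loads everything the value contains, beside a version that validates the type first and authorises every id it will act on. The ownership table, user names and handler shape are constructed for illustration.

```python
"""Added example: type-confused `id` in a JSON body and per-id authorization."""
import json

# Constructed ownership table: document id -> owning user.
OWNERS = {123: "alice", 456: "bob"}


def _as_list(value):
    """Treat a scalar and a list uniformly so the loader below works for both."""
    return value if isinstance(value, list) else [value]


def handle_vulnerable(body: str, user: str) -> tuple:
    """Authorises `id` as if it were one value, then loads everything in it.

    With {"id": [123, 456]} the check only ever sees 123 (alice's document),
    so bob's 456 is returned to alice as well. Returns (status, payload).
    """
    ids = json.loads(body)["id"]
    check = ids[0] if isinstance(ids, list) else ids   # the bug: one check for N ids
    if OWNERS.get(check) != user:
        return 403, "forbidden"
    return 200, [f"doc-{i}" for i in _as_list(ids)]


def handle_fixed(body: str, user: str) -> tuple:
    """Validates the shape of `id` first, then authorises each id that will be loaded."""
    raw = json.loads(body).get("id")
    ids = _as_list(raw)
    # bool is a subclass of int in Python, so `type(i) is int` also rejects true/false.
    if not ids or not all(type(i) is int for i in ids):
        return 400, "id must be an integer or a non-empty list of integers"
    denied = [i for i in ids if OWNERS.get(i) != user]
    if denied:
        return 403, "forbidden"
    return 200, [f"doc-{i}" for i in ids]


if __name__ == "__main__":
    # alice smuggles bob's 456 past the single check in the vulnerable handler
    print(handle_vulnerable('{"id": [123, 456]}', "alice"))
    print(handle_fixed('{"id": [123, 456]}', "alice"))
```

The fix is the ordering: normalise to the list you will actually act on, reject anything that is not the expected type, and only then run the ownership check over every element. A scalar-only check placed before the normalisation is exactly what the array trick bypasses.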
ars4c reposted
Godfather Orwa 🇯🇴 (@GodfatherOrwa):
Lots of web apps that are built by AI have .md files, and mostly 🔥, so for any app you test (JSP / PHP / ASP), add these extensions for fuzzing:
ffuf -w /wordlist -u .com/FUZZ -e .md,.db,.txt,.xml,.sql,.7z,.zip,.tar.gz,.env
It will take some time, but it will come back with very good results ♥
9 replies · 72 reposts · 512 likes · 13.5K views
ars4c reposted
André Baptista (@0xacb):
Found an IDOR vulnerability but the IDs are UUIDs? Don't drop the report yet.
1️⃣ Find leaked UUIDs
- Use a tool like gau/waybackurl to dump URLs from that target, see if any valid UUIDs are leaked in the URLs and try them (be careful with write/delete operations ⚠️)
- Search more sources, like GitHub, Postman public workspaces, GitLab snippets, Pastebin etc. for leaked UUIDs
2️⃣ Find a UUID oracle
- Search for your UUID in proxy responses, look around the app functionality to see if the UUIDs might be leaked in some other way, things like search, autocomplete, user lookup, mentions...
- Investigate collaboration features like "share" or "invite". These features may reveal the other user's UUID.
- Check old API versions (/api/v1/*, /api/1.1/*)
If these don't work, keep digging, think weird.
3 replies · 32 reposts · 209 likes · 8.5K views
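Step 1️⃣ of the post above, as an added example that is not part of the original tweet: pull candidate UUIDs out of a URL dump (the kind of output gau or waybackurls produce), validate them against the RFC 4122 layout so random hex does not pollute the list, and record which UUIDs are version 1. This goes slightly beyond the tweet: a v1 UUID embeds a timestamp and a node identifier, so if a target uses them, neighbouring IDs may be guessable rather than only harvestable. The sample URL lines below are constructed; the hostname is a placeholder.

```python
"""Added example: harvest and classify UUIDs from a list of URLs."""
import re
from uuid import UUID, RFC_4122

# Matches the textual 8-4-4-4-12 layout; validity is checked separately below.
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Constructed sample input standing in for `gau target | sort -u` output.
SAMPLE_URLS = """
https://app.example.com/api/v1/users/8f14e45f-ceea-467a-9575-62a4a4aa4d9c/profile
https://app.example.com/api/v1/users/8f14e45f-ceea-467a-9575-62a4a4aa4d9c/avatar
https://app.example.com/share?doc=6ba7b810-9dad-11d1-80b4-00c04fd430c8
https://app.example.com/static/app.js?v=00000000-0000-0000-0000-000000000000
https://app.example.com/search?q=admin
""".strip().splitlines()


def harvest_uuids(lines):
    """Return {uuid: {"version": n, "node": hex-or-None, "sources": [lines]}}.

    Only UUIDs whose variant bits say RFC 4122 are kept, which drops the nil
    UUID and arbitrary hex that merely looks like one. For v1 UUIDs the node
    field (often a MAC address) is recorded because it hints at predictability.
    """
    found = {}
    for line in lines:
        line = line.strip()
        for match in UUID_RE.finditer(line):
            text = match.group(0).lower()
            u = UUID(text)
            if u.variant != RFC_4122:
                continue
            entry = found.setdefault(
                text,
                {
                    "version": u.version,
                    "node": format(u.node, "012x") if u.version == 1 else None,
                    "sources": [],
                },
            )
            if line not in entry["sources"]:
                entry["sources"].append(line)
    return found


def time_based(found):
    """UUIDs worth probing first: v1 values, whose timestamp/node structure
    makes nearby identifiers enumerable rather than only guessable."""
    return sorted(k for k, v in found.items() if v["version"] == 1)


if __name__ == "__main__":
    result = harvest_uuids(SAMPLE_URLS)
    for k, v in result.items():
        print(k, "v%s" % v["version"], v["node"], len(v["sources"]), "url(s)")
    print("time-based:", time_based(result))
```

Feed real dumps in with `harvest_uuids(open("urls.txt"))`. Anything that comes out is a candidate to try in the IDOR endpoint; as the tweet notes, stick to read-only operations when testing with someone else's identifier.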
Surendar (@Surendar__05):
As a developer, which one do you prefer? Windows or Macbook
(2 images)
85 replies · 2 reposts · 180 likes · 8.8K views
IT Guy (@T3chFalcon):
IT people listening to Non-IT people talk about computers.
(image)
91 replies · 945 reposts · 9.9K likes · 218K views
ars4c reposted
TANSTACK (@tan_stack):
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…
Credit to the security researcher for responsible disclosure.
136 replies · 981 reposts · 3.9K likes · 3.9M views
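The detection section of the advisory above, turned into a local check. This is an added example, not TanStack's or npm's own tooling: it walks a node_modules tree and flags any package manifest carrying the `@tanstack/setup` optionalDependency the advisory quotes, and separately notes a `router_init.js` sitting at the package root. The fixture it builds is constructed (placeholder package names, a dummy commit hash, an empty placeholder file); the advisory's truncated hash is not reproduced.

```python
"""Added example: scan node_modules for the indicators named in the advisory."""
import json
import os
import tempfile
from typing import Optional

MARKER_DEP = "@tanstack/setup"                 # key quoted in the advisory
MARKER_SPEC_PREFIX = "github:tanstack/router#"  # git-resolved spec prefix quoted there
PAYLOAD_FILE = "router_init.js"                 # file reported at the package root


def manifest_indicators(manifest: dict, pkg_dir: Optional[str] = None) -> list:
    """Return human-readable indicator strings for one package.json (and its dir)."""
    hits = []
    optional = manifest.get("optionalDependencies") or {}
    if MARKER_DEP in optional:
        spec = optional[MARKER_DEP]
        note = "" if str(spec).startswith(MARKER_SPEC_PREFIX) else " (unexpected spec)"
        hits.append(f'optionalDependencies["{MARKER_DEP}"] = {spec}{note}')
    if pkg_dir and os.path.isfile(os.path.join(pkg_dir, PAYLOAD_FILE)):
        hits.append(f"{PAYLOAD_FILE} present at package root")
    return hits


def scan_node_modules(root: str) -> dict:
    """Walk `root` and map 'name@version' -> indicators for every flagged manifest."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: not our concern here
        hits = manifest_indicators(manifest, dirpath)
        if hits:
            key = f"{manifest.get('name', dirpath)}@{manifest.get('version', '?')}"
            findings[key] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: one clean package and one carrying both indicators."""
    root = tempfile.mkdtemp()

    def write(name, version, extra=None, payload=False):
        pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(pkg_dir)
        manifest = {"name": name, "version": version, **(extra or {})}
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        if payload:
            with open(os.path.join(pkg_dir, PAYLOAD_FILE), "w", encoding="utf-8") as f:
                f.write("// constructed placeholder, not the real payload\n")

    write("@tanstack/clean-example", "1.0.0")
    write("@tanstack/bad-example", "1.0.1",
          {"optionalDependencies": {MARKER_DEP: MARKER_SPEC_PREFIX + "0000000"}},
          payload=True)
    return root


if __name__ == "__main__":
    for pkg, hits in scan_node_modules(build_sample_tree()).items():
        print(pkg)
        for h in hits:
            print("  -", h)
```

Run `scan_node_modules("node_modules")` in each affected project and on any CI runner that installed during the window. A hit on the manifest indicator means the package version itself is bad; the file indicator on its own is weaker (a package could legitimately ship a file of that name), so act on the manifest key first and then follow the rotation steps the advisory lists.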
ars4c (@ars4c_):
@brandon_shi and after doing the hard part, you get "duplicated" :)
0 replies · 0 reposts · 0 likes · 75 views
BRDNS (@brandon_shi):
bruh doing bug bounty is hard
25 replies · 14 reposts · 318 likes · 16.4K views
ars4c reposted
Nicolas Krassas (@Dinosn):
Claude Code skill for AI-assisted bug bounty hunting - recon, IDOR, XSS, SSRF, OAuth, GraphQL, LLM injection, and report generation github.com/shuvonsec/clau…
8 replies · 168 reposts · 716 likes · 43.1K views
Edison (@CodeEdison):
As a dev, what do you prefer for frontend?
(4 images)
58 replies · 9 reposts · 154 likes · 16.3K views
Ray🫧 (@ravikiran_dev7):
Be honest, as a developer, which code editor is worth it in 2026?
(4 images)
206 replies · 5 reposts · 254 likes · 61.1K views
ars4c reposted
Dmitrii Kovanikov (@ChShersh):
I'm 32. I've been programming for 16 years. AMA
265 replies · 17 reposts · 706 likes · 84.8K views
TheStandupPod (@thestanduppod):
Divorcing Windows
71 replies · 197 reposts · 2K likes · 37.7K views
ars4c reposted
ThePrimeagen (@ThePrimeagen):
This
(image)
234 replies · 947 reposts · 12.8K likes · 423.4K views