vulnX (@vuln_X)

961 posts

Not just hunting bugs — sharing the map. 🗺️ Daily appsec resources, bug bounty tips, tools & writeups to level up your security game 🕵️‍♂️ @vuln_X

Joined February 2021
281 Following · 7.3K Followers
Logan Sec (@LoganOpSec):
@vuln_X This is exactly why IDOR testing shouldn’t stop at user_id=123. Test nested objects, arrays, duplicated keys, JSON type changes, and places where auth checks one value but the backend logic later trusts another. That mismatch is where the real bugs show up.
Replies 1 · Reposts 0 · Likes 1 · Views 103
vulnX (@vuln_X):
Bug Bounty tip 🧵 Don't just swap IDs — wrap them.
❌ {"Account": 1111}
✅ {"Account": {"Account": 3333}}
Auth validates the outer key. Business logic executes the inner one. Scanners miss it. You won't. #BugBounty #IDOR #APIHacking
Replies 1 · Reposts 29 · Likes 159 · Views 4.5K
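Worked example of the mismatch the two posts above describe (added here; this is not code from @vuln_X or @LoganOpSec): an authorization gate that checks the outer `Account` value, a tolerant business layer that unwraps nested objects, arrays, numeric strings and duplicate keys, and a hardened handler that resolves the id once and uses that same value for both the check and the action. Account numbers, payloads and function names are constructed.

```python
"""Added example for the two IDOR posts above: one gate validates the outer
Account value, a tolerant business layer resolves the inner one, and the two
disagree. Account numbers, payloads and function names are constructed."""
import json
from typing import Any, Callable, Optional

ATTACKER_ACCOUNT = 1111   # constructed: the tester's own account
VICTIM_ACCOUNT = 3333     # constructed: someone else's account


def parse_last_wins(raw: str) -> dict:
    """Plain json.loads: on duplicate keys the last value wins."""
    return json.loads(raw)


def parse_first_wins(raw: str) -> dict:
    """Some gateway/WAF parsers keep the FIRST duplicate instead."""
    return json.loads(raw, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def parse_strict(raw: str) -> dict:
    """Hardened parser: a duplicate key is an error, not a choice."""
    def reject_duplicates(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                raise ValueError(f"duplicate key {key!r}")
            seen[key] = value
        return seen
    return json.loads(raw, object_pairs_hook=reject_duplicates)


def unwrap_account(value: Any) -> Optional[int]:
    """Tolerant normaliser typical of business code: unwraps {"Account": ...},
    takes the first element of a list, accepts numeric strings."""
    while True:
        if isinstance(value, dict) and "Account" in value:
            value = value["Account"]
        elif isinstance(value, list) and value:
            value = value[0]
        else:
            break
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return None


def authz_vulnerable(body: dict, user: int) -> bool:
    """Gate compares the outer value, but only when it has the expected type;
    a dict, list or string falls through (fail-open on JSON type change)."""
    acct = body.get("Account")
    if isinstance(acct, int) and not isinstance(acct, bool):
        return acct == user
    return True


def handle_vulnerable(raw: str, user: int) -> Optional[int]:
    """Gateway parses (first-wins) and checks; backend re-parses (last-wins)
    and unwraps. Returns the account acted on, or None when denied."""
    if not authz_vulnerable(parse_first_wins(raw), user):
        return None
    return unwrap_account(parse_last_wins(raw).get("Account"))


def handle_hardened(raw: str, user: int) -> Optional[int]:
    """Parse once and strictly, resolve the id once, and let the SAME resolved
    value be both checked and used."""
    try:
        body = parse_strict(raw)
    except ValueError:
        return None
    acct = body.get("Account")
    if not isinstance(acct, int) or isinstance(acct, bool):
        return None        # a type change is a rejection, not a skipped check
    return acct if acct == user else None


PAYLOADS = {   # constructed request bodies
    "own_account": '{"Account": 1111}',
    "plain_swap":  '{"Account": 3333}',
    "wrapped":     '{"Account": {"Account": 3333}}',
    "array":       '{"Account": [3333]}',
    "string":      '{"Account": "3333"}',
    "dup_keys":    '{"Account": 1111, "Account": 3333}',
}


def run_all(handler: Callable[[str, int], Optional[int]]) -> dict[str, Optional[int]]:
    """Run every payload as the attacker; value is the account the handler acts on."""
    return {name: handler(raw, ATTACKER_ACCOUNT) for name, raw in PAYLOADS.items()}


if __name__ == "__main__":
    print("vulnerable:", run_all(handle_vulnerable))
    print("hardened:  ", run_all(handle_hardened))
```

The plain swap is the only payload the vulnerable gate stops; every shape change (wrapping, array, string, duplicate key) slips past it and the backend acts on account 3333. The fix is not a longer list of shapes to reject but a single strict parse whose result is both checked and used.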
vulnX (@vuln_X):
@ZackKorman @rez0__ Frustration with vendors is real—but dropping sensitive details publicly only harms users. That’s not accountability, that’s recklessness. Calling it out like @rez0__ did is absolutely valid.
Replies 0 · Reposts 0 · Likes 2 · Views 138
Zack Korman (@ZackKorman):
Security people: This behavior is completely unacceptable. I don't care that you sent a few emails and got ignored. You don't get to drop this info publicly and put these users at greater risk. He's been called out by multiple people (@rez0__) and is doubling down. Not cool.
Replies 49 · Reposts 13 · Likes 252 · Views 75.4K
impulsive (@weezerOSINT):
This man called me blackhat on his timeline to 71k people. In the DMs he told me he's "not claiming I released some secret technique", so which is it? He had the platform to help get this fixed: contact the company, escalate the report, connect me with the right people. Instead he chose to start a public fight over disclosure timelines, and guess what? The company rotated the key. 25 days of private emails got nothing. One public tweet got it fixed. Joseph Thacker, you knew what you were doing when you made this post. You are a grown man instigating TL wars; isn't there anything else you could be doing with your time right now?
Replies 19 · Reposts 5 · Likes 182 · Views 32.5K
TESS (@ArmanSameer95):
🧵 Absolutely not worried about any Anthropic update at all, here's why. There's a pattern with Anthropic releases:
• Users report drops in reasoning + benchmark performance
• Outputs get shorter / lower-effort by default
• Behavior shifts due to hidden changes (system prompts, caching, etc.)
Then the explanation is always the same: "Not a downgrade — just settings, cost/latency tradeoffs, or prompting." But from a user POV, if each update requires more effort to get the same quality, that is degradation. The real issue isn't just the model — it's the growing gap between advertised capability and default experience.

Quoting Claude (@claudeai):
Claude Security is now in public beta for Claude Enterprise customers. Claude scans your codebase for vulnerabilities, validates each finding to cut false positives, and suggests patches you can review and approve.
Replies 2 · Reposts 0 · Likes 27 · Views 1.7K
vulnX (@vuln_X):
→ POST /register → arbitrary redirect_uri accepted?
→ state param → does it encode redirect_uri? decode it.
→ send captured SaaS-layer URL to different browser → does it work?
→ MCP token → JWT? decode for raw credentials.
→ consent cookie → __Host- prefix missing?
Replies 0 · Reposts 0 · Likes 0 · Views 113
vulnX (@vuln_X):
4/5) State-session binding? Bypassable. Cookie is anonymous — anyone generates one. No __Host- = injectable via subdomain XSS. SameSite=Lax doesn't block top-level navigation. Inject your cookie → state validates → code is yours.
Replies 1 · Reposts 0 · Likes 0 · Views 118
vulnX (@vuln_X):
🧵 How I'd 1-Click Takeover Any MCP OAuth Proxy — And Why PKCE Is Irrelevant👇
Replies 1 · Reposts 0 · Likes 1 · Views 354
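The checks behind the MCP OAuth proxy thread above (the checklist post, the "4/5) State-session binding" post and the thread head), as an added example that is not code from @vuln_X or from any MCP proxy: an audit of the consent cookie's attributes, a decoder for a `state` parameter that carries `redirect_uri`, and a weak proxy that binds `state` to an anonymous cookie next to a hardened one whose cookie a subdomain cannot plant. Hostnames, cookie names, class names and values are constructed.

```python
"""Added example: checks behind the MCP OAuth proxy thread above (consent
cookie attributes, state bound to an anonymous cookie, redirect_uri carried
inside state). All names, hostnames and values are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return {"name": name, "value": value, "attrs": attrs}


def audit_consent_cookie(header: str) -> list[str]:
    """Findings a tester would raise against an OAuth consent/session cookie."""
    c = parse_set_cookie(header)
    findings = []
    if not c["name"].startswith("__Host-"):
        findings.append("no __Host- prefix: any subdomain (e.g. via XSS there) can plant this cookie")
    if "secure" not in c["attrs"]:
        findings.append("missing Secure")
    if "domain" in c["attrs"]:
        findings.append("Domain attribute set: cookie is shared with every subdomain")
    if c["attrs"].get("path", "/") != "/":
        findings.append("Path is not '/': a __Host- cookie would be rejected by the browser")
    return findings


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_state(obj: dict) -> str:
    """How a leaky proxy might serialise its whole flow into the state parameter."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def redirect_uri_in_state(state: str) -> Optional[str]:
    """Checklist step 'state param: does it encode redirect_uri? decode it'.
    Returns the embedded redirect_uri if state is base64url JSON, else None."""
    try:
        obj = json.loads(b64url_decode(state))
    except (ValueError, UnicodeDecodeError):
        return None
    return obj.get("redirect_uri") if isinstance(obj, dict) else None


class WeakProxy:
    """state is only compared against a cookie whose value the client chose;
    nothing ties that cookie to a server-side session."""

    def start(self) -> tuple[str, str]:
        state = secrets.token_urlsafe(16)
        return f"oauth_state={state}; Path=/", state      # (Set-Cookie header, state)

    def callback(self, cookie_value: str, state: str) -> Optional[str]:
        return "code accepted" if hmac.compare_digest(cookie_value, state) else None


class HardenedProxy:
    """Session id is server-issued and stored with the flow's redirect_uri;
    state = HMAC(secret, session_id); the id travels only in a __Host- cookie,
    which a subdomain cannot set for the parent host."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)
        self.sessions: dict[str, dict] = {}

    def _state_for(self, sid: str) -> str:
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def start(self, redirect_uri: str) -> tuple[str, str]:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"redirect_uri": redirect_uri, "used": False}
        cookie = f"__Host-oauth_session={sid}; Secure; HttpOnly; Path=/; SameSite=Lax"
        return cookie, self._state_for(sid)

    def callback(self, cookie_value: str, state: str) -> Optional[str]:
        sess = self.sessions.get(cookie_value)
        if sess is None or sess["used"]:
            return None
        if not hmac.compare_digest(self._state_for(cookie_value), state):
            return None
        sess["used"] = True
        return sess["redirect_uri"]   # from the store, never from state or query


def cookie_injection_attack(proxy, attacker_cookie_header: str, attacker_state: str) -> bool:
    """Attacker with XSS on a subdomain plants their own cookie in the victim's
    browser, then sends the victim (top-level navigation, which SameSite=Lax
    permits) to /callback?state=<attacker_state>&code=<attacker_code>."""
    c = parse_set_cookie(attacker_cookie_header)
    if c["name"].startswith("__Host-"):
        return False   # browser: a subdomain's __Host- cookie never reaches the parent host
    return proxy.callback(c["value"], attacker_state) is not None


if __name__ == "__main__":
    weak_cookie, weak_state = WeakProxy().start()
    print(audit_consent_cookie(weak_cookie))
    print("weak proxy hijacked:", cookie_injection_attack(WeakProxy(), weak_cookie, weak_state))
    print(redirect_uri_in_state(encode_state({"redirect_uri": "https://attacker.example/cb"})))
```

PKCE does not enter into this: it binds the code to the client that started the flow, and in the injected-cookie case the attacker is that client. What stops the attack is a cookie the subdomain cannot write (`__Host-`, no `Domain`, `Path=/`, `Secure`) and a `state` derived from a server-issued session rather than from a value the browser supplied.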
Insider Wire (@InsiderWire):
#BREAKING: Anthropic’s AI coding agent ‘Claude’ reportedly wiped a company’s production database and backups in 9 seconds.
Replies 364 · Reposts 944 · Likes 7.7K · Views 1.2M
vulnX (@vuln_X):
If an app fetched PDFs via ?url=http://internal.corp/file.pdf — classic SSRF setup. Bypass? Enumerate internal PDF subdomains. Swap the file ID → other users' docs. SSRF + IDOR chained. 🔥 #bugbounty #SSRF
Replies 0 · Reposts 2 · Likes 10 · Views 622
Jenish Sojitra (@_jensec):
One way to deal with AI spam reports would be to make the program private with limited researchers and keep only the VDP public. I know a couple of program managers are already considering this.
Replies 8 · Reposts 1 · Likes 97 · Views 5.9K
vulnX (@vuln_X):
A hostname that returns NXDOMAIN publicly isn't necessarily dead. Internal DNS resolvers may still serve it perfectly.
internal-api.corp → NXDOMAIN externally
internal-api.corp via SSRF → valid HTTP response 💀
Never skip non-resolvable hostnames in your SSRF payload list.
Replies 0 · Reposts 0 · Likes 2 · Views 286
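An added example covering both SSRF posts above (the `?url=` PDF fetcher and the NXDOMAIN point); it is not code from @vuln_X. It pairs the naive hostname blocklist such a fetcher tends to have with a hardened decision that allow-lists the host and then resolves it with the fetcher's own resolver, and it shows two constructed DNS views side by side so the "dead outside, alive inside" case is visible. Hostnames, addresses and the DNS tables are constructed; `system_resolver` is included only for real use and is not exercised offline.

```python
"""Added example for the two SSRF posts above: a fetcher decision that resolves
the hostname with the *target's* resolver, because a name that is NXDOMAIN
on the public Internet can still resolve on the internal network. Hostnames,
addresses and DNS tables are constructed."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], list[str]]

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_ip(ip: str) -> bool:
    """True for loopback, RFC 1918, CGNAT, link-local (which includes the cloud
    metadata address 169.254.169.254) and their IPv4-mapped IPv6 forms."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_multicast or addr.is_unspecified or addr.is_reserved:
        return True
    return any(addr in net for net in BLOCKED_NETS)


def system_resolver(host: str) -> list[str]:
    """Resolve with the local stack (what the tester sees). Empty on NXDOMAIN."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def table_resolver(table: dict[str, list[str]]) -> Resolver:
    """Simulated resolver for offline use: a dict standing in for one DNS view."""
    return lambda host: list(table.get(host, []))


def vulnerable_fetch_allowed(url: str) -> bool:
    """Naive filter seen in PDF fetchers: block a few literal hostnames and
    let everything else through, so internal names are fetched as-is."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in {"localhost", "127.0.0.1", "169.254.169.254"}


def hardened_fetch_allowed(url: str, resolve: Resolver,
                           allowed_hosts: Iterable[str]) -> tuple[bool, str]:
    """Allow-list the host, then resolve it and refuse internal addresses.
    The real fetch must then connect to the checked IP (pin it) so a DNS
    rebind between this check and the connection cannot undo it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, "host not allow-listed"
    ips = resolve(host)
    if not ips:
        return False, "unresolvable"
    for ip in ips:
        if is_internal_ip(ip):
            return False, f"resolves to internal {ip}"
    return True, "ok"


# Constructed DNS views: what the tester's resolver and the target's resolver return.
PUBLIC_DNS = {"cdn.example.com": ["203.0.113.10"]}
INTERNAL_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "internal-api.corp": ["10.20.30.40"],     # NXDOMAIN publicly, alive inside
    "pdf-files.corp": ["10.0.0.12"],
}


def probe_views(hosts: Iterable[str]) -> dict[str, dict[str, list[str]]]:
    """Side by side: which candidates look dead from outside but live inside."""
    public, internal = table_resolver(PUBLIC_DNS), table_resolver(INTERNAL_DNS)
    return {h: {"public": public(h), "internal": internal(h)} for h in hosts}


if __name__ == "__main__":
    target = table_resolver(INTERNAL_DNS)
    for url in ("http://cdn.example.com/doc.pdf", "http://internal-api.corp/file.pdf"):
        print(url, "naive:", vulnerable_fetch_allowed(url),
              "hardened:", hardened_fetch_allowed(url, target, ["cdn.example.com"]))
    print(probe_views(["cdn.example.com", "internal-api.corp"]))
```

From the tester's side, `probe_views` is the reason not to prune a payload list on public NXDOMAIN: only the target's resolver decides whether `internal-api.corp` exists. From the defender's side, a hostname blocklist cannot enumerate names it has never heard of; resolving and judging the address is the check that generalises.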
vulnX (@vuln_X):
Always grab the Swagger/OpenAPI spec first. /swagger/v1/swagger.json Some with no auth. That's not documentation — that's a treasure map.
curl -s "target.com/swagger/v1/swa…" | wc -c
Know your surface before you test it. 🗺️ #BugBounty #recon
Replies 0 · Reposts 4 · Likes 17 · Views 1.2K
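Once the spec is in hand, the next step the post implies is turning it into a surface map. The following is an added example (not code from @vuln_X): it parses an OpenAPI 3 document, applies the rule that an operation-level `security` overrides the global one and that an explicit `security: []` means no authentication, and reports the unauthenticated operations and the ones that take object ids in their path. The spec embedded below is constructed and stands in for whatever `/swagger/v1/swagger.json` returns; it is not from any real target.

```python
"""Added example for the Swagger/OpenAPI post above: turn a fetched spec into
an attack-surface map (every operation, its effective auth, the object ids in
its path). The spec below is constructed, not from any real target."""
import json
import re
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PATH_PARAM = re.compile(r"\{([^}]+)\}")

SAMPLE_SPEC_JSON = json.dumps({   # constructed; stands in for /swagger/v1/swagger.json
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],           # global default: bearer token
    "paths": {
        "/users/{userId}": {
            "get": {"operationId": "getUser"},
            "delete": {"operationId": "deleteUser", "security": [{"adminKey": []}]},
        },
        "/users/{userId}/documents/{docId}": {"get": {"operationId": "getDocument"}},
        "/public/search": {
            "parameters": [{"name": "q", "in": "query"}],   # not a method: skipped
            "get": {"operationId": "search"},
        },
        "/health": {"get": {"operationId": "health", "security": []}},       # explicit no-auth
        "/internal/export": {"post": {"operationId": "exportAll", "security": []}},
    },
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"},
        "adminKey": {"type": "apiKey", "in": "header", "name": "X-Admin-Key"},
    }},
})


def load_spec(text: str) -> dict[str, Any]:
    """Parse the raw swagger.json body (what the curl in the post fetches)."""
    return json.loads(text)


def effective_security(spec: dict, op: dict) -> list[str]:
    """OpenAPI rule: an operation's `security` overrides the global list, and an
    explicit empty list means the operation needs no authentication."""
    requirement = op.get("security", spec.get("security", []))
    return [scheme for alternative in requirement for scheme in alternative]


def map_surface(spec: dict) -> list[dict]:
    """One row per (method, path) with its effective auth and path ids."""
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue            # 'parameters', 'summary', 'servers' also live here
            rows.append({
                "method": method.upper(),
                "path": path,
                "operationId": op.get("operationId"),
                "auth": effective_security(spec, op),
                "path_params": PATH_PARAM.findall(path),
            })
    return rows


def summarize(spec: dict) -> dict:
    """What to look at first: no-auth operations and id-bearing paths (IDOR candidates)."""
    rows = map_surface(spec)
    return {
        "operations": len(rows),
        "unauthenticated": [(r["method"], r["path"]) for r in rows if not r["auth"]],
        "object_id_endpoints": [(r["method"], r["path"]) for r in rows if r["path_params"]],
        "schemes_in_use": sorted({s for r in rows for s in r["auth"]}),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(load_spec(SAMPLE_SPEC_JSON)), indent=2))
```

Two things the raw byte count from `wc -c` cannot tell you fall out immediately: which operations the spec itself declares unauthenticated (`/health` is expected, `/internal/export` is not), and which paths carry object identifiers that the IDOR checks earlier on this page apply to.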