bugcrowd

26.5K posts

bugcrowd
@Bugcrowd

The leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world...Unleash Ingenuity™

San Francisco, CA · Joined September 2012
6.1K Following · 196.1K Followers
bugcrowd @Bugcrowd
Let's check your database knowledge.

query = "SELECT * FROM users WHERE id = " + userId

Replace string concatenation with ________ to prevent SQLi
A) query = f"SELECT * FROM users WHERE id = {userId}"
B) query = "SELECT * FROM users WHERE id = " + escape(userId)
C) cursor.execute("SELECT * FROM users WHERE id = %s", (userId,))
D) query = "SELECT * FROM users WHERE id = " + str(int(userId))
Bonus: Why are the others still injectable?
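As an added example (not part of the post), here is a runnable Python comparison of the concatenated form and the parameterized form against a constructed in-memory SQLite table. The `escape()` helper is an assumed stand-in for option B's unnamed function; SQLite's placeholder is `?`, whereas the `%s` in option C is the paramstyle of drivers such as psycopg2 and MySQLdb. The point it shows: quote-escaping does nothing when the value sits in a numeric position with no quotes to escape, while a bound parameter never becomes part of the SQL text at all.

```python
import sqlite3


def make_db():
    """Constructed sample data: a three-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "carol", "admin")],
    )
    return conn


def escape(value):
    """Assumed stand-in for option B: doubles single quotes, the usual 'escape' idea."""
    return str(value).replace("'", "''")


def lookup_concat(conn, user_id):
    """Options A/B pattern: the caller-supplied value becomes part of the SQL text."""
    query = "SELECT * FROM users WHERE id = " + escape(user_id)
    return conn.execute(query).fetchall()


def lookup_param(conn, user_id):
    """Option C pattern: the value is bound separately, so it can only ever be data."""
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_validated(conn, raw_id):
    """Option D's idea done properly: validate the type, then still bind it.

    Raises ValueError for non-numeric input instead of building SQL from it.
    """
    return lookup_param(conn, int(raw_id))


if __name__ == "__main__":
    conn = make_db()
    tautology = "1 OR 1=1"  # constructed test input, unquoted numeric context
    print("concat  :", lookup_concat(conn, tautology))   # every row comes back
    print("param   :", lookup_param(conn, tautology))    # no row matches the literal text
    print("escape  :", repr(escape(tautology)))          # nothing to escape, unchanged
```

Bound parameters defeat the tautology because SQLite compares the INTEGER column against the literal text `1 OR 1=1`, which is not a well-formed number and therefore never equals an id; the concatenated query instead parses that text as SQL.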
bugcrowd @Bugcrowd
📢 April 16 at 11am ET: bugcrowd.com/webinar/?commi…{{lead.Id}}&utm_source=x&utm_medium=organic_social
Join Bugcrowd, CISA VDP, and public sector security leaders for a Q&A on the impact of FedRAMP Moderate authorization. Hear from Kent Wilson, Trey Ford, and Shondalyn Smith on what this means for vulnerability disclosure, operational rigor, and proactive security across government and beyond. 🎙️🔥
bugcrowd @Bugcrowd
The average cost of a breach for financial institutions is $6 million 💸 Crowdsourced security helps financial services organizations bring in specialized expertise on demand, extend internal teams, and support compliance efforts through solutions like bug bounty, penetration testing, and vulnerability disclosure programs. ☝️ In fact, 96% of ethical hackers agree these programs help fill cybersecurity skills gaps. We're letting you in on a few secrets in this blog: bugcrowd.com/blog/5-tips-to…
bugcrowd @Bugcrowd
The security world spent a decade obsessed with finding bugs faster. We succeeded, but now we have a massive bottleneck at the finish line. 🏁 AI finds vulnerabilities in seconds, but a human still has to ship the patch. When a maintainer is buried under 40 reports on a Friday, speed of discovery feels like noise. As Bugcrowd's Trey Ford notes, we optimized the wrong end of the pipe. It is time to value the fix as much as the find. 💯 Read the full analysis: darkreading.com/application-se…
bugcrowd @Bugcrowd
Save this for later 🔖 What's your take? 👇
bugcrowd @Bugcrowd
👉 Test for mass assignment:
- Add unexpected fields in requests
- Modify existing parameters
- Observe changes in behavior
For example, you could add the following field when updating your user profile:
{ "isAdmin": true }
bugcrowd @Bugcrowd
Broken Object Property Level Authorization (BOPLA) occurs when APIs fail to properly restrict access to specific properties within an object. Think of it as IDOR, but targeted at individual properties rather than the entire object. 👇🧵
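The mass assignment post above and this BOPLA post describe the same property-level failure from two sides: a write path that binds every request key onto the model, and a read path that returns properties the caller should not see. The following is an added Python example, not Bugcrowd's code; the `User` model, the allowlists and the `isAdmin` field (named to match the post's JSON) are all assumptions. It places the vulnerable binding beside the allowlisted form and shows a serializer that decides per property what a given viewer may read.

```python
from dataclasses import dataclass

# Assumed policy: which properties a profile owner may write, and which anyone may read.
WRITABLE_BY_OWNER = {"display_name", "bio", "email"}
READABLE_PUBLIC = {"id", "display_name", "bio"}


@dataclass
class User:
    id: int
    display_name: str
    bio: str = ""
    email: str = ""
    isAdmin: bool = False  # privileged property that must never be client-settable


class PropertyNotAllowed(ValueError):
    """Raised when a request names a property outside the writable allowlist."""


def apply_profile_update_unsafe(user, payload):
    """The anti-pattern: every key in the request body is bound onto the model."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def apply_profile_update(user, payload):
    """Allowlisted binding: unknown or read-only properties reject the whole request.

    The check runs before any write, so a rejected request changes nothing.
    """
    unexpected = set(payload) - WRITABLE_BY_OWNER
    if unexpected:
        raise PropertyNotAllowed(sorted(unexpected))
    for key in WRITABLE_BY_OWNER & set(payload):
        setattr(user, key, payload[key])
    return user


def serialize_user(user, viewer):
    """Read-side BOPLA control: expose only the properties this viewer may see."""
    allowed = set(READABLE_PUBLIC)
    if viewer.id == user.id or viewer.isAdmin:
        allowed.add("email")  # private to the owner and to admins
    return {key: getattr(user, key) for key in sorted(allowed)}


def handle_update_request(user, payload):
    """Endpoint-style wrapper returning (status, body) the way an HTTP handler would."""
    try:
        apply_profile_update(user, payload)
    except PropertyNotAllowed as exc:
        return 400, {"error": "unknown or read-only properties", "properties": exc.args[0]}
    return 200, serialize_user(user, user)


if __name__ == "__main__":
    # Constructed request body modelled on the post: a legitimate edit plus "isAdmin".
    body = {"display_name": "Alice", "isAdmin": True}
    victim = User(id=1, display_name="alice")
    apply_profile_update_unsafe(victim, body)
    print("unsafe binding, isAdmin now:", victim.isAdmin)
    print("allowlisted handler:", handle_update_request(User(id=2, display_name="bob"), body))
```

Rejecting the request outright, rather than silently dropping the unexpected key, is a deliberate choice: it surfaces the probe in application logs, which is the behaviour change a tester of the kind described in the post would be looking for.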
bugcrowd @Bugcrowd
When VulnCon winds down, come hang with us! 🤙 We're bringing the Bugcrowd community to The Canal Club for patio vibes, drinks, bites, and conversations that just might be the highlight of your trip. We'll see you tomorrow, April 14, at 6:30pm! 🔗 Register here: luma.com/u3ceyli8
bugcrowd @Bugcrowd
AI agents are increasingly being used by some users to create a huge volume of low-quality, unverified submissions. We call this "sloptimism": overly optimistic submissions driving large volumes of speculative or AI-generated reports.
bugcrowd @Bugcrowd
Sure, you 𝙘𝙤𝙪𝙡𝙙 read the whole 50-page Inside the Mind of a Hacker report. But if hearing the top insights live from Bugcrowd CEO Dave Gerry, while also getting networking and drinks, sounds better... this is your sign 😎 Join us at the GeoCyclone event in London on April 23: luma.com/qmh8uc6e
bugcrowd @Bugcrowd
Offensive testing is the theme
Hackers search for bugs upstream
A preemptive approach
The attacker's reproach
Extends the reach of your security team.
🎤 🫳 🥵 And on that note, happy Friday! If you're into poems, we have plenty: bugcrowd.com/blog/10-cybers…
bugcrowd @Bugcrowd
Conclusion: Authorisation must always be enforced server-side per object. Obscurity such as UUIDs or frontend controls isn't enough.
bugcrowd @Bugcrowd
Even if IDs are non-sequential (UUIDs), BOLA can still exist. Attackers often extract IDs from:
- API responses
- Logs
- Public endpoints
and reuse them across endpoints.
bugcrowd @Bugcrowd
Broken Object Level Authorization (BOLA) is one of the most critical API vulnerabilities, and it consistently ranks at the top of OWASP API risks. It occurs when an API fails to verify whether a user has permission to access a specific object.
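The three BOLA posts above (this one, the UUID post and the conclusion) make one argument: look-ups keyed by object id alone are broken even with random ids, and every endpoint that touches an object must check the caller's right to that object on the server. The following added Python example is not Bugcrowd's code; the `Order` store, the `Principal` type and the endpoint names are assumptions. It routes every endpoint through one ownership-scoped loader and places the id-only look-up beside it for contrast.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as the server knows it from the session or token."""
    id: str
    is_admin: bool = False


@dataclass
class Order:
    id: str        # random UUID: unguessable, but that is not an authorization check
    owner_id: str
    status: str = "open"


class NotFound(Exception):
    """Raised both for ids that do not exist and for ids the caller may not access."""


# Constructed sample data: two customers, one order each, keyed by a fresh UUID.
ALICE = Principal("u-alice")
BOB = Principal("u-bob")
ORDERS = {}


def seed():
    ORDERS.clear()
    for owner in (ALICE, BOB):
        oid = str(uuid.uuid4())
        ORDERS[oid] = Order(oid, owner.id)
    return ORDERS


def load_owned_order(principal, order_id):
    """Single chokepoint: the object is resolved together with the caller's claim on it.

    Missing and not-owned collapse into the same NotFound so a response does not
    confirm which ids exist to a caller who harvested them from logs or responses.
    """
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != principal.id and not principal.is_admin):
        raise NotFound(order_id)
    return order


def get_order(principal, order_id):
    return load_owned_order(principal, order_id)


def cancel_order(principal, order_id):
    # A second endpoint on the same object reuses the same check; reusing an id
    # across endpoints buys nothing because each one re-applies it.
    order = load_owned_order(principal, order_id)
    order.status = "cancelled"
    return order


def get_order_unsafe(principal, order_id):
    """BOLA: authenticated, but the object is fetched by id alone."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def handle(endpoint, principal, order_id):
    """Endpoint-style wrapper returning (status, body) the way an HTTP handler would."""
    try:
        return 200, endpoint(principal, order_id)
    except NotFound:
        return 404, None


if __name__ == "__main__":
    seed()
    bob_order = next(o.id for o in ORDERS.values() if o.owner_id == BOB.id)
    print("alice -> bob's order, id-only lookup :", handle(get_order_unsafe, ALICE, bob_order)[0])
    print("alice -> bob's order, owner-scoped   :", handle(get_order, ALICE, bob_order)[0])
    print("bob   -> own order, cancel           :", handle(cancel_order, BOB, bob_order)[0])
```

Scoping the query by owner (`WHERE id = ? AND owner_id = ?` in a real store) rather than fetching and then comparing is the same idea in one step, and it fails closed if someone later adds an endpoint and forgets the comparison.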