No rate limit on OTP verification leads to 10k bounty
How I found and exploited a missing rate limit on an OTP verification endpoint that allowed mass account takeover by brute forcing one-time codes.
IDOR in session cookie leading to mass account takeover
How I found an IDOR in a session cookie that allowed mass account takeover.
SSRF to fetch AWS credentials with full access to multiple services
How I found an SSRF to fetch AWS credentials with full access to multiple services.
Bug Bounty Beginner’s Guide
My personal journey into bug bounty hunting and tips for beginners.
Finding and exploiting HTTP Request Smuggling
How to find HTTP Request Smuggling in the wild.