Immunefi's retrospective on Wormhole's critical uninitialized proxy vulnerability in its Ethereum bridge contract, which was responsibly disclosed by researcher satya0x and resulted in a record $10 million bug bounty. The article includes a detailed technical explanation of proxy patterns, delegatecall mechanics, and how uninitialized proxies can lead to fund lockup.
Researcher discovered SSRF vulnerabilities in Slack's Slash Commands and Event Subscriptions by bypassing IPv6 blacklist protections using HTTP redirects with the [::] hostname notation, earning $1,000 in total bounties.
Researcher discovered RCE via an exposed Rails secret token leaked through Rack's ShowExceptions error page, which was enabled in production. By fuzzing the filename parameter with %0d to trigger an exception, they obtained the secret_token used to sign cookies, which they then exploited to achieve remote code execution across two in-scope assets.
A bug bounty writeup describing how LaTeX injection in a journal CMS's PDF conversion feature can be exploited to read arbitrary files and achieve remote command execution via crafted LaTeX payloads, escalated to database/Elasticsearch access through SSRF.
Researcher exploited an SSRF vulnerability on Adfly to gain access to the internal SMTP server via the Gopher protocol, enabling unauthorized email sending from the Adfly domain. The attack involved uploading a PHP redirect file to a third-party server that, when visited through Adfly's URL shortening feature, would execute a Gopher payload to interact with the local SMTP service.
A guide on detecting race conditions in web applications using Burp Suite's Intruder tool, with specific steps to configure concurrent request threads and demonstrating the vulnerability through real-world examples like balance transfer and gift card exploitation.
A practical writeup demonstrating how a race condition vulnerability was exploited to bypass console creation limits on a free-tier web application by sending parallel requests while simultaneously removing resources, allowing a free user to exceed the 2-console restriction.
A bug bounty writeup demonstrating how an SSRF vulnerability in a JavaScript-exposed endpoint was exploited to read internal files via the file:// URI scheme, discovered by analyzing unminified JavaScript code for new endpoints.
A researcher demonstrates exploiting a race condition vulnerability in a bug bounty program to bypass team member creation limits (creating 4 members instead of the authorized 3) using Burp Suite's Intruder tool with simultaneous request execution.
A researcher exploited CORS misconfiguration combined with XSS on a subdomain to exfiltrate sensitive user data (email, age, gender, DOB) from a main domain endpoint. By crafting an XSS payload that sends a credentialed XMLHttpRequest to the misconfigured endpoint and exfiltrates the response, the attacker could steal protected user information.
Researcher bypassed WAF protections against Apache Struts CVE-2013-2251 by embedding OGNL RCE payloads within a legitimate redirect parameter, then escalated from remote code execution to root shell via SSH key manipulation and kernel CVE-2013-2094 exploitation.
SSRF vulnerability in a PDF generator where HTML filters on the web app were bypassed by inserting payloads via mobile app and using forward-slash character encoding in iframe tags to access internal resources like error logs (elmah.axd).
A researcher discovered an SSRF vulnerability in a private HackerOne program's screenshot API by bypassing file:// protocol filtering through path manipulation (using file:// with a single slash instead of a triple slash) to achieve local file disclosure, specifically reading /etc/passwd via the URL file://s/etc/passwd.
A DevOps engineer discovered unauthenticated RCE as root on publicly exposed Marathon container orchestration instances, found via Shodan reconnaissance, by leveraging the task scheduling API to execute arbitrary commands without authentication.
A researcher discovered and exploited an SSRF vulnerability in DownNotifier's website monitoring service, using the 0.0.0.0 loopback address to bypass filters and enumerate local services (FTP, HTTP) via XSPA timing analysis.
A bug bounty hunter discovered RCE by bypassing file upload restrictions through MIME type manipulation in a GET request, which was reflected in subsequent PUT requests, ultimately allowing PHP file upload via php5/php7 extensions when direct PHP upload was blocked.
A race condition vulnerability in a team management feature allows bypassing the free tier's 5-user invitation limit by sending concurrent requests via Burp Intruder with high threading, enabling an attacker to invite 22+ users without upgrading to a paid plan.
A file upload bypass vulnerability on a crypto trading platform allowing RCE by manipulating Content-Type headers from image/png to text/html, leading to PHP shell execution and database credential extraction for account manipulation. The author demonstrates chaining file upload bypass with RCE and database access to achieve P1 severity.
An IDOR vulnerability in Facebook Analytics allows users with analyst roles to access private dashboard charts by manipulating the 'chartID' parameter in a GraphQL request, disclosing chart names and data that should only be visible to the dashboard owner.
A security researcher bypassed 2FA/OTP on an Indian travel service provider by brute-forcing a 4-digit OTP without rate limiting, using Burp Suite's Intruder to test all 10,000 possible combinations and obtain a valid login token.
A researcher discovered a Local File Inclusion (LFI) vulnerability in Apache Drill by manipulating the dfs storage plugin configuration to read arbitrary files from the server, such as /etc/passwd, via crafted SQL queries.
A union-based SQL injection vulnerability was discovered in the University of Cambridge's Fitzwilliam Museum search application, allowing enumeration of database version, user credentials, and database name through manipulated query parameters.
An application-level denial-of-service vulnerability exploitable by sending excessively long strings (100,000+ characters) to input fields, causing CPU and memory exhaustion through vulnerable string hashing implementations. The technique can be applied to password fields, usernames, email addresses, and other text inputs across authentication and search functions.
A blind time-based SQL injection vulnerability was discovered in a file upload parameter where the application stored the filename directly in the database without proper sanitization. The vulnerability was exploited by injecting SQL sleep commands into the PDF filename and confirming exploitation through response time analysis after bypassing a Cloudflare WAF misconfiguration.
Researchers identified and documented a method to discover and exploit over 55,000 subdomain takeover vulnerabilities on Shopify by analyzing FDNS datasets for CNAMEs pointing to Shopify infrastructure, then claiming unclaimed shop names to hijack subdomains. They developed a script with improved false-positive detection using page error messages, CNAME verification, and REST API checks.
A subdomain takeover vulnerability in flock.co where newdev.flock.co was pointed to an unclaimed readme.io custom domain, allowing the attacker to register a readme.io project and claim the subdomain through misconfigured DNS CNAME records without ownership verification.
A subdomain takeover of ping.ubnt.com via an unclaimed Amazon CloudFront distribution, combined with shared session cookies across *.ubnt.com subdomains, allowed complete authentication bypass of Ubiquiti's SSO system. The vulnerability was responsibly disclosed through HackerOne.
A walkthrough of exploiting a boolean-based SQL injection vulnerability via the User-Agent HTTP header to enumerate database version, table names, and columns, culminating in credential extraction from a MariaDB 10.1.21 instance.
A bug bounty hunter demonstrates a union-based SQL injection attack against a private company's web application, using order-by enumeration to identify 11 vulnerable columns, extracting database version, user, OS details, and dumping table schemas via information_schema queries with encoding bypasses.
Researcher demonstrates a subdomain takeover vulnerability on Starbucks by exploiting an unclaimed Azure Traffic Manager endpoint. The vulnerable subdomain had a CNAME pointing to a non-existent trafficmanager.net domain that could be registered without domain ownership verification, allowing complete control of the subdomain.