How I Got 3 Bugs No Automation, Just Logic
No Tools, Just Thinking: 3 Bugs I Found Manually Chaining Logic Flaws: Method Tampering, URL Bypass & Hidden Data Leaks
Mado · March 4, 2026 (Updated: March 4, 2026)
Hello Hackers
I'm Mohamed, also known as Mado, a dedicated Web Application Penetration Tester and bug hunter.
NOTE: This write-up is about hunting and focuses on 2 bugs: information disclosure and open redirect. Get your coffee and let's go. If you liked the write-up, don't forget 50 claps, and thank you.
First Bug (Information Disclosure) Target Overview #1
My target is a program for documents. You can write anything in the documents, and you can invite many people with different roles:
Viewer = Can only see documents and chat
Editor = Can change anything in documents only
Manager = Can change anything in documents, and can change any member with a lower role
START
My Technique For Exploit:
I made the document viewer available to everyone (public link). When I visit the link as a user outside the team, the attacker cannot see any information here.
But when I open the team chat, I can see all messages from all users in the team. I write a message, send it, and catch the request to understand how it works.
I changed the request method from POST to GET. The server gave me information in the response about users in the team, even though I don't have permission to see all team members.
Email of victim
Here, the server gave me all the emails and names of users in the team after changing the request from POST to GET.
Second Bug (URL Bypass = Open Redirect) Target Overview #2
The target is for writing your daily tasks, with roles and the ability to invite people with different roles. After recon, I found the MCP server endpoint.
I saw the URL: APP_ICON=HTTPS://BLABLABLA.COM
I changed the URL to evil.com, like:
APP_ICON=HTTPS://EVIL.COM
BUT IT DIDN'T WORK
I tried to bypass:
HTTPS://[email protected] => NOT WORKING
HTTPS://BLABLABLA.COM?Evil.com => NOT WORKING
HTTPS://BLABLABLA.COM/Evil.com => NOT WORKING
//evil.com => WORKING
The last payload worked: now anyone who clicks on MCP CU PROXY gets redirected to Evil.com.
Now if you look at my mouse on the MCP Proxy, check the bottom left side for the redirect link to evil.com.
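The pattern behind this bypass is a redirect-target check that rejects absolute URLs to foreign hosts but treats anything without a scheme as a harmless relative path, so a protocol-relative `//evil.com` slips through and the browser resolves it against the current scheme. As an added defender-side example (not the author's code; the allowed host and the `@` userinfo payload are constructed), here is that weak check beside a hardened allow-list check:

```python
from urllib.parse import urlsplit

# Hosts the application may redirect to (constructed example value).
ALLOWED_HOSTS = {"blablabla.com"}


def naive_is_safe(url: str) -> bool:
    """Weak check: only absolute URLs are compared against the allow list.

    A URL with no scheme is assumed to be a same-site relative path, so the
    protocol-relative form //evil.com is accepted and the browser resolves
    it to https://evil.com.
    """
    parts = urlsplit(url)
    if parts.scheme:
        host = parts.netloc.split("@")[-1].split(":")[0].lower()
        return host in ALLOWED_HOSTS
    return True  # "relative" URL, which is where //evil.com sneaks in


def strict_is_safe(url: str) -> bool:
    """Hardened check: reject scheme-relative forms, allow plain same-origin
    paths, and otherwise require https plus an allow-listed host.
    """
    url = url.strip()  # browsers ignore leading/trailing whitespace
    if not url:
        return False
    # Browsers treat "//host" and "/\host" (and "\\host") as scheme-relative.
    if url.startswith(("//", "/\\", "\\")):
        return False
    if url.startswith("/"):
        return True  # same-origin path, e.g. /dashboard
    parts = urlsplit(url)
    # Reject userinfo tricks like https://blablabla.com@evil.com outright.
    if parts.scheme != "https" or "@" in parts.netloc:
        return False
    # .hostname is lowercased and has port/userinfo stripped.
    return parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return the requested target if it passes the strict check, else default."""
    return url if strict_is_safe(url) else default
```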
The Third Bug (Upload Image = Open Redirect) Target Overview #3
The target is for writing your daily tasks, with roles and the ability to invite people with different roles.
When I tried the target as an attacker, I saw the team chat and noticed that anyone can upload images. I attempted XSS, but it didn't work, so I tried an open redirect through the image upload instead.
Now, when anyone opens the chat and sees the image, if the victim clicks on it, they get redirected to evil.com.
The Results:
And I want to say that a bug doesn't have to appear immediately: if it doesn't work in one place, the same scenario might lead to another bug elsewhere.
If you want to reach me, all my contact info is here: click_Here
If you want to read more blogs, check the link: 0xMado-Gitbook
……………Thank You For Reading and I hope This Was helpful………………
#bug-bounty #bug-bounty-tips #hacking #infosec #information-disclosure