bug-bounty (413)
xss (277)
google (249)
microsoft (215)
facebook (191)
apple (139)
rce (124)
malware (101)
bragging-post (92)
account-takeover (88)
exploit (86)
csrf (73)
cve (70)
authentication-bypass (67)
privilege-escalation (60)
access-control (53)
phishing (48)
defi (48)
dos (47)
smart-contract (47)
ethereum (44)
writeup (44)
open-source (43)
supply-chain (42)
ssrf (42)
cloudflare (42)
sql-injection (41)
browser (40)
web3 (39)
stored-xss (39)
aws (37)
web-security (36)
docker (36)
input-validation (36)
ai-agents (35)
api-security (34)
smart-contract-vulnerability (33)
reverse-engineering (32)
react (32)
information-disclosure (31)
idor (31)
burp-suite (30)
oauth (29)
denial-of-service (29)
cross-site-scripting (29)
node (28)
reflected-xss (28)
race-condition (27)
web-application (27)
clickjacking (25)
0
5/10
Researcher achieved a full account takeover by chaining two weaknesses in a password-change endpoint: the CSRF check was satisfied by sending the token as null, because the field was never properly validated, and a hidden 'uid' parameter, discovered with Param Miner, let the caller choose which user's password was set, so arbitrary users' passwords could be changed without authentication. The finding earned a $1000 bounty.
account-takeover
csrf
parameter-discovery
password-reset
api-enumeration
bragging-post
burp-suite
json-manipulation
Mohsin Khan
Param Miner
James Kettle
PortSwigger
Burp Suite
0
6/10
research
Technical taxonomy of GraphQL attack classes that security tools commonly miss, including schema enumeration, batch query abuse, and resolver explosion attacks.