bug-bounty512
xss298
google224
rce189
microsoft181
facebook170
exploit154
malware126
account-takeover119
bragging-post117
cve110
apple107
privilege-escalation94
csrf89
authentication-bypass79
stored-xss75
phishing71
open-source68
writeup68
reflected-xss63
access-control62
web-security60
ai-agents59
browser56
ssrf55
input-validation52
dos52
reverse-engineering51
smart-contract48
defi48
cross-site-scripting48
supply-chain46
sql-injection46
ethereum45
cloudflare44
lfi41
information-disclosure40
oauth40
api-security39
race-condition38
web338
react38
web-application37
burp-suite36
ctf36
tool35
pentest35
smart-contract-vulnerability33
idor33
html-injection33
0
6/10
bug-bounty
A reflected XSS vulnerability was discovered in a private program where URL parameters prefixed with 'utm_' were reflected without encoding in a JavaScript context. The breakthrough came from fuzzing parameter names themselves rather than values—specifically injecting JavaScript payload directly into the parameter name (e.g., 'utm_foobarbaz\')<>') which bypassed encoding applied to parameter values.
xss
reflected-xss
parameter-injection
parameter-name-fuzzing
encoding-bypass
utm-parameter
javascript-context
Rahul Maini
0
6/10
bug-bounty
A researcher discovered a Self XSS vulnerability in a group creation dialog box that could be escalated to a stored XSS affecting other users by combining it with a CSRF attack against an unprotected group creation endpoint, allowing arbitrary XSS execution when a victim visited a malicious link.
xss
csrf
self-xss-to-stored
dialog-box-bypass
encoding-bypass
bug-bounty
web-security
vulnerability-chaining
Abhishek