0
3/10
bug-bounty
A researcher found a two-factor authentication bypass in a private program: removing the VerificationDetails object from the JSON body of the API request that toggles 2FA made the server enable or disable 2FA without validating the OTP. The report was awarded $50.
two-factor-authentication-bypass
authentication-bypass
json-manipulation
api-security
parameter-removal
bragging-post
Aung Pyae Ko Ko
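The summary above describes the classic "check only if the client sent the thing to check" mistake. The following is an added example, not code from the writeup or the affected program: a minimal 2FA-toggle handler written the vulnerable way and the hardened way. The key names (VerificationDetails, otp, enabled), the sample account and the OTP value are assumptions constructed for the demo.

```python
import hmac
from typing import Optional


def make_user() -> dict:
    """Constructed sample account: 2FA is on and the current OTP is known."""
    return {"twofa_enabled": True, "current_otp": "482913"}


def _otp_valid(user: dict, otp: Optional[str]) -> bool:
    """Constant-time comparison of the submitted OTP with the user's current one."""
    if not isinstance(otp, str):
        return False
    return hmac.compare_digest(otp, user["current_otp"])


def toggle_2fa_vulnerable(user: dict, body: dict) -> dict:
    """Mirrors the bug in the summary: the OTP is checked only when the request
    carries a VerificationDetails object, so deleting that object skips the check."""
    if "VerificationDetails" in body:                 # gate depends on client input
        details = body["VerificationDetails"]
        if not _otp_valid(user, details.get("otp")):
            return {"ok": False, "error": "invalid otp"}
    user["twofa_enabled"] = bool(body["enabled"])
    return {"ok": True, "twofa_enabled": user["twofa_enabled"]}


def toggle_2fa_fixed(user: dict, body: dict) -> dict:
    """Hardened: the OTP check is unconditional; a missing or malformed
    VerificationDetails object is treated exactly like a wrong OTP."""
    details = body.get("VerificationDetails")
    if not isinstance(details, dict) or not _otp_valid(user, details.get("otp")):
        return {"ok": False, "error": "otp required"}
    user["twofa_enabled"] = bool(body["enabled"])
    return {"ok": True, "twofa_enabled": user["twofa_enabled"]}


if __name__ == "__main__":
    # Attacker request: the VerificationDetails object has been removed entirely.
    attack = {"enabled": False}
    print("vulnerable:", toggle_2fa_vulnerable(make_user(), attack))
    print("fixed:     ", toggle_2fa_fixed(make_user(), attack))
```

The fix is not "validate VerificationDetails when present" but "require it": any state-changing request that is supposed to be OTP-protected must fail closed when the proof is absent, and the check must not branch on a key the client controls.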
0
5/10
A researcher achieved full account takeover by chaining two weaknesses: the password-change endpoint accepted a null CSRF token and otherwise lacked proper validation, and a hidden 'uid' parameter, discovered with Param Miner, let the caller choose whose password was changed, so arbitrary users' passwords could be reset without authentication. The report earned a $1000 bounty.
account-takeover
csrf
parameter-discovery
password-reset
api-enumeration
bragging-post
burp-suite
json-manipulation
Mohsin Khan
Param Miner
James Kettle
PortSwigger
Burp Suite
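To make the chain in the summary concrete, here is an added example that is not code from the writeup, the target or Param Miner: a password-change handler reproducing both weaknesses (a CSRF check that passes when the token is null, and an undocumented 'uid' body key that overrides the session user), a hardened version, and a toy differential probe showing how a hidden parameter is spotted by sending one candidate key at a time and diffing the response. The user store, session object, token value and candidate wordlist are constructed for the demo; the probe is illustrative and is not Param Miner's algorithm.

```python
import hmac
from typing import Optional


def make_users() -> dict:
    """Constructed sample accounts keyed by user id."""
    return {"1001": {"name": "alice", "password": "alice-old"},
            "1002": {"name": "bob", "password": "bob-old"}}


class Session:
    """Constructed session: who is logged in (None = unauthenticated) and their CSRF token."""
    def __init__(self, uid: Optional[str], csrf_token: Optional[str]):
        self.uid = uid
        self.csrf_token = csrf_token


def change_password_vulnerable(users: dict, session: Session, body: dict) -> dict:
    # Weakness 1: the token is compared only when the client sent one, so a
    # null/missing csrf_token sails through.
    token = body.get("csrf_token")
    if token is not None and token != session.csrf_token:
        return {"ok": False, "error": "bad csrf token"}
    # Weakness 2: a hidden 'uid' key in the body overrides the session user,
    # and nothing requires a session at all, so the caller picks the victim.
    target = body.get("uid", session.uid)
    if target not in users:
        return {"ok": False, "error": "no such user"}
    users[target]["password"] = body["new_password"]
    return {"ok": True, "uid": target}


def change_password_fixed(users: dict, session: Session, body: dict) -> dict:
    # Must be authenticated; the token must be present and equal (constant-time).
    if session.uid is None or not isinstance(session.csrf_token, str):
        return {"ok": False, "error": "authentication required"}
    token = body.get("csrf_token")
    if not isinstance(token, str) or not hmac.compare_digest(token, session.csrf_token):
        return {"ok": False, "error": "bad csrf token"}
    # The target is always the session user; any 'uid' in the body is ignored.
    users[session.uid]["password"] = body["new_password"]
    return {"ok": True, "uid": session.uid}


def probe_hidden_params(session: Session, base_body: dict, candidates: list) -> list:
    """Toy differential probe: replay the base request once per candidate key
    (set to another user's id) against a fresh store and report keys whose
    presence changes the response. Illustrative only, not Param Miner's logic."""
    baseline = change_password_vulnerable(make_users(), session, dict(base_body))
    found = []
    for name in candidates:
        body = dict(base_body)
        body[name] = "1002"
        if change_password_vulnerable(make_users(), session, body) != baseline:
            found.append(name)
    return found


if __name__ == "__main__":
    # Unauthenticated attacker: no session, null token, victim chosen via 'uid'.
    attacker = Session(None, None)
    attack = {"csrf_token": None, "uid": "1002", "new_password": "pwned"}
    print("vulnerable:", change_password_vulnerable(make_users(), attacker, attack))
    print("fixed:     ", change_password_fixed(make_users(), attacker, attack))
    # Discovery from a legitimate account: which extra key changes the outcome?
    alice = Session("1001", "tok-alice")
    print("hidden params:", probe_hidden_params(
        alice, {"csrf_token": "tok-alice", "new_password": "x"},
        ["user", "user_id", "uid", "account", "id"]))
```

Two independent fixes close the chain: the CSRF comparison must fail when the token is absent rather than skip itself, and the subject of a password change must come from the authenticated session, never from a request parameter. Either alone would have stopped this particular exploit; both are needed, because the second weakness is an IDOR that a valid token does not protect against.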