json-parameter-manipulation

2 articles
sort: new top best
clear filter
bug-bounty451 google354 xss338 microsoft283 facebook246 apple171 exploit163 rce160 malware102 account-takeover95 cve91 bragging-post86 csrf83 browser77 writeup75 privilege-escalation68 react60 authentication-bypass57 cloudflare54 dos53 node52 docker51 ssrf51 phishing50 aws48 access-control47 oauth45 smart-contract45 supply-chain44 ethereum43 defi42 web342 sql-injection41 lfi37 idor35 vulnerability-disclosure32 smart-contract-vulnerability32 clickjacking31 burp-suite31 info-disclosure31 race-condition31 web-application31 reverse-engineering31 wordpress30 input-validation30 web-security29 information-disclosure29 cloud29 reflected-xss29 solidity27
0 4/10
Two Factor Authentication Bypass $5
bug-bounty

Researcher bypassed two-factor authentication by removing the VerificationDetails JSON parameter from a settings API endpoint, allowing 2FA to be toggled on/off without providing a valid OTP code. The vulnerability exploited insufficient server-side validation of required fields.

two-factor-authentication-bypass json-parameter-manipulation authentication-bypass api-security input-validation bragging-post
Aung Pyae Ko Ko
aungpyaekoko.medium.com · kh4sh3i/bug-bounty-writeups · 19 hours ago · details
0 5/10
Full account takeover worth $1000 Think out of the box
bug-bounty

Researcher discovered full account takeover vulnerability by chaining a missing CSRF token validation on the password change endpoint with a hidden 'uid' parameter discovered via Param Miner, allowing password changes for any user without authentication, resulting in a $1000 bounty.

account-takeover csrf parameter-discovery password-change hidden-parameters json-parameter-manipulation bragging-post
Mohsin Khan Param Miner Burp Suite James Kettle
mokhansec.medium.com · kh4sh3i/bug-bounty-writeups · 19 hours ago · details