An IDOR vulnerability in Facebook Events allowed attackers to add any user—including non-friends and blocked contacts—as co-hosts to personal events by tampering with the co_hosts parameter in the event creation request. The vulnerability was patched by Facebook and rewarded $750 through their bug bounty program.
A bug bounty hunter documents two SQL injection vulnerabilities discovered in a private program, both protected by WAF (Web Application Firewall) that blocks requests randomly. The author develops Python scripts that exploit timing and retry logic to overcome WAF blocking mechanisms—one using repeated requests when WAF returns maintenance errors, and another using multiple retries to differentiate between WAF-generated and server-generated error responses.