A bug bounty hunter documents the discovery of a time-based blind SQL injection vulnerability in a sorting parameter, using MySQL version detection via comment syntax to narrow the payload scope and ultimately bypassing WAF filters with the payload (select*from(select(sleep(10)))a), earning a $3500 bounty.
Technical writeup on exploiting SQL injection in INSERT/UPDATE queries when commas are forbidden by application logic, using CASE WHEN statements with LIKE operators and CAST functions to perform time-based blind SQL injection without comma delimiters. Includes working payload and automated Python exploit script.
First valid reflected XSS vulnerability found via HTML comment injection by discovering that user-supplied URL paths were reflected in commented-out strings in page source, allowing script tag injection through comment closure payloads.
XSS vulnerability in a conference application (likely Zoom or similar) that chains to RCE via Node.js process execution in the native OS X client. The exploit uses String.fromCharCode to bypass quote filtering and jQuery's $.getScript() to fetch and execute remote code that spawns arbitrary processes.
A bug bounty hunter demonstrates chaining self-XSS to blind XSS in an admin panel via HTML entity encoding bypass, then discovers a reflected XSS on an undiscovered subdomain using KNOXSS payload analysis, earning $700 total. The writeup focuses on practical payload techniques and methodology rather than detailed technical analysis.