bug-bounty480
google298
xss277
microsoft249
facebook211
rce159
apple150
exploit136
bragging-post102
account-takeover98
malware94
csrf84
cve79
privilege-escalation74
authentication-bypass65
stored-xss65
writeup61
reflected-xss57
browser54
react53
ssrf51
phishing50
dos50
cloudflare49
input-validation49
access-control49
cross-site-scripting48
node46
aws46
sql-injection45
docker45
smart-contract45
ethereum44
defi43
web-security43
web-application42
supply-chain42
oauth41
web339
burp-suite36
vulnerability-disclosure34
lfi34
idor34
html-injection33
race-condition32
smart-contract-vulnerability32
reverse-engineering31
clickjacking31
information-disclosure30
csp-bypass30
0
7/10
Researcher demonstrates chaining missing rate limits with Math.random() predictability via race conditions to bypass 2FA OTP validation in a Node.js-based React-Native mobile application, combined with SQL injection in the OTP endpoint affecting multiple authentication flows.
math-random
pseudo-random
race-condition
2fa-bypass
otp-prediction
rate-limit
sql-injection
javascript
nodejs
react-native
asynchronous
turbo-intruder
burp-suite
mobile-security
concurrency-vulnerability
Yasser Mohammed
HackerOne
React-Native
Math.random()
Turbo Intruder
Burp Suite
OWASP