Let’s talk about Improper Resource Shutdown

The program does not release or incorrectly releases a resource before it is made available for re-use. The function fails to release a lock it acquires, which might lead to deadlock.

Source Code Analysis and API Keys Exploitations

I was getting lots of requests and messages on WhatsApp, LinkedIn and Twitter about source code analysis and exploitation of API keys. So I will share my approach and also some blogs and writeups which you can refer to for a clear understanding.

CloudSEK CTF Walkthrough (EWYL)

I am excited to share with you all (readers) how challenging and yet how amusing the CTF was. At a certain point I was wondering what I was doing wrong, but as they say, ‘No detail is too small.’ So here is my detailed CTF walkthrough of CloudSEK’s CTF EWYL Program.

Hacking the Medium partner program

Medium sent me something really exciting in the mail last week — a tax form, with my name on it, proving they'd paid me $1019 in 2017.

Sensitive data exposure with Nuclei: The new big gun with exploit bullets

Hey my hacker buddies! I hope you are enjoying the WFH (if you have it) / your bounty days! I have not been hunting a lot for a good couple of months and that’s the reason I was not active on Medium.

How I hacked redbus [An online bus-ticketing application]

[I drafted this writeup 2 years ago. As it took a long time for the patch, posting it now.] It was a usual fresh and sleepy Monday morning. I reached my desk and was checking mails.

How to spot and exploit postMessage vulnerabilities?

Hey fam, I hope everyone is doing okay and able to use this time efficiently for self-development and to self-reflect. This coronavirus pandemic has grown a bit tiring to be honest and gets the best of us.

A Short Story of IDOR To Account Takeover

I am Jeya Seelan, a security researcher and a bug hunter. This is my first bug bounty writeup. We are going to see a short story of IDOR and how I could have taken over your account through it.

Unhiding the hidden

This blog aims to help developers understand how attackers can take advantage of security misconfigurations to gain unauthorized access to restricted functionalities.

Second Order SQL Injection - Something Is Hidden Inside

Everyone knows what SQL Injection is, but just to give you a brief about SQL Injection, it is a code injection technique that might destroy your database. It usually occurs when you ask a user for input, like their username or userid, and instead of a name or id, the user gives you an SQL statement that you will unknowingly run on your database.

Mining the web: Redefining the art of hardcoded data finds

Hi all, assuming you guys are learning new things and improving yourselves. As we are all packed in our homes, it’s better to share some ideas with the community.

A picture that steals your data — A tale to IP Theft.

Hey folks, in this blog I’m going to share how I found a bug that steals your data with the help of a picture. Let's jump into it.

Stealing your data using XSS

Turned on machine, started active + passive discovery of domains and all in-scope assets of . Used many tools like Sublist3r, Amass, findomain, subfinder, etc.

Accessing the website directly through its IP address, a case

You may have heard the expression: hiding in plain sight. And specifically in IT security there is another expression: security through obscurity. This article will be about my experience with a bug where one could argue that it was a case of security through obscurity, but it could have been a coincidence. This will be a story of me stumbling onto SQL injection (a simple login bypass which logged me into the admin panel), but not in a usual way.

The Short tale of two bugs on Google Cloud Product

Here is my second write-up on my series of bugs found on Google Systems. If you haven’t checked my first write-up, check out below…

Upload to the future

A bit of an odd title, eh? Either way, this article will be about a very peculiar bug that I discovered somewhat recently, where it was possible to overwrite user’s/victim’s profile images.

From SQL Injection to Hall Of Fame

Google Dorking seems an often under-appreciated technique in a bug bounty hunter’s arsenal when assessing a target web application for…

Android Pentesting Lab

As a pentester, developing new skills in different areas is very important as you might miss something crucial from one approach. Android pentesting is one of them, but it requires a dedicated environment and I will explain how to set up an easy one.

Leaking AWS Metadata

Found the AWS Cognito API call for the GetCredentialsForIdentity through the profile picture upload feature of the application which leaks the AWS credentials in the response.

A Country Hijacking

Hello All, as you may already know, I’m a full-time bug bounty hunter and earlier this year I had signed a contract as an “Information Security Analyst” in one of the security services providers in our MENA region.