Summary IDOR stands for Insecure Direct Object Reference which is a vulnerability that falls under the broken access control category. In brief, this vulnerability arises when an application uses user-supplied input to access an object directly. …

Summary API misconfiguration refers to the improper or insecure setup of an application programming interface (API). This can include issues such as weak authentication, lack of input validation, or improper access controls. API misconfigurations can provide an attacker with unauthorized access to sensitive data or the ability to perform actions…

Summary : Account Takeover (ATO) is an attack using which an attacker cat take ownership of another person’s account. There are multiple ways for an account takeover attack, namely brute forcing credentials, credentials stuffing, response manipulation, password reset poisoning, social engineering and phishing, 2FA bypass attacks etc. Description : I…

Summary : Shodan is a search engine for Internet-connected devices. It is different from search engines like Google and Bing because Google and Bing are great for finding websites but Shodan helps in finding different things like popular versions of Microsoft IIS, control servers for Malware, how many host are…

Summary : HTTP Parameter Pollution (HPP) means to pollute the HTTP parameters of a web application for achieving a specific malicious task. It refers to manipulating how a website treats parameters it receives during HTTP requests. It changes a website’s behaviour from its intended one. …

Summary : In simple words Social Engineering is a manipulation technique that exploits human error to gain private information, access or valuables. Description : I found a simple social engineering vulnerability on YesWeHack few months ago where I was able to know the report update status of any user by…

Summary : Business logic errors will allow you to manipulate the business logic of an application. Sometimes business logic errors can have devastating effects on the applications. Business logic errors are difficult to find because they involve legitimate use of the application’s functionality. …

Summary : In brief, stored (persistent) cross-site scripting (XSS) happens when an attacker injects malicious code into the target application and this content is permanently stored. Later, when victims visit a page with the stored malicious code, their browsers execute this code. Description : Me and my friend ethicalbughunter were…

Summary : HTTP Parameter Pollution (HPP) means to pollute the HTTP parameters of a web application for achieving a specific malicious task. It refers to manipulating how a website treats parameters it receives during HTTP requests. It changes a website’s behaviour from its intended one. …