Gotator is a tool to generate DNS wordlists through permutations. - Josue87/gotator

Summary: I discovered a Cross-site Scripting (XSS) vulnerability in one of the acquisition sites of apple which is Filemaker.com

On January 26, @augustozanellato reported that while reviewing a public MacOS app, they found a valid GitHub Access Token belonging to a Shopify employee. This token had read and write access to...

It was found that the Shibboleth authentication module of Moodle suffers from a beautiful Remote Code Execution vulnerability from the unauthenticated perspective. This is widely used among universities to allow students from one university to authenticate…

As a part of our new VRP platform launch (bughunters.google.com) we are excited to announce that we will now have Bug Hunters swag available for special occassions. Stay tuned for more information on what those are & how you can get your hands on some....

DEPRECATED, please use the new repository from OWASP: https://github.com/OWASP/raider - GitHub - DigeeX/raider: DEPRECATED, please use the new repository from OWASP: https://github.com/OWASP/raider

In the name of Almighty, Allah, i begin. This write up is about how I found my first IDOR in HackerOne and got my first swag.

Learning machine authentication, finding a needle and gaining access to the Google Cloud project of Google Stadia.

Hello everyone, I hope you are well. In this article I will show you how I escalated XSS to Account Takeover. Since the target is private…

The issue is Insecure Direct Object with impact malicious user can expose or determine member on closed group. But the issue have limits…

'A while back, SecurityTrails announced that they would be running a contest dubbed 'Recon Master'. The aim of the game is to find hostnames that resolve to an IPv4 address that are not already found by SecurityTrails'

This finding was an another private bug bounty program. The scope of the target was a ticketing android app (Prod). This app was a major…

Talking of a bug I found a long time back which led to the bypassing of CSP in an electron app :)

Automation helps get easy $$$ rXSS

Mutations are `edit` or `create` queries used in Graphql. Gitlab prevents CSRF in this functionality by sending a POST request with a X-CSRF-Token header. The bug I found here was that, when we...

First to understand postMessage xss attack you need to understand this two things :

New web targets for the discerning hacker

Approaching a target from all angles

What is SAML? Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties.
Source: Wikipedia
SAML is often used for single-sign on (“Sign in with Google”, “Sign in with Twitter” etc.).…

Unpack the source code of React and other Webpacked Javascript apps!