A simple API test turned into a full dashboard failure in under few minutes. No exploits, no hacks , just a missing limit.

Three vulnerabilities, one target. From injecting malicious configs into Swagger UI to hijacking an abandoned subdomain and bypassing API auth with a single header — here's how I found them and why they matter.

Complete bug bounty guide for 2026: platforms that pay, real-world vulnerabilities, and the hacker mindset. Learn how to find critical bugs and get paid legally.

Comprehensive guide to GraphQL API hacking in Web2 applications. Learn endpoint discovery, query vulnerabilities, and essential testing tools for bug bounty hunting.

Changing one number in a URL shouldn't give you someone else's account—but it often does. Insecure Direct Object Reference (IDOR) remains one of the most critical yet overlooked web vulnerabilities, frequently leading to full account takeover with minimal effort.

A case study on how weak email validation and authentication flaws can lead to unexpected vulnerabilities in online platforms.

During testing, I discovered that the test environment's Swagger UI at https://[test-api-domain]/swagger/index.html is fully accessible to anyone on the internet without any authentication. This endpoint returns a complete OpenAPI/Swagger specification containing all API endpoints, request/response schemas, data models, and internal architecture details.

I found a bug that turns money into smoke. One line. No validation. Just subtraction. On some chains, every transfer would have vanished. Auditors missed it. I didn't. Here's how a i got my first Critical bounty.

A single missing validation check in the setTokenPrice(), function can permanently brick an entire TokenSwap contract. Once exploited, every single user fund becomes trapped forever. No recovery. No fix.