// writeups
Read the field
Daily bug-bounty TL;DRs and full disclosures, distilled to the core technique.
critical | Access Control | 4 min
IDOR to full account takeover via predictable UUIDv1
Time-based UUIDs leaked creation order; enumerating them exposed password-reset tokens for any user.
2026-06-12
high | SSRF | 6 min
Blind SSRF reaching cloud metadata through a PDF renderer
A server-side HTML-to-PDF feature followed redirects to 169.254.169.254 and embedded IAM creds in the output.
2026-06-11
high | XSS | 3 min
Stored XSS via Markdown image onerror in a comment field
The sanitizer allowed img tags but not their attributes — except onerror slipped through a parser quirk.
2026-06-10
critical | Authentication | 5 min
JWT alg confusion: forging tokens by switching RS256 to HS256
The public key, served at a well-known endpoint, was accepted as an HMAC secret when the alg header was changed.
2026-06-09