infosecwriteups.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.
Topic counts: SSRF (18), Bug Bounty (13), GraphQL (5), Recon (5), XSS (5), Burp (3), API Sec (2), AuthN (2), IDOR (2), RCE (2), AuthZ (1), Mobile (1), Secrets (1), SQLi (1), SSTI (1), XXE (1).
| Date Added | Resource | Tags | Excerpt |
|---|---|---|---|
| 2026-04-19 | The Art of Breaking OAuth: Real-World Exploits and Misuses | AuthN | |
| 2026-04-19 | Broken Access Control: The Quiet Killer in Web Applications | AuthZ | |
| 2026-04-16 | Deep Dive into SSTI: Finding and Exploiting Like a Pro | SSTI | |
| 2026-04-16 | Abusing GraphQL Introspection: A Gateway for Recon and Exploitation | GraphQL | |
| 2026-04-11 | What is BOLA? 3-digit bounty from Topcoder | API Sec | |
| 2026-04-10 | From SSRF to RCE: A 7-Step Chain Against PostHog | SSRF | |
| 2026-04-10 | GraphQL Security Flaws and Exploitation | GraphQL | |
| 2026-04-10 | From Recon to RCE: Hunting React2Shell (CVE-2025-55182) | RCE | |
| 2026-04-10 | Mastering Blind XSS: Real-World Techniques for High Bounties | XSS | |
| 2026-04-06 | GraphQL Security: How I Found and Exploited Critical IDOR and Authorization Bypass | GraphQL, IDOR | |
| 2026-04-06 | The Complete Beginner's Guide to Bug Bounty Reconnaissance | Recon | |
| 2026-04-06 | How Bug Bounty Hunters Are Using Claude Code | Bug Bounty | |
| 2026-04-06 | Bug Bounty Bootcamp #29: Boolean Blind SQL Injection Part 2 | SQLi | |
| 2026-04-03 | Comprehensive Bug Bounty Hunting Methodology (2024 Edition) | Bug Bounty | |
| 2026-04-03 | Hail Frida!! The Universal SSL Pinning Bypass for Android | Mobile | |
| 2026-03-02 | Breaking the Trust Boundary: SSRF via a Misconfigured Sentry Tunnel | Secrets, SSRF | |
| 2026-01-29 | How I Made Burp Suite My IDOR-Finding Robot Butler (And Found 20+ Bugs) 🤖🔍 | Bug Bounty, Burp, IDOR | Using Burp Suite to automate the discovery of Insecure Direct Object Reference (IDOR) vulnerabilities; the author reports finding more than 20 bugs this way and shares the workflow behind it. |
| 2026-01-22 | Recon to Master: The Complete Bug Bounty Checklist | Bug Bounty, Recon | Published by 𝙇𝙤𝙨𝙩𝙨𝙚𝙘 in InfoSec Write-ups. |
| 2026-01-22 | My 5-Minute Workflow to Find Bugs on Any Website | Bug Bounty, Recon | A step-by-step guide to my most effective shortcut methods for bug bounty hunting. |
| 2025-08-14 | HTTP-HOST HEADER ATTACKS | Bug Bounty | Hashar Mujahid on HTTP Host header attacks. |
| 2025-08-14 | How to discover up to 10,000 subdomains with your own tool (by _Y000_) | Bug Bounty | Building your own tool to enumerate up to 10,000 subdomains, with guidance on using it efficiently. |
| 2025-08-14 | Mastering the Realm of GraphQL Exploitation | GraphQL | Techniques for exploiting GraphQL APIs, including manipulating queries to gain unauthorized access or extract sensitive data. |
| 2025-08-14 | How I Found Multiple XSS Vulnerabilities Using Unknown Techniques | XSS | The author's process for discovering multiple XSS vulnerabilities with lesser-known techniques; the focus is on the discovery process rather than on specific findings. |
| 2025-08-14 | Mastering XSS: A Comprehensive Guide for Bug Bounty Hunters (by Security L) | XSS | A guide to Cross-Site Scripting (XSS) for bug bounty hunters: attack types, techniques, prevention methods and practical examples for finding and reporting XSS in web applications. |
| 2025-08-14 | https://infosecwriteups.com/bypassing-character-limit-xss-using-spanned-payload-7301ffac226e | XSS | Bypassing character limits on XSS payloads with a "spanned" payload: the payload is split into smaller pieces that each fit within the field limit, so a longer script can still be assembled and executed. |
| 2025-08-14 | Exploiting Non-Cloud SSRF for More Fun & Profit (by Basavaraj Banakar) | SSRF | Methods for exploiting SSRF where no cloud metadata endpoint is available, and the impact that can still be demonstrated outside cloud environments. |
| 2025-08-14 | Breaking Down SSRF on PDF Generation: A Pentesting Guide | SSRF | A pentesting guide to finding and exploiting SSRF in server-side PDF generation features. |
| 2025-08-14 | https://infosecwriteups.com/walkthrough-weather-app-hack-the-box-web-challenge-34b0c930dfca | SSRF | Step-by-step walkthrough of the Hack The Box web challenge "Weather App": reconnaissance, enumeration, and exploitation of the vulnerability to solve the challenge. |
| 2025-08-14 | https://infosecwriteups.com/multiple-http-redirects-to-bypass-ssrf-protections-45c894e5d41c | SSRF | Chaining several HTTP redirects so that a server which validates only the initially supplied URL ends up requesting internal resources; includes recommendations for defending against the technique. |
| 2025-08-14 | Beginner Guide To Exploit Server Side Request Forgery (SSRF) Vulnerability | SSRF | An introductory guide to identifying and exploiting SSRF, where the attacker makes the server issue requests on their behalf. |
| 2025-04-11 | Nmap for Beginners: Easy Tips to Scan Networks Like a Pro | Recon | So, think of this: one night when you are trying to sleep, you suddenly imagine what's happening on your network. What devices are connected? What services are they running? (Just 2 AM thoughts…) |
| 2025-04-10 | Best Browser Extensions for Bug Hunting and Cybersecurity | Bug Bounty, Burp | If you are getting into bug hunting or cybersecurity, the right tools can make a huge difference. Browser extensions help automate tasks, find hidden vulnerabilities and protect your privacy. Here is… |
| 2025-04-09 | Controlling XSS Using A Secure WebSocket CLI | XSS | When experimenting with Cross-Site Scripting (XSS), what's the quickest way to test multiple payloads efficiently? Not long ago, I set up an XSS server that serves remote payloads, which can easily… |
| 2025-01-30 | Advanced DNS Attacks: Poisoning and Exploitation | Recon | Understanding DNS vulnerabilities and practical techniques for exploitation and defense. |
| 2024-10-17 | Let's Understand SSRF vulnerability | SSRF | An introduction to SSRF: how an attacker gets the server to make requests on their behalf, and why that can lead to data exposure and unauthorized access to internal systems. |
| 2024-10-17 | 👩💻Roadmap to Cybersecurity in 2022, Full-Read SSRF, IDOR in GraphQL, GCP Pentesting, and much… | GraphQL, SSRF | A roundup covering a 2022 cybersecurity roadmap, full-read SSRF, IDOR in GraphQL, GCP pentesting and more; it also notes over $25 billion at risk from practical attacks on bridges. |
| 2024-10-17 | 👩💻 $600k Bounty, Jetty Features, Response Queue Poisoning, Bypass SSRF Protections, XSS… | Bug Bounty, SSRF | A roundup whose lead item is a $600K bounty awarded for a business logic flaw in smart contracts. |
| 2024-10-17 | Exploiting: SSRF For Admin Access | SSRF | Using SSRF to reach internal admin interfaces: by manipulating the URL the server fetches, the attacker gets the server to retrieve sensitive data from internal systems, up to admin-level access; also covers impact and mitigations. |
| 2024-10-17 | Server-Side Request Forgery — SSRF: Exploitation Technique | SSRF | SSRF exploitation: the server is induced to make unauthorized HTTP requests, leading to data exposure, unauthorized access and potential server compromise. Prevention: input validation, URL allowlists, and restricting what the server is allowed to reach. |
| 2024-10-17 | Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text | Bug Bounty, SSRF | The author and a friend earned about $2,500 from Cafebazaar for an SSRF in Zimbra that exposed all credentials in clear text. |
| 2024-10-17 | My First Bug: Blind SSRF Through Profile Picture Upload | Bug Bounty, SSRF | The author's first bug: a blind SSRF triggered through profile picture upload, with the steps taken to identify it and assess its impact. |
| 2024-10-17 | Server Side Request Forgery — SSRF | SSRF | Overview of SSRF as a web vulnerability: how a server is made to issue unauthorized requests, the resulting data-leak and access risks, and prevention through input validation and restricting access to sensitive resources. |
| 2024-10-17 | Vimeo SSRF with code execution potential. | RCE, SSRF | A semi-responded SSRF on Vimeo with potential for code execution, including how it was found and exploited. |
| 2024-10-17 | Server Side Request Forgery (SSRF) Testing | SSRF | SSRF testing done for fun rather than for a bounty: the author found a site vulnerable to SSRF but did not exploit it, focusing on how such issues are identified. |
| 2024-09-21 | XXE : From Zero to Hero | XXE | Hello fellow hackers, I hope you are all doing well and learning something new :). As I said in my recon blog, I will be writing about… |
| 2024-09-14 | Unlocking OAuth Security | API Sec, AuthN | In this blog, we will uncover the different OAuth security implications for both client applications and the OAuth server. |
| 2021-06-05 | Automating Burp Suite -4: Understanding And Customising Custom Header From | Burp | A Burp Suite extension written in Jython that adds custom headers to requests; the fourth tutorial in the series, with step-by-step implementation. |
| 2021-05-17 | How to discover up to 10,000 subdomains with your own tool (by _Y000_) | Bug Bounty | Building a bash tool to discover up to 10,000 subdomains, breaking the task into parts for easier understanding and implementation. |
| 2021-04-15 | Story of a really cool SSRF bug | SSRF | Vedant (Vegeta on Twitter), a bug bounty hunter, recounts discovering a significant SSRF bug. |
| 2021-04-10 | Intro to Bug Bounty Automation (pt.2): Port Scanning with Slack | Bug Bounty | Using Slack as the control channel for delegating tasks such as port scanning (Slack itself does not scan); part of a series on streamlining bug bounty automation. |
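The redirect-chain bypass summarized in the "Multiple HTTP redirects to bypass SSRF protections" entry, and the allowlist advice in the SSRF prevention entries, shown as an added example. This is not code from any of the linked write-ups: the hostnames, IP addresses, fake DNS table and canned HTTP responses are constructed so the script runs offline, and the two fetch functions are illustrative names, not an API from the articles. The vulnerable pattern validates the user-supplied URL once and then lets the HTTP client follow redirects; the hardened pattern re-runs the same policy check on every Location target before requesting it.

```python
"""Redirect-chain SSRF bypass and a per-hop fix (added illustration).

The "network" and "DNS" below are constructed in-memory tables standing in
for an HTTP client and a resolver, so the example runs offline.
"""
import ipaddress
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses: url -> (status, Location header for redirects, else body).
FAKE_RESPONSES = {
    "https://attacker.example/start": (302, "https://attacker.example/hop2"),
    "https://attacker.example/hop2": (302, "http://169.254.169.254/latest/meta-data/"),
    "http://169.254.169.254/latest/meta-data/": (200, "ami-id\ninstance-id\n"),
    "https://cdn.example/logo.png": (200, "<png bytes>"),
}

# Constructed DNS table; the addresses are made up for the example.
FAKE_DNS = {
    "attacker.example": "93.184.216.34",
    "cdn.example": "93.184.216.35",
    "169.254.169.254": "169.254.169.254",
}


def resolve(host):
    """Look up a host in the constructed DNS table (stand-in for getaddrinfo)."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise LookupError(f"no DNS entry for {host}") from None


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses (no RFC 1918,
    loopback, link-local such as 169.254.0.0/16, reserved or multicast)."""
    ip = ipaddress.ip_address(ip_text)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_reserved or ip.is_multicast or ip.is_unspecified
    )


def url_allowed(url):
    """Policy check: http(s) only, hostname present, resolves to a public IP."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return is_public_ip(resolve(parts.hostname))


def _follow(url, max_hops, check_each_hop):
    """Walk the redirect chain, optionally re-checking policy at every hop."""
    for _ in range(max_hops + 1):
        if check_each_hop and not url_allowed(url):
            raise PermissionError(f"blocked by SSRF policy: {url}")
        status, payload = FAKE_RESPONSES[url]
        if status in REDIRECT_CODES:
            url = payload  # the Location header becomes the next request
            continue
        return url, payload  # the URL actually fetched, and its body
    raise RuntimeError("too many redirects")


def fetch_validate_first_only(url, max_hops=5):
    """Vulnerable pattern: validate the user-supplied URL once, then let the
    client follow redirects. Only the first hop is ever checked."""
    if not url_allowed(url):
        raise PermissionError(f"blocked by SSRF policy: {url}")
    return _follow(url, max_hops, check_each_hop=False)


def fetch_validate_every_hop(url, max_hops=5):
    """Hardened pattern: automatic redirects are off and the policy check
    runs on every Location target before it is requested."""
    return _follow(url, max_hops, check_each_hop=True)


if __name__ == "__main__":
    print(fetch_validate_first_only("https://attacker.example/start"))
    try:
        fetch_validate_every_hop("https://attacker.example/start")
    except PermissionError as err:
        print(err)
```

Run as a script, the first call walks attacker.example → attacker.example → 169.254.169.254 and returns the metadata body, because the only check happened before the first request; the second call refuses the final hop. Two caveats the example does not cover: a real implementation should also connect to the IP it validated (pin the resolved address for the actual socket) so a DNS answer cannot change between check and connect, and where the set of legitimate destinations is known, an explicit host allowlist is stricter than the "any public IP" rule used here.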