Detailed technical writeups of vulnerabilities discovered during security research and bug bounty hunting.
Discovered blind SQL injection hidden in a filename through file upload, leveraged via second-order logic to escalate privileges to superadmin. Combined creativity, SQL trickery, and business logic abuse to achieve full compromise.
A forgotten developer header left active in production allowed global authentication bypass. Simply adding 'checkuserlogin: yes' to any request granted full SuperAdmin privileges and unrestricted PII access.
Credential leakage via a Base64 response and an unscoped admin token allowed OTP bypass, enumeration of numeric application IDs, and exfiltration of full loan/PII records. High impact with low effort required.
A single leaked Base64 credential chain led to full data exfiltration of loan records via misconfigured APIs and missing auth checks.
An OAuth misconfiguration allowed arbitrary identity linking and privilege escalation via unvalidated account association, enabling student-to-instructor takeovers.
Exploited a predictable remote registration endpoint with no rate limits or identity binding to stack free premium subscriptions — a business logic flaw with direct monetary impact.
A query parameter tweak (`searchMode=PROMODE`) unlocked full premium search functionality with no auth or role checks, revealing a classic backend authorization gap.