Pinned. Published in InfoSec Write-ups
Business logic: I can order anything from your account without paying for it
In this writeup, I will share my first finding of an application logic flaw, which I found in an e-commerce platform provider like Shopify.
Dec 25, 2024

Published in InfoSec Write-ups
Business Logic Flaws: A Bug Hunter's Handbook
Business logic flaws, also known as application logic flaws, occur when an application's legitimate functionality is misused in ways the…
Jun 7

Published in InfoSec Write-ups
Easiest Bug: Improper Token Invalidation
I wasn't hunting for anything fancy that day. Just poking around, checking how the password reset flow works on the target web app. The…
Jun 2

Published in OSINT Team
OSINT Writeups: MIST Cyber Drill 2025
Hi, I'm Gr3yG05T from team 4GUN7UK. Yea, 4GUN7UK, you are going to hear this name more often as I'm going to cover more CTF stories from…
May 12

Published in InfoSec Write-ups
How I was able to delete a production backend server in my first finding
Hello folks, in this article I will tell you about my journey of finding a CSRF and using that to delete a backend PHP server in my first…
Dec 30, 2024

Published in InfoSec Write-ups
Bug Chain: pre-auth takeover to permanent access
Grey here! In this blog, I'll share how I escalated a normal pre-authentication account takeover into a permanent access backdoor. Let's…
Dec 27, 2024

Published in InfoSec Write-ups
Logic Flaw: Using Invitation Function to Block Other Accounts
In this blog, I'm gonna tell you a story, a story about an application logic flaw that let me block new enrollments of the target…
Dec 27, 2024