If you’ve ever been on a website, you’ve probably come across OAuth at some point or another, even if you’ve never heard of it. Have you seen a “Sign in with Google” button? If so, you’ve come across OAuth! This article will discuss briefly what OAuth (specifically OAuth 2.0) is, and how it can be implemented incorrectly from a security perspective. Particularly, it will highlight many of the issues I’ve come across in implementations while bug bounty hunting.

“Quick” Primer

There are a couple different versions, as well as grant types to consider when we talk about OAuth. To read about these…


I mostly wanted to share this post not because it’s a novel and unique attack, but to show the thought process of attacking this particular functionality, and of understanding how the system works in order to identify what would and would not work. This post covers an SSRF (Server Side Request Forgery) bug that was really fun to discover and exploit. It took a lot of work to figure out and to finally exploit.

The endpoint was actually sent to me to poke at by a fellow bug hunter, Ibram (after we realized we were on the same program). It was our first…


Some of the most common questions out there in the industry are “what is your methodology?” or “how do you look for bugs?” This post will be an attempt to answer that from the point of view of an average and continuously learning bug hunter. This has certainly evolved over time, and will certainly continue to evolve. There are many great, existing resources on the subject, but this post will look to answer these questions in a bit of a different way. This will also hopefully be different in the sense that it’s not coming from someone who has been…


It’s no secret: bug bounty is not an easy field to jump into and be successful in. The top hunters likely have years of experience in not only bug hunting, but technology and security in general. The reality is that targets that have bug bounty programs are naturally going to be some of the most hardened targets out there, because there is an incentive for people to find bugs. For those of us who are relatively new, it’s easy to feel that there is no light at the end of the tunnel, and that our efforts are useless because the targets are too hardened. Since…


Critical Company Account Takeover CSRF

We’ve been spending some time on a new private program on HackerOne, focusing on an asset that allows businesses to have company accounts and invite different users to their company. They handle some fairly sensitive personal information on behalf of their users. We found a couple of medium severity bugs in the first 2 days, noted some areas to come back to, and noticed some other areas that could be easily escalated and exploited when finding an XSS. …


After starting bug hunting a little over 2 months ago, here is our first bug writeup, enjoy!

We’ve been hunting on a private program on HackerOne for a couple of weeks with a fair bit of success, but most findings have been medium-ish severity and nothing to write home about. One big thing we noticed is how devastating XSS vulns would be if targeted at admin users. This was because the invitation of new users, including admins, did not require any form of re-authentication or verification before doing so. We had already found quite a few stored XSS bugs, but didn’t really attempt any…

A Bug’z Life

Our blog for all things security and technology related. Everything from our journey along InfoSec career path, bug bounty write-ups and more interesting stuff.
