
Account Takeover Using CSRF (JSON-based)
I was hunting on a Bugcrowd private program. The program has 4 different kinds of roles, like Admin, H-User, L-User, and Guest. First I log in with the admin account and
XSS on Google Acquisition
So when I was trying to verify some Google acquisition website, I entered apigee.com, which provides API management, so as always I started my Burp Suite and I tried to
From P5 to P2, from nothing to 1000+$
So I’ve been hunting on this program for a week already and already reported all my findings, so I was struggling to find any more bugs.
Effortlessly finding Cross Site Script Inclusion (XSSI)