Bug Hunting Journal
Documentation of my journey in cybersecurity exploration and web application vulnerability discoveries
Ethics Warning
All these explorations are for ethical learning and part of the process of becoming a beginner bug bounty hunter. Testing is only done on systems that have a bug bounty program or with permission from the system owner. No illegal activities were carried out in this process.
SQL Injection
April 2025
Using crafted SQL queries to test for an injection vulnerability, then confirming it with sqlmap. Results indicated potential sensitive data extraction through improperly validated queries.
Predictive Hash on Password Reset URL
April 2025
Attempting to predict the hash used in password reset URLs by analyzing hash formation patterns from several URL samples. The patterns found showed that the hash could be predicted with a certain level of accuracy due to the lack of random elements in its formation.
CSRF Token Reuse on Student Portal
April 2025
Identifying that CSRF tokens were not regenerated on each request, allowing the same token to be reused for multiple operations. This creates a security vulnerability where attackers can use the same token to perform actions on behalf of authenticated users.
File Upload Bypass on Document System
April 2025
Testing file upload vulnerabilities with techniques such as modifying file extensions to ".pdf.php" and performing MIME spoofing. Successfully uploaded PHP files that the server could execute, because validation only checked the file extension and did not inspect the file's content.
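As an added example (not code from the original journal), here is a server-side upload validator in Python that would have refused the ".pdf.php" and MIME-spoofing uploads described above: it checks the whole base name, the declared MIME type and the file signature, then stores the file under a server-generated name. The allow-list, signatures and the validate_upload function are assumptions for illustration.

```python
import os
import re
import secrets

# Constructed allow-list: extension -> (accepted declared MIME types, valid leading magic bytes)
ALLOWED = {
    ".pdf": ({"application/pdf"}, (b"%PDF-",)),
    ".png": ({"image/png"}, (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
}
# The base name may contain no dots, so 'shell.php.pdf' and 'report.pdf.php' are both refused
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, declared_mime: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason_or_storage_name).

    Unlike an extension-only check, this verifies the whole name, the declared
    MIME type and the file signature, then assigns a random storage name.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} is not on the allow-list"
    if not SAFE_STEM.match(stem):
        return False, f"base name {stem!r} has a double extension or unsafe characters"
    mimes, magics = ALLOWED[ext]
    if declared_mime.lower() not in mimes:
        return False, f"declared MIME type {declared_mime!r} does not match {ext}"
    if not any(content.startswith(m) for m in magics):
        return False, "file signature does not match the declared type (MIME spoofing)"
    # Never keep the client's name: store under a random name with the verified extension,
    # in a directory the web server is configured not to execute scripts from.
    return True, secrets.token_hex(16) + ext
```

The signature check only inspects the leading bytes, so it should be combined with storing uploads outside the web root and serving them with a fixed Content-Type rather than relied on alone.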
Error Disclosure and Information Leakage
April 2024
Successfully capturing error and debug information from servers that provided clues about database structure and server configuration. This information could potentially be used to compose further attacks as it revealed file paths, software versions, and database structure.
If you have a bug bounty program and would like to collaborate, contact me.