| Report Title | Event ID | Severity | Vulnerability Type |
|---|---|---|---|
| IDOR on /api/qa.php | FirstBlood v1 | High | Insecure direct object reference |
| /attendees/event.php authorisation bypass using X-SITE-REQ: permitted | FirstBlood v1 | Critical | Information leak/disclosure |
| Invite Code Leaked on Reddit leading to broken Authorisation | FirstBlood v1 | High | Auth issues |
| Invite codes do not expire after use | FirstBlood v1 | High | Auth issues |
| IDOR on ma.php | FirstBlood v1 | High | Insecure direct object reference |
| IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel | FirstBlood v1 | High | Insecure direct object reference |
| Docauth cookie used to amend email - Additionally chained with Rpt 127 and 129 - This is the full report. | FirstBlood v1 | High | Insecure direct object reference |
| CWE-601 Open Redirect on GET /drpanel/logout.php via ref param | FirstBlood v1 | Low | Open Redirect |