Welcome to Disclosed.

Hey there! It’s been a super busy month as I dive headfirst into the new role at HackerOne and help support all of the Live Hacking Events going on. Currently in Amsterdam to support the next event, but taking a quick break to bring you guys the latest news. Lots of great stuff to cover. 

Let’s dive in.

In This Issue

How a "Fixed" IDOR and an Empty String Led to 5 Million+ File Leaks [📓 Blog]
By hacktus

This blog post analyzes an Insecure Direct Object Reference (IDOR) vulnerability in a financial application that resulted in the leak of over 5 million files. It details how a seemingly secure file ID was bypassed through API manipulation using empty strings, exposing sensitive data. The step-by-step exploitation process is outlined, emphasizing the importance of strong server-side access controls.
Read more →

HackerOne Launches An AI Report Assistant Agent [📓 Announcement]
by HackerOne

The Report Assistant from HackerOne helps you structure, refine, and speed up your submissions — ensuring no detail gets missed.

Bugcrowd Acquires Mayhem Security [📓 Announcement]
by Bugcrowd

Bugcrowd has acquired Mayhem Security to combine its global hacker community with Mayhem’s AI-driven offensive security platform, creating a unified, human-augmented AI system for continuous, proactive vulnerability detection and remediation.

OpenAI Launches Aardvark for Automated Vulnerability Discovery [🔗 Article]
by OpenAI

Aardvark, powered by GPT-5, acts as an autonomous security researcher that detects and remediates vulnerabilities across codebases — now available in private beta.
Explore →

Have something you want to Spotlight? Tell me.

Double Payouts on Valid Findings in Chime [🔗 Tweet]
by bugcrowd

Hackersgiving by Chime offers double payouts for valid findings from November 1 to December 3, 2025, incentivizing researchers to uncover vulnerabilities.
View the tweet →

A Tight Finish at Hacker Showdown [🔗 Tweet]
by @Bugcrowd
For the first time in Hacker Showdown history, the competition ends in a tie! Judges are recalculating impact scores to break the deadlock between One P1 and The Black Hat Cartel. The winner announcement has been postponed until Tuesday.
Explore →

HackerOne Heads to Amsterdam for H1-3120 | Community Day [🔗 Tweet]
by @Hacker0x01
HackerOne is hosting H1-3120 in Amsterdam — a free, full-day event packed with AI, social engineering, and protocol security sessions. Network with top researchers and the HackerOne team on November 6 at the Hyatt Regency.
Explore →

Upcoming Live Bug Bounty Event for Students [🔗 Tweet]
by YesWeHack ⠵

A Live Bug Bounty event will occur on November 7 for students from six schools, providing a unique opportunity to discover bugs on exclusive targets over a 9-hour period.
View the tweet →

MINDEF Launches New Bug Bounty Programme with YesWeHack [🔗 Tweet]
by YesWeHack ⠵

The Ministry of Defence has partnered with YesWeHack to launch a Bug Bounty Programme focused on enhancing cyber resilience and protecting critical digital infrastructure.
View the tweet →

Did I miss an important update? Tell me.

New Burp Suite Extension for Next.js Analysis [🔗 Tweet]
by payloadartist

This tweet introduces a new Burp Suite extension that facilitates the analysis of Next.js Server Actions, offering a fresh approach for vulnerability researchers.
View the tool →

Introducing OpenAPI Tester Plugin for Caido Store [🔗 Tweet]
by Caido

The 'OpenAPI Tester' plugin enables users to test API endpoints by simply importing OpenAPI specifications or Postman collections with one click.
View the tool →

Nuclei Template Generator for CVE and POC Analytics [📁 Tool]
by ethicxlhuman

A GitHub-hosted tool that generates Nuclei templates from CVE reports and POCs, enhancing vulnerability management effectiveness.
View the tool →

Introducing Samoscout: Advanced Subdomain Discovery Tool [🔗 Tweet]
by samet g.

Samoscout is an open-source tool combining various passive discovery methods with active enumeration for effective subdomain discovery, featuring an LLM for predicting undiscovered domains.
View the tool →

Have a favorite tool? Tell me.

RootSys | Next.js and the Mutated Middleware [📓 Blog]
by Dominik Prodinger

This post examines a critical Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-57822) in Next.js middleware that enables attackers to control HTTP requests and observe responses. It outlines the discovery process, exploit experimentation, and associated security impacts, including cache poisoning. The author stresses the importance of secure practices when using Next.js middleware.
Read more →

Vibecoding my way to a crit on Github [📓 Blog]
by Furbreeze

The author shares their experience of exploiting a dependency confusion vulnerability in GitHub, which led to remote code execution. The post covers methodologies used, including package file analysis with Burp Intruder and the creation of a Ruby gem payload for DNS exfiltration. The narrative includes the bounty payout process and critiques the GitHub security team's communication.
Read more →

How IDOR and Business Logic Flaw Exposed PII [📓 Blog]
by Parth Narula

This blog illustrates a critical IDOR vulnerability discovered during a penetration test, wherein manipulating the User ID in the URL allowed access to other users' email addresses post-OTP validation. It emphasizes that IDOR can exist beyond typical API endpoints and underlines the necessity of server-side authorization checks.
Read more →

Did I miss an important update? Tell me.

Financial Horror Hacks, Okta Takeover & Zero-Click IoT Exploit [▶️ Video]
by Critical Thinking Bug Bounty Podcast
Justin, Joseph, and Brandyn share spine-chilling stories of real-world hacks — from financial nightmares to IoT device takeovers — in this special spooky-season episode.
Watch now →

Automatically Color Code Requests in Burp with PwnFox [🔗 Tweet]
by Bugcrowd

This tweet showcases a technique for using PwnFox to color code requests in Burp Suite, enhancing the management of multiple accounts.
Watch Video →

New Video Tutorial on Broken Access Control Techniques [🔗 Tweet]
by zack0x01

A newly posted YouTube video highlights Broken Access Control techniques, made upon request from the bug bounty community.
Watch Video →

Automating Bug Bounty Tasks with n8n.io [🔗 Tweet]
by Nahamsec Ben Sadeghipour

This video provides a demonstration of using n8n.io to automate task management for bug bounty hunters.
Watch Video →

Understanding IDOR Exploitation Through Simple Changes [🔗 Tweet]
by YesWeHack ⠵

The video explains how minor changes to request parameters can reveal Insecure Direct Object Reference (IDOR) vulnerabilities.
Watch Video →

Did I miss something? Tell me.

Creating Custom Wordlists for Hidden Content Discovery [🔗 Tweet]
by Intigriti

The importance of custom wordlists in bug bounty hunting is highlighted, with a focus on naming conventions and keywords that can improve content discovery.
View the tweet →

The ultimate Bug Bounty guide to HTTP request smuggling | YesWeHack [📓 Blog]
by YesWeHack

This guide comprehensively explains HTTP request smuggling vulnerabilities, supported by attack scenarios and the differing ways servers handle requests. It provides practical examples for exploitation and security mitigation strategies.
Read more →

Understanding Cross-Site Scripting (XSS) for Beginners [🔗 Tweet]
by bugcrowd

This educational video discusses Cross-Site Scripting (XSS), a common web security vulnerability, providing insights into identification and significance for beginners.
View the tweet →

Syntax Confusion: Exploiting Ambiguous Parsing in the Wild [🔗 Article]
by @yeswehack
A practical deep dive into “syntax confusion” — techniques that exploit parser differences across headers, URLs, Unicode, file URIs, and more — with checklists, case studies, and mitigation tips.
Read more →

Comprehensive Guide on Reflected XSS Vulnerabilities [🔗 Tweet]
by Intigriti

This tweet refers readers to a detailed article on reflected XSS vulnerabilities, a prevalent web security threat.
View the tweet →

Essential Tips for Writing Effective Bug Reports [🔗 Tweet]
by bugcrowd

Key points for creating impactful bug reports are highlighted, emphasizing professionalism, clear reproduction steps, and avoiding exaggeration. A video link for further insights is included.
View the tweet →

Essential Checklist for Hacking JWT Keys [🔗 Tweet]
by Intigriti

A practical checklist for security researchers focused on exploiting JSON Web Token (JWT) keys is provided.
View the tweet →

Did I miss something? Tell me.

CORS Misconfiguration Exploitation Cheat Sheet Released [🔗 Tweet]
by Intigriti

This tweet presents a cheat sheet for testing CORS misconfigurations, aiding in determining the exploitability of vulnerabilities.
View the tweet →

Using Proxy Endpoints to Discover Microservice Paths [🔗 Tweet]
by Rikesh Baniya

This tweet discusses leveraging dot notation in proxy endpoints to trigger redirects, which can reveal underlying microservice API paths for improved mapping and fuzzing.
View the tweet →

Cursor's Built-In Browser Enables DOM XSS Discovery [🔗 Tweet]
by sw33tLie

The addition of a built-in browser in the Cursor tool enhances researchers' ability to detect DOM XSS and other client-side vulnerabilities.
View the tool →

Effective Payloads for Bypassing 403 Errors [🔗 Tweet]
by VIEH Group

This tweet shares effective payloads designed to bypass 403 Forbidden errors, providing a resource for vulnerability testing.
View the tweet →

Using Google Dorks to Find Internal Test Environments [🔗 Tweet]
by Yassin

This tweet reveals a Google Dork for exposing internal test environments in web applications, aiding in vulnerability discovery.
View the tweet →

Exploiting Cloudflare WAF for Reflected XSS [🔗 Tweet]
by VIEH Group

This tweet showcases a successful technique to exploit a Cloudflare WAF for reflected XSS by directly printing the URL within JavaScript.
View the tweet →

Manual Fuzzing Tips for ID Parameters in Hacking [🔗 Tweet]
by André Baptista

This tweet shares effective manual fuzzing techniques for ID parameters, encouraging testers to explore various inputs to unveil vulnerabilities.
View the tweet →

Successful Bypass of Azure WAF Using XSS Payload [🔗 Tweet]
by xss0r

This tweet discusses a successful method of bypassing the Azure Web Application Firewall (WAF) using a crafted XSS payload, illustrating a real-world exploitation scenario.
View the tweet →

Did I miss something? Tell me.

Did you like this week's drop?

Please share feedback.


Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.
