Collection of Good Articles

XSS

• https://santhosh-adiga-u.medium.com/xss-in-2025-the-payloads-that-still-work-3aa343e0b4f2
• https://youtu.be/CejJWjyokFA

Blind XSS

• https://infosecwriteups.com/unmasking-blind-xss-a-hackers-guide-to-high-paying-bounties-fc9e6ced5b0b

SQLI

• https://medium.com/@frostnull/sql-injection-through-user-agent-44a1150f6888

RCE

• https://www.vulnano.com/2025/09/remote-code-execution-though.html
• https://medium.com/@HX007/a-journey-of-limited-path-traversal-to-rce-with-40-000-bounty-fc63c89576ea

Account TakeOver (ATO)

• https://nullsecurityx.codes/0-click-account-takeover-using-punycode
• https://infosecwriteups.com/1000-bounty-account-takeover-via-host-header-injection-in-password-reset-flow-dc0cdb2d972b
• https://rocky1696.medium.com/account-takeover-via-csrf-in-google-oauth-binding-target-com-6ccc40403ce0
• https://medium.com/legionhunters/this-oauth-bug-earned-me-account-takeover-via-identity-injection-27774f65288c

Subdomain TakeOver

• https://freedium.cfd/https%3A%2F%2Fmedium.com%2Fdevelopersglobal%2Fsubdomain-takeover-levels-recursive-caf2046f4481

WAF

• https://blog.ethiack.com/blog/bypassing-wafs-for-fun-and-js-injection-with-parameter-pollution
• https://www.sysdig.com/blog/fuzzing-and-bypassing-the-aws-waf

PHP

• https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle

Third Party / Supply chain

• https://www.landh.tech/blog/20250610-netflix-vulnerability-dependency-confusion
• https://medium.com/@shehzadinfosec1337/software-supply-chain-attack-npm-dependency-confusion-b8c35daf0bad

2FA

• https://www.nccgroup.com/research-blog/testing-two-factor-authentication/

Web Cache Deception

• https://medium.com/legionhunters/just-one-click-to-leak-all-victim-information-54599e3b6268

API Hunt

• https://senukdias.medium.com/automate-the-api-hunt-api-reverse-engineering-%EF%B8%8F-6a8d724f6f7e

Race Conditions

• https://medium.com/@mahdisalhi0500/race-conditions-are-not-just-for-bypassing-plan-limits-1cd63aa0d6f7
• https://www.yeswehack.com/fr/learn-bug-bounty/ultimate-guide-race-condition-vulnerabilities

Cloud

• https://ice0.blog/docs/openfirebase

AI

• https://infosecwriteups.com/persistent-xss-vulnerability-on-microsoft-bings-video-indexing-system-a46db992ac7b
• https://www.linkedin.com/posts/adityasunny06_adityasunny06-cybersecurity-ethicalhacking-activity-7368124191847387136-1dK5
• https://blog.securitybreak.io/introducing-promptintel-1624d03045a3?gi=2bf7a33edc75

Emoji

• https://medium.com/@ankitrathva/emoji-reaction-to-vertical-privileges-escalation-f6824436910a

Subdomain

• https://medium.com/ai-apocalypse/how-to-use-gemini-as-a-scraper-51d2d56cb9e8
• https://medium.com/ai-apocalypse/window-object-subdomain-recon-tip-cf74d746ca59

MISC

• https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
• https://trufflesecurity.com/blog/postman-carries-lots-of-secrets
• https://sonarsource.github.io/mxss-cheatsheet/
• https://deepwiki.com/s0md3v/XSStrike
• https://blog.whiteflag.io/blog/browser-cache-smuggling/
• https://medium.com/geekculture/main-app-bug-bounty-methodology-v3-e6310e21b88e