HACKERBADGER

Breaking things. Writing it down.


Latest Research

Tanuki: IDOR to Account Takeover

2026.04.22
BugForge easy Authorization Bypass (IDOR)

Part 1: Pentest Report

#webapp #idor #broken-access-control #account-takeover #cwe-639 #bugforge

Cheesy Does It: Discount Code Stacking via Array Type Confusion

2026.04.21
BugForge easy Business Logic / Type Confusion

#business-logic #type-confusion #mass-assignment-blocked #bugforge

FurHire: Second-Order Blind Boolean SQLi + Role Self-Assignment

2026.04.19
BugForge medium Second-Order Blind Boolean SQL Injection

Part 1 — Pentest Report

#sqli #second-order-sqli #blind-boolean #sqlite #mass-assignment #role-escalation #bugforge #webapp

Cafe Club: UNION-based SQL Injection + Plaintext Password Storage

2026.04.19
BugForge easy UNION-based SQL Injection

Part 1 — Pentest Report

#sql-injection #union-based #sqlite #plaintext-passwords #cwe-89 #cwe-256 #bugforge

Gift Lab: Admin Bypass via Predictable adminAccessToken Cookie

2026.04.18
BugForge medium Broken Access Control

Overview Platform: BugForge Vulnerability: Admin authorization bypass via predictable adminAccessToken cookie Key Technique: Compared the cookie acros...

#broken-access-control #weak-randomness #cookie-prediction #admin-bypass #brute-force

Sokudo: GraphQL Authorization Bypass + Plaintext Password Exposure

2026.04.16
BugForge easy GraphQL Authorization Bypass

Part 1 — Pentest Report

#graphql #broken-access-control #authorization-bypass #plaintext-password #api-security #bugforge

Activity Log

[2026.04.22] New writeup published: Tanuki: IDOR to Account Takeover
[2026.04.21] New writeup published: Cheesy Does It: Discount Code Stacking via Array Type Confusion
[2026.04.19] New writeup published: FurHire: Second-Order Blind Boolean SQLi + Role Self-Assignment
[2026.04.19] New writeup published: Cafe Club: UNION-based SQL Injection + Plaintext Password Storage
[2026.04.18] New writeup published: Gift Lab: Admin Bypass via Predictable adminAccessToken Cookie

Toolkit

Caido Workbench v0.3.0
SQLi and JWT workbench plugin for Caido proxy.

Race v1.2.0
HTTP/2 single-packet race condition testing.

JWTForge v1.0.0
JWT creation, modification, and signing tool.

More Coming
Additional tools in development.