HACKERBADGER
Breaking things. Writing it down.
Latest Research
GalaxyDash: Server-Side Template Injection → Secret Disclosure
2026.06.19
BugForge
medium
Server-Side Template Injection (Context Traversal)
Part 1: Pentest Report
Ottergram: Broken Access Control on an Admin DELETE Verb
2026.06.18
BugForge
easy
Broken Access Control
Part 1: Pentest Report
Sokudo: GraphQL Authorization Bypass via Introspection-Off Field Suggestions
2026.06.17
BugForge
easy
GraphQL Authorization Bypass
Part 1: Pentest Report
FurHire: Client-Side Path Traversal to Account Takeover
2026.06.15
BugForge
hard
Client-Side Path Traversal to Account Takeover
Part 1: Pentest Report
CopyPasta: API Token Name Confusion to Cross-User Impersonation
2026.06.15
BugForge
easy
Token-Name Identity Confusion
Part 1: Pentest Report
CopyPasta: IDOR Snippet Delete (Broken Object-Level Authorization)
2026.06.12
BugForge
easy
IDOR / Broken Object-Level Authorization
Activity Log
[2026.06.19]
New writeup published: GalaxyDash: Server-Side Template Injection → Secret Disclosure
[2026.06.18]
New writeup published: Ottergram: Broken Access Control on an Admin DELETE Verb
[2026.06.17]
New writeup published: Sokudo: GraphQL Authorization Bypass via Introspection-Off Field Suggestions
[2026.06.15]
New writeup published: FurHire: Client-Side Path Traversal to Account Takeover
[2026.06.15]
New writeup published: CopyPasta: API Token Name Confusion to Cross-User Impersonation
Toolkit
v0.3.0
Caido Workbench
SQLi and JWT workbench plugin for Caido proxy.
v1.2.0
Race
HTTP/2 single-packet race condition testing.
v1.0.0
JWTForge
JWT creation, modification, and signing tool.
More Coming
Additional tools in development.