Hi Folks! Hope you are all doing well. It has been a long time since I did a write-up, so this write-up is all about my tweet: Exploiting/Chaining auto-save functionality to take over the victim's account. Make sure to follow @xSaadAhmed and @SecurityFoster for more upcoming amazing write-ups & tools.

Exploiting/Chaining auto-save functionality to take over the victim account.

So without wasting…


Hi Folks! Hope you are all doing well. I am back with another amazing way of bypassing a WAF that was blocking me from weaponizing an XSS. Without wasting any time, let's get started.

The XSS part is very simple: my input is reflected inside the HREF of an <a> tag, e.g…


Hello friends, this write-up is about how I bypassed the CORS validation. Let's assume the website name is redact.com. I simply logged into the website and checked for a CSRF attack, but there was a Current Password param, which means that, if I am able to bypass it, there is a CSRF protection. …


Hello friends, I hope you are all doing well. This write-up is all about how I chained two different vulnerabilities to update the victim's account details. Let's assume the website name is redacted.com.

So when I visited the profile page https://redacted.com/editinfo/ & tried to change the account details…


Hi guys, I hope you are all doing well. This write-up is all about an accidental IDOR that I found in a PRIVATE program, so let's assume the name is redacted.com.


Hi guys, I hope you are all fine. This POC is all about how I converted a Self XSS into an Evil XSS, so let's assume the site is PRIVATE.COM.

The first step is simply to sign up, log in to the account & start playing with the change-account-details functionality; after some time…


Hi guys, this write-up is all about a SQL injection that I found in a PRIVATE program running on Bugcrowd.

Let's assume the website name is subdomain.private.com/registro/login. When I visited the site I saw strange behavior: this was the admin panel & the website reloaded itself again & again, so…


Hello guys, I am back with another POC. Again, this bug I found in a PRIVATE program on Bugcrowd, so without wasting time, let's get started!

Let's assume the website is private.com. I created an account looking for a CSRF account takeover, but the website is secure & there is CSRF…


Hi guys, I am back with another POC that I found in a PRIVATE program on Bugcrowd; let's get started. So let's assume the SITE name is private.com. I was testing the main website and after crawling I came to know that the server is WINDOWS

I didn't find anything on…


Hi Guys,

After a long time I decided to share some of my findings & contribute to this awesome community. This write-up is all about an IDOR that I found in a PRIVATE program that I have been hunting on for the past 1 year.

Saad Ahmed
