Full-time web penetration tester, Part-time Bugcrowd junkie.

Joined May 2021
Good example of some of the fun ways you can hunt IDORs. I found two today where all I had to do was change a "10" to a "1000000" in the URL path and I got a million accounts back instead of Top 10. Whoops!
This is a very good resource (IDOR mindmap, covers more than 10 testcases): xmind.net/m/CSKSWZ/#
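The server side of the "10 to 1000000" bug above, as an added example rather than the author's code: a listing handler that trusts the client-supplied count beside one that caps it and scopes rows to the caller's tenant, plus a log check for oversized counts. The dataset, tenant names, 100-row policy and function names are all assumed.

```python
# Added example (not from the original tweets). Both handlers receive the
# raw count string a router pulled from the URL path or query string.
from urllib.parse import urlparse, parse_qs

MAX_PAGE_SIZE = 100  # assumed policy value
DEFAULT_PAGE_SIZE = 10

# Constructed sample data: (account_id, tenant_id), 1000 rows, two tenants
ACCOUNTS = [(i, "tenant-a" if i % 2 else "tenant-b") for i in range(1, 1001)]


def list_accounts_weak(limit_raw: str) -> list:
    """Weak: returns as many rows as the client asks for, across all tenants."""
    limit = int(limit_raw)
    return [acct for acct, _ in ACCOUNTS[:limit]]


def list_accounts_hardened(limit_raw: str, caller_tenant: str) -> list:
    """Hardened: parse defensively, clamp the page size, authorize every row."""
    try:
        limit = int(limit_raw)
    except (TypeError, ValueError):
        limit = DEFAULT_PAGE_SIZE
    limit = max(1, min(limit, MAX_PAGE_SIZE))  # cap regardless of input
    visible = [acct for acct, tenant in ACCOUNTS if tenant == caller_tenant]
    return visible[:limit]


def flag_oversized_limit(request_target: str) -> bool:
    """Detection aid: True when a logged request asks for more than policy allows."""
    qs = parse_qs(urlparse(request_target).query)
    try:
        return int(qs.get("limit", ["0"])[0]) > MAX_PAGE_SIZE
    except ValueError:
        return False
```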
I got flooded with questions recently. Common theme: how do I pick which program to hack at? I only pick programs which interest me, have a fast response time, pay well, that do not outlaw most vulnerabilities, and are simple to get started with. Slow response time is 💩
For those of you looking to get started in bug hunting, check out the Bugcrowd blog series where I share some tips and tricks to help you get going! Thanks @Bugcrowd for letting me share this information and making it easy for us to get the job done! bugcrowd.com/blog/zwinks-tip…
I get asked what tools I use to find bugs a lot. Answer: Windows 10 (I wouldn't lie), Firefox, Burpsuite Professional, Python if needed, and my brain. Best add-on for Burpsuite - "BurpJSLinkFinder". It parses all your JS looking for hidden hyperlinks as you visit pages.
When you are bounty hunting large programs, do not start with the front door (obvious stuff)! Santa Claus uses the chimney to break into people's houses. Look for chimneys in the applications you test (the less popular endpoints), and work backwards from there. Treasure hunt!!
$112K+ with a single program in < 6 months. I am posting this to encourage bug hunters to stay with one program longer and dive deeper, NOT to boast! I am blessed! Test manually, dive deeper! You can make tons of $$ bug hunting. Look for IDORs, easy $$ scanners miss. #bugcrowd
Nothing like finding 4 x P1s in just a few hours! A bot would not have found these, so remember bug hunters, test manually and read through code yourself looking for strange functions and URL calls, you may find buried treasure. They haven't automated the human brain. #bugcrowd