HACKERBADGER

HACKERBADGER

Breaking things. Writing it down.

HACKERBADGER
Visual_ID: HACKERBADGER

Latest Research

[RECORDS_FOUND: 51]

Cheesy Does It: Account Takeover via 4-Digit OTP Brute Force on Password Reset

2026.05.06
BugForge easy Password Reset OTP Brute Force

#bugforge #webapp #account-takeover #otp-brute #missing-rate-limit #password-reset #username-enumeration #cwe-307 #cwe-330 #cwe-204

DiceForge: User-Agent Paywall Bypass

2026.05.05
BugForge easy Broken Access Control via User-Agent Spoofing

Overview Platform: BugForge Vulnerability: Broken access control on POST /api/quantum. The premium roller endpoint is gated on a substring match against...

#bugforge #broken-access-control #paywall-bypass #user-agent-spoofing #webapp

Sokudo: Predictable Bearer Token + Timestamp Leak via Leaderboard

2026.05.02
BugForge medium Predictable Bearer Token + Sensitive Timestamp Disclosure

Part 1 — Pentest Report

#bugforge #webapp #broken-authentication #predictable-token #information-disclosure #cwe-330 #cwe-200

Tanuki: Mass Assignment via Registration Role Field

2026.04.29
BugForge easy Mass Assignment

Part 1: Pentest Report

#mass-assignment #broken-access-control #jwt #bugforge #webapp

Cheesy Does It: JWT HS256 Weak Secret to Admin Role Flip

2026.04.28
BugForge easy JWT Weak Secret / Role Flip

#jwt #hs256 #weak-secret #role-flip #hashcat #bugforge

DiceForge: OS Command Injection on POST /api/roll

2026.04.26
BugForge easy OS Command Injection

Part 1 - Pentest Report

#command-injection #rce #bugforge #webapp #express #node #json-body-injection
analytics

Activity Log

[2026.05.06] New writeup published: Cheesy Does It: Account Takeover via 4-Digit OTP Brute Force on Password Reset
[2026.05.05] New writeup published: DiceForge: User-Agent Paywall Bypass
[2026.05.02] New writeup published: Sokudo: Predictable Bearer Token + Timestamp Leak via Leaderboard
[2026.04.29] New writeup published: Tanuki: Mass Assignment via Registration Role Field
[2026.04.28] New writeup published: Cheesy Does It: JWT HS256 Weak Secret to Admin Role Flip
construction

Toolkit

web v0.3.0
Caido Workbench
SQLi and JWT workbench plugin for Caido proxy.
speed v1.2.0
Race
HTTP/2 single-packet race condition testing.
key v1.0.0
JWTForge
JWT creation, modification, and signing tool.
more_horiz
More Coming
Additional tools in development.