HACKERBADGER

Breaking things. Writing it down.


Latest Research

Galaxy Dash: Server-Side Prototype Pollution

2026.04.11
BugForge medium Prototype Pollution

Overview. Platform: BugForge. Vulnerability: Server-Side Prototype Pollution → Price Bypass. Key Technique: Exploiting vulnerable deep merge on organizat...

#prototype-pollution #nodejs #express #deep-merge #price-bypass #server-side

Gift List: OTP Recipient Manipulation → Admin Access

2026.04.09
BugForge easy Authentication Bypass

Overview. Platform: BugForge. Vulnerability: OTP Recipient Manipulation (Authentication Bypass) — admin login send-code endpoint accepts arbitrary usernam...

#otp-bypass #auth-bypass #parameter-manipulation #bugforge

Copypasta: UNION-Based SQL Injection

2026.04.08
BugForge easy SQL Injection

Overview. Platform: BugForge. Vulnerability: SQL Injection (UNION-based) — share_code path parameter concatenated directly into SQL query. Key Technique:...

#sqli #union-injection #sqlite #credential-extraction

Tanuki: JWT None-Algorithm Bypass

2026.04.07
BugForge easy Authentication Bypass

Overview. Platform: BugForge. Vulnerability: JWT None-Algorithm Bypass leading to admin privilege escalation. Key Technique: Forging an unsigned JWT with...

#JWT #none-algorithm #authentication-bypass #privilege-escalation

Cheesy Does It: Client-Side Price Tampering

2026.04.06
BugForge easy Client-Side Price Tampering

Overview. Platform: BugForge. Vulnerability: Client-Side Price Tampering — Server Trusts Client-Sent Prices. Key Technique: Modifying the amount, unit_pr...

#price-tampering #client-side-trust #api-security #e-commerce

Cafe Club: Business Logic — Till Payment Bypass

2026.04.06
BugForge easy Business Logic

Overview. Platform: BugForge. Vulnerability: Business Logic Flaw — Hidden Purchase Type Bypasses Payment. Key Technique: Fuzzing the checkout type parame...

#payment-bypass #API #parameter-fuzzing

Activity Log

[2026.04.11] New writeup published: Galaxy Dash: Server-Side Prototype Pollution
[2026.04.09] New writeup published: Gift List: OTP Recipient Manipulation → Admin Access
[2026.04.08] New writeup published: Copypasta: UNION-Based SQL Injection
[2026.04.07] New writeup published: Tanuki: JWT None-Algorithm Bypass
[2026.04.06] New writeup published: Cheesy Does It: Client-Side Price Tampering

Toolkit

Caido Workbench (v0.3.0)
SQLi and JWT workbench plugin for Caido proxy.

Race (v1.2.0)
HTTP/2 single-packet race condition testing.

JWTForge (v1.0.0)
JWT creation, modification, and signing tool.

More Coming
Additional tools in development.