HACKERBADGER

Breaking things. Writing it down.


Latest Research

FurHire: SSRF to Internal Reporting Endpoint

2026.05.09
BugForge medium Server-Side Request Forgery

#ssrf #bugforge #webapp #express #cwe-918 #owasp-a10

Tanuki: Arbitrary File Read via XXE on XML Deck Import (2026-05-08 rotation)

2026.05.08
BugForge easy XML External Entity (XXE)

#bugforge #webapp #xxe #file-upload #xml #multipart #parser-alive-probe #container-hint #cwe-611 #cwe-827

Copypasta: Predictable Session Token + Unverified Password Change

2026.05.08
BugForge easy Predictable Session Token + Unverified Password Change

Part 1: Pentest Report

#bugforge #predictable-session #session-token #cwe-330 #cwe-620 #account-takeover #unauthenticated

Cheesy Does It: Account Takeover via 4-Digit OTP Brute Force on Password Reset

2026.05.06
BugForge easy Password Reset OTP Brute Force

#bugforge #webapp #account-takeover #otp-brute #missing-rate-limit #password-reset #username-enumeration #cwe-307 #cwe-330 #cwe-204

DiceForge: User-Agent Paywall Bypass

2026.05.05
BugForge easy Broken Access Control via User-Agent Spoofing

Overview Platform: BugForge Vulnerability: Broken access control on POST /api/quantum. The premium roller endpoint is gated on a substring match against...

#bugforge #broken-access-control #paywall-bypass #user-agent-spoofing #webapp

Sokudo: Predictable Bearer Token + Timestamp Leak via Leaderboard

2026.05.02
BugForge medium Predictable Bearer Token + Sensitive Timestamp Disclosure

Part 1 — Pentest Report

#bugforge #webapp #broken-authentication #predictable-token #information-disclosure #cwe-330 #cwe-200

Activity Log

[2026.05.09] New writeup published: FurHire: SSRF to Internal Reporting Endpoint
[2026.05.08] New writeup published: Tanuki: Arbitrary File Read via XXE on XML Deck Import (2026-05-08 rotation)
[2026.05.08] New writeup published: Copypasta: Predictable Session Token + Unverified Password Change
[2026.05.06] New writeup published: Cheesy Does It: Account Takeover via 4-Digit OTP Brute Force on Password Reset
[2026.05.05] New writeup published: DiceForge: User-Agent Paywall Bypass

Toolkit

v0.3.0
Caido Workbench
SQLi and JWT workbench plugin for Caido proxy.
v1.2.0
Race
HTTP/2 single-packet race condition testing.
v1.0.0
JWTForge
JWT creation, modification, and signing tool.
More Coming
Additional tools in development.