Hola fellow researchers,

Myself, Rafi Ahamed. I am a Cyber Security Researcher from Bangladesh. I am currently doing my BBA at the University of Dhaka. But I do love nerdy stuff. Let’s not waste any time & get down to our topic.

What is CSRF?

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.

What is IDOR?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied…


Hello fellow researchers,

Myself, Rafi Ahamed. I am a Cyber Security Researcher from Bangladesh. I love to break security. Anyway, without further ado let’s get to today’s topic.

Before I start, I wanna thank Katie Paxton for her videos. I learned a lot about IDORs from her videos. I actually earned my whole year’s bounty target just from IDORs that I learned from her videos.

What is IDOR?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

What is an API?

API is the acronym for Application Programming Interface, which is a…


Hallo fellow researchers,

Myself, Rafi Ahamed. I am a Cyber Security Researcher from Bangladesh. I love to do things differently. Anyway, without further ado let’s get to today’s topic.

Today’s topic is all about exploitation of API endpoints using an AuthToken, not about finding one.

Many of us find AuthTokens in our recon process, but because we are not able to show any impact, this critical finding often gets rejected. I got rejected a few times myself.

What is an API?

API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other. …


Hola fellow researchers,

Myself, Rafi Ahamed. I am a Cyber Security Researcher from Bangladesh. I am currently doing my BBA at the University of Dhaka. But I do love nerdy stuff. Let’s not waste any time & get down to our topic.

First of all, don’t get confused with the title. By forcing I actually meant Forced Browsing.

What is Forced Browsing?

Forced browsing is an attack where the attacker aims to enumerate and access resources that are not referenced by the application, but are still accessible.

How did I find the bug?

Recently I was testing a private site in HackerOne and the site was selling educational videos. So…

Rafi Ahamed (Leonidas D. Ace)

Pentester/Bug Bounty Hunter & a typical Business Undergraduate. (https://www.facebook.com/rafiahamed.rupak.3)
