Google did an Oopsie: a simple IDOR worth $3,133.7

Writeup Bug Bounty Hacking Google

Sometimes the bounty is hidden in plain sight — a simple IDOR by changing the Google Drive file ID.

02 February 2025

The forgotten content : information disclosure and reflected XSS on Tokopedia

Writeup Bug Bounty Hacking

How I found a ‘should be deleted’ content that disclose some sensitive information and vulnerable to reflected XSS on Tokopedia’s website.

01 June 2020

The Unexpected Bounty: A Story of Zendesk Takeover on REDACTED.com

Writeup Bug Bounty Hacking

A good faith powered report of subdomain takeover that ends up with a bounty, even though the company itself doesn’t have a Bug Bounty Program.

25 January 2020

How i bought a subdomain of Tokopedia’s website (yeah you read it right)

Writeup Bug Bounty Hacking

A subdomain of tokopedia’s website is pointed to an expired Top-Level-Domain available to buy, so obviously I go ahead and buy it.

20 January 2020

How Inspect Element lead to Subfolder takeover and Stored XSS on Bukalapak’s website

Writeup Bug Bounty Hacking

A unique high severity misconfiguration I found on Bukalapak website that lead to Subfolder takeover and stored XSS, by only inspecting an HTML element on their webpage.

23 December 2019