top of page


Live BugBounty Hunt - May 2, 2026
Bug Hunting 5/2/2026 - LIVE We began with an overview of the importance of ethical bugbounty hunting, and the seriousness of staying in scope when bug hunting. We were hunting around the Intigriti RedBull client: https://app.intigriti.com/researcher/programs/redbull/redbull/detail. I personally like that target because there are close to 6k (yes, that’s six thousand!) URL’s within scope, and the target doesn’t require custom headers, etc. (I still mostly “announce” mysel
icanhaspii
May 24 min read


Bug Hunting New Tool 5/2/2026
Bug Hunting 5/2/2026 - New Tool for Hunting for Endpoints There is no shortage of tools for Security Researchers, I like free ones, but I do try to give back to the community as well, and I encourage you...if you find a tool that is useful to you, let the author know, even if you can’t donate, you can always send a kind thank-you note. OK, with that out of the way, there’s a wonderful tool that we can use to help us find endpoints on a target. I believe it was originally d
icanhaspii
May 22 min read


BugForge Write-Up 3/25/2026
BugForge Daily Challenge 3/25/2026 - Gift Lab Hint: Base64 is interesting. Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. Next , I created a new user account, and once logged in, the platform behaved a lot like a to-do list site: I poked around a bit, trying to see everything I could do with the app an
icanhaspii
Mar 253 min read


BugForge Write-Up 3/24/2026
BugForge Daily Challenge 3/24/2026 - CopyPasta HINT: Broken Access Control. Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. Following along with the video walkthrough from @PawPawHacks/Tom Fieber , he said that you will want to create two user accounts for this challe
icanhaspii
Mar 242 min read


BugForge Write-Up 3/22/2026
BugForge Daily Challenge 3/22/2026 - Cheesy Does It Hint: IDOR. Can you view things that don't belong to you? Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. The challenge hint stated this was an IDOR challenge and following along with the @PawPawHacks/Tom Fieber w
icanhaspii
Mar 222 min read


BugForge Write-Up 3/16/2026
BugForge Daily Challenge 3/16/2026 - Cheesy Does It Hint: Can you tamper with the price via the tip feature? Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Burp. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online pizza shop: Next, foll
icanhaspii
Mar 172 min read


BugForge Write-Up 3/14/2026
BugForge Daily Challenge 3/14/2026 - OtterGram Hint: GraphQL. Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 Also, my write-up is basically me just following along with the @PawPawHacks/Tom Fieber video walkthrough . I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account, and once logged in, the app appeared to behave a lot
icanhaspii
Mar 155 min read


BugForge Write-Up 3/13/2026
BugForge Daily Challenge 3/13/2026 - Gift Lab Hint: Can you craft a token? Author’s Note: I followed along with the @_shadowforge__ write-up to solve this one. It was a privilege to read a write-up from the author of the challenge themself! I will say, that even though I solved the challenge (which was a triumph I felt great about, because it was only due to what I’ve learned thus far doing these daily BugForge challenges), afterward I was feeling like I wasn’t 10
icanhaspii
Mar 144 min read


BugForge Write-Up 3/10/2026
BugForge Daily Challenge 3/10/2026 - Tanuki Hint: Mass assignment. Can you register as a user with more privileges? Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 Also, my write-up is basically me just following along with the @PawPawHacks/Tom Fieber video walkthrough . I found the following quote from him really helpful: >>This is a mass assignment lab, so basically what mass assignment means i
icanhaspii
Mar 102 min read


BugForge Write-Up 3/9/2026
BugForge Daily Challenge 3/9/2026 - Cheesy Does It Hint: Can [you] apply the discount multiple times? Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online pizza shop. Immediately upon
icanhaspii
Mar 93 min read


BugForge Write-Up 3/6/2026
BugForge Daily Challenge 3/6/2026 - Shady Oaks Financial Hint: JWT Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account and was taken to a Dashboard which mimicked a real online trading platform: Following along with the @PawPawHacks/Tom Fieber video walkthrough , over in
icanhaspii
Mar 75 min read


BugForge Write-Up 3/5/2026
BugForge Daily Challenge 3/5/2026 - Sokudo Hint: Broken access control. Are there API endpoints that the frontend isn't using? Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. Following along with the @PawPawHacks/Tom Fieber video walkthrough , I created a user account, an
icanhaspii
Mar 52 min read


BugForge Write-Up 3/4/2026
BugForge Daily Challenge 3/4/2026 - CopyPasta Hint: SQL Injection. Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account and was taken to an app that appeared to behave a lot like PasteBin, so I poked around a bit, trying to see everything I could do with the app and generatin
icanhaspii
Mar 52 min read


BugForge Write-Up 3/3/2026
BugForge Daily Challenge 3/3/2026 - Tanuki Hint: SSRF. Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online trivia/game platform: Next , following along w/ both the @_shado
icanhaspii
Mar 32 min read


BugForge Write-Up 3/2/2026
BugForge Daily Challenge 3/2/2026 - Cheesy Does It Hint: Broken Logic. Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account and was taken to an app that appeared to behave a lot like an online pizza shop. I then ordered and paid for a delivery of a pizza. Once the pizza arrived,
icanhaspii
Mar 31 min read


BugForge Write-Up 3/1/2026
BugForge Daily Challenge 3/1/2026 - CafeClub Hint: File Inclusion. Note: @PawPawHacks/Tom Fieber https://www.youtube.com/@pawpawhacks : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account and was taken to an app that appeared to behave a lot like an online store/coffee retailer
icanhaspii
Mar 12 min read


BugForge Write-Up 2/28/2026
BugForge Daily Challenge 2/28/2026 - OtterGram Hint: Can you edit comments? Note: @PawPawHacks/Tom Fieber: If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now. I created a user account, and once logged in, the app appeared to behave a lot like InstaGram. I could send messages, "like" messages, etc. so I po
icanhaspii
Feb 282 min read


BugForge Write-Up 2/22/2026
BugForge Daily Challenge 2/22/2026 - FurHire Hint: Your window is small, you might have to try multiple times. Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Burp. I checked to see if there was an admin login using the set/known creds, but there was not. Next, I created a Job Seeker account and was taken to an app that appeared to behave a lot like an online job search platform. Following along w/
icanhaspii
Feb 282 min read


BugForge Write-Up 2/26/2026
BugForge Daily Challenge 2/26/2026 - Sokudo Hint: Can you find API endpoints on a different path? Note: @PawPawHacks/Tom Fieber : If there is an admin account active for a lab, the credentials are admin:admin123 I launched Caido. I checked to see if there was an admin login using the set/known creds, but there was not. I created a user account, and once logged in, the app appeared to be an online platform to test your typing speed. I tried to do everything I could with the ap
icanhaspii
Feb 273 min read
bottom of page