Writeups & out-of-band techniques
Real reports and techniques for confirming blind vulnerabilities — SSRF, Blind XSS, SSTI, OAuth, log4j JNDI and more. Every one was proven with an actual callback.
How I Turned a Support Chatbot Into a P1 SSRF
Prompt injection in a SaaS support chatbot with LLM tool-use, confirmed via DNS callback. From recon to P1 report.
read writeup →
The Support Form. Nobody Tests It.
Blind XSS injected into a support ticket subject line. 4 hours later — XSS hit from the admin panel. Session cookie. P1.
read writeup →
Nobody Sanitizes the Filename
Stored XSS via filename injection in an upload form. The file was harmless. The filename wasn't. Admin cookie captured.
read writeup →
I Rated It P4. My Teammate Made It P1.
Open redirect chained with OAuth redirect_uri to steal access tokens. Same bug, different perspective, very different severity.
read writeup →
Blind SSTI → DNS Exfiltration
Server-Side Template Injection with no visible output. Confirm Jinja2, Freemarker and Velocity SSTI using a DNS callback.
read writeup →
Blind SSRF → Internal SMTP Relay Detection
Detect and prove a blind SSRF that triggers internal SMTP connections — a technique most hunters miss by only listening for HTTP.
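Added example, not code from the writeup or from this site: a minimal Python SMTP callback listener that speaks just enough of the protocol to make a blind-SSRF-triggered internal relay identify itself (source IP, EHLO/HELO name, MAIL FROM, RCPT TO) before refusing the message. The hostnames, port 2525 and the simulated relay in simulate_relay() are assumptions for illustration; run it as a script to listen, or drive start_background() from your own tooling.

```python
import socket
import socketserver
import threading


class SMTPCallbackHandler(socketserver.StreamRequestHandler):
    """Answer one SMTP session, recording who connected and what they tried to send.

    The goal is evidence, not delivery: we accept EHLO/MAIL/RCPT so the relay
    reveals its identity, then refuse DATA so no message body is ever accepted.
    """

    def handle(self):
        peer_ip = self.client_address[0]
        record = {"peer": peer_ip, "helo": None, "mail_from": None, "rcpt_to": []}
        # Register the record immediately so a half-finished session still leaves a trace.
        self.server.records.append(record)
        self.wfile.write(b"220 callback.example ESMTP ready\r\n")  # banner hostname is assumed
        while True:
            line = self.rfile.readline()
            if not line:  # client hung up
                break
            cmd = line.decode("utf-8", "replace").rstrip("\r\n")
            verb, _, arg = cmd.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                record["helo"] = arg  # the relay's self-reported name, often an internal FQDN
                self.wfile.write(b"250 callback.example\r\n")
            elif verb == "MAIL":
                record["mail_from"] = arg  # e.g. FROM:<noreply@internal-app>
                self.wfile.write(b"250 OK\r\n")
            elif verb == "RCPT":
                record["rcpt_to"].append(arg)
                self.wfile.write(b"250 OK\r\n")
            elif verb == "DATA":
                # Permanent failure: the relay gives up, and we never store a message body.
                self.wfile.write(b"554 Transaction failed\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class CallbackSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, SMTPCallbackHandler)
        self.records = []  # one dict per inbound connection


def start_background(host="0.0.0.0", port=2525):
    """Start the listener in a daemon thread and return the server (port 0 picks a free port)."""
    server = CallbackSMTPServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def simulate_relay(host, port, helo, mail_from, rcpt_to):
    """Act like an internal mail relay talking to the listener; returns the server's replies.

    Used here only to exercise the listener locally (constructed traffic, not a real target).
    """
    replies = []
    with socket.create_connection((host, port), timeout=5) as sock:
        reader = sock.makefile("rb")
        replies.append(reader.readline().decode().rstrip("\r\n"))  # 220 banner
        for cmd in (f"EHLO {helo}", f"MAIL FROM:{mail_from}", f"RCPT TO:{rcpt_to}", "DATA", "QUIT"):
            sock.sendall((cmd + "\r\n").encode())
            replies.append(reader.readline().decode().rstrip("\r\n"))
    return replies


if __name__ == "__main__":
    srv = start_background()
    print(f"listening on {srv.server_address}; point the SSRF at smtp://<this-host>:2525/")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        for r in srv.records:
            print(r)
```

The proof for the report is the record itself: a connection from the target's egress or internal relay IP whose EHLO names an internal host, arriving within seconds of the SSRF payload being sent. A DATA refusal with 554 keeps the test side-effect free.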
read writeup →
log4j JNDI in 2026 — Still There, Still Exploitable
Log4Shell was patched in 2021, yet JNDI injection still fires in 2026. Where to find it, and how to prove it safely with a DNS-only PoC.
read writeup →
Why Internal IPs Matter
A callback is not enough. Why callbacks from private ranges (10.x, 172.16.x, 192.168.x) can change the severity of an SSRF report.
read writeup →
Reading is recon. Catching is the bounty.
Spin up an HTTP, DNS, SMTP or Blind XSS listener and turn your next blind bug into a valid report.
⚡ get a hunting key — $5/mo