Explore tweets tagged as #csrf
@businessguy_1
Joe Skyler
23 days
If you vibe-code you need to learn at least basic security concepts. Here is a short list. Thread 🧵
1. Never hardcode your API in code; use .env
1. XSS attacks
2. CSRF
3. RLS policies
4. SQL Injections
5. Authentication
6. Understand server side vs client side
More. Let's dive.
@Ali_4fg
A L I
1 month
New Blog Post! Still think CSRF is dead in 2025? Think again. I just published a write-up with real-world CSRF findings, from GET requests to tricks with application/json and text/plain. 🔗 Read it here: #BugBounty #WebSecurity #CSRF
@rikeshbaniya
Rikesh Baniya
9 days
Yay, I was awarded X0,000$ from Meta // CSRF to change account privacy. #bugbounty
@YShahinzadeh
YS
28 days
95% of self-XSS vulns are exploitable. In cases of OAuth or a page containing sensitive information + login/logout CSRF -> ATO or info leak. I’ve previously tweeted a white box challenge based on a real-world example, you can practice with it :]
@_xploiterr
xploiterr
11 days
Check the source code for hidden endpoints. Found an admin endpoint to delete users in the source code, used a normal user's cookies and CSRF token and was able to delete any account on the platform. #bugbountytips @Hacker0x01
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
1 month
CSRF → Command Execution in MCP
@4xlr8fv
Vesânico 🇧🇷🇹🇹
2 months
@centralreality Damn. They did no sanitization or validation on the backend, didn't give a crap about HTTPS transport, screw the CSRF token and anti-XSS measures, zero masking of sensitive data. Anyone who wants to do some scraping is in paradise lol
@Cyber_indaboski
Cyber indaboski
23 days
I’m currently learning CSRF. What vulnerability are you working on?
@JuhiKarn37667
juhi karn
2 days
Day 49/60 – #60DaysOfLearning2025
📩 Built a working Contact Us page in Django.
🔐 Added CSRF protection & POST form submission.
🎨 Clean UI with Bootstrap form & hero image.
#Django #Bootstrap #WebDevelopment #100DaysOfCode #AI4ALL @lftechnology
@christine_12_me
Christine
3 days
CSRF cookie not set for the millionth time
@NullSecurityX
NullSecX
1 month
🧠 CSRF on Email Change → Account Hijack
1️⃣ No CSRF token on email change request.
2️⃣ Attacker tricks victim into visiting crafted page.
3️⃣ Hidden form submits: email=attacker@evil.com
4️⃣ Victim’s account email updated silently.
🎯 Attacker can reset password & TO.
#bugbounty #csrf
@MisaghMomeniB
Misagh Momeni Bashusqeh
13 days
Pick a programming language with a future. Learn data structures and algorithms well. Understand OOP concepts and modular design thoroughly. Master at least one database completely. Study CSRF and SQL Injection in full and apply what you learn. Definitely learn Docker.
@MrGolden_1
M.Ali
14 days
backend to backend:
@watchtowrcyber
watchTowr
10 days
well, here's CVE-2025-6771 - a post-auth (admin only, exploitable via CSRF) RCE in Ivanti EPMM that we found while analysing CVE-2025-4427 and CVE-2025-4428.
@Doyensec
Doyensec
8 days
🚨Security Advisories🚨: multiple vulnerabilities in Retool (@retool), including host header injection and CSRF, discovered by Doyensec and the Robinhood (@RobinhoodApp) Red team! #doyensec #appsec #security #retool #robinhood
@Dghost_Ninja
iPsalmy👻🥷🏽
4 days
First bug on YesWeHack.
Total time spent on target: 20hrs.
Bug found: x2 CSRF (still trying to maximize impact of the second).
Status: RTFS ❌.
We keep pushing. Better days 💪🏽🔥
@TheSecMaster1
TheSecMaster
1 month
CSRF Bug Hunt On a Vulnerable Website
@Cyber_indaboski
Cyber indaboski
25 days
Today, I learned about CSRF. The lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but the tokens aren’t integrated into the site’s session handling system. @ireteeh @40sp3 @RedHatPentester @Dghost_Ninja @elormkdaniel @h4ruk7
@h4nsmach1ne
Mateo Hanžek
2 days
Sharing a mini technique, useful to increase chances of scoring a successful CSRF attack in JSON endpoints, such as GraphQL or REST APIs. Enjoy!
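Two tweets in this feed point at CSRF against JSON APIs (A L I's write-up on application/json and text/plain tricks, and the mini technique above for GraphQL and REST endpoints). The block below is an added example, not code from either author: it reproduces how a cross-site form with `enctype="text/plain"` yields a body that a lenient endpoint will parse as JSON, and a server-side check that refuses it. The endpoint path, field names and the allowed origin are assumptions.

```javascript
// Added example: text/plain form bodies that parse as JSON, and the check that blocks them.
// Endpoint path, field names and the allowed origin are assumptions.

// How a browser serialises an enctype="text/plain" form: "name=value" per field, CRLF-terminated.
function encodeTextPlainForm(fields) {
  return fields.map(([name, value]) => `${name}=${value}`).join('\r\n') + '\r\n';
}

// Constructed attacker page. The field NAME carries the JSON prefix and the VALUE closes
// the object, so the "=" the browser inserts lands inside a throwaway "pad" string.
function buildAttackerForm(action, newEmail) {
  const name = `{"email":"${newEmail}","pad":"`;
  const value = '"}';
  const html =
    `<form id="f" action="${action}" method="POST" enctype="text/plain">` +
    `<input name='${name}' value='${value}'></form>` +
    `<script>document.getElementById("f").submit()</script>`;
  return { html, body: encodeTextPlainForm([[name, value]]) };
}

function lowerHeaders(req) {
  return Object.fromEntries(Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Vulnerable pattern: JSON.parse the raw body whatever the Content-Type says.
function parseBodyLeniently(req) {
  try { return JSON.parse(req.body); } catch (e) { return null; }
}

const ALLOWED_ORIGINS = new Set(['https://app.example']); // assumption

// Hardened: exact media type plus an Origin allowlist. A plain HTML form cannot send
// application/json at all, and a cross-site fetch() that sets it needs a CORS preflight;
// the Origin check still rejects such a fetch even if CORS were misconfigured.
function acceptJsonRequest(req) {
  const h = lowerHeaders(req);
  const mediaType = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') return { ok: false, reason: 'content-type' };
  if (!ALLOWED_ORIGINS.has(h['origin'])) return { ok: false, reason: 'origin' };
  try { return { ok: true, json: JSON.parse(req.body) }; }
  catch (e) { return { ok: false, reason: 'body' }; }
}

function demo() {
  const forged = buildAttackerForm('https://app.example/api/account/email', 'attacker@evil.com');
  // Constructed requests as the server would see them.
  const crossSiteForm = {
    headers: { 'Content-Type': 'text/plain', Origin: 'https://evil.example' },
    body: forged.body,
  };
  const crossSiteFetch = {
    headers: { 'Content-Type': 'application/json', Origin: 'https://evil.example' },
    body: JSON.stringify({ email: 'attacker@evil.com' }),
  };
  const sameOrigin = {
    headers: { 'Content-Type': 'application/json; charset=utf-8', Origin: 'https://app.example' },
    body: JSON.stringify({ email: 'new@example.com' }),
  };
  return {
    forgedBody: forged.body,
    lenientParsed: parseBodyLeniently(crossSiteForm),        // { email: 'attacker@evil.com', pad: '=' }
    formRejected: acceptJsonRequest(crossSiteForm).reason,   // 'content-type'
    fetchRejected: acceptJsonRequest(crossSiteFetch).reason, // 'origin'
    legit: acceptJsonRequest(sameOrigin),                    // ok: true
  };
}
```

The media-type comparison strips parameters such as `charset` before comparing, so legitimate clients are not broken, while the prefix/suffix trick that works against a lenient parser never reaches `JSON.parse`.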
@NullSecurityX
NullSecX
29 days
🧠 OAuth ‘state’ CSRF → Account Takeover
1️⃣ App uses OAuth (e.g. Google login).
2️⃣ state param missing or predictable.
3️⃣ Attacker initiates OAuth flow, gets valid code.
4️⃣ Sends victim to callback with attacker’s code.
🎯 Victim’s session linked to attacker’s account.
#bugbounty