Drvirus1911

Business Logic Flaws Writeups

May 16th, 2020
  1. https://0xsha.io/posts/hunting-for-bounties-antihackme-case-study
  2. https://blog.securitybreached.org/2020/01/22/user-account-takeover-via-signup-feature-bug-bounty-poc/
  3. https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/
  4. https://chainlover.blogspot.com/2018/11/love-story-of-account-takeover-chaining.html
  5. https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
  6. https://ls-la.fyi/2018/09/28/subway-xposed/
  7. https://medium.com/@04sabsas/bugbounty-writeup-creative-thinking-is-our-everything-race-condition-business-logic-error-2f3e82b9aa17
  8. https://medium.com/@adeshkolte/cross-site-request-forgery-vulnerability-leads-to-user-profile-change-in-microsoft-express-logic-dc3481ab47ba
  9. https://medium.com/@adnanmalikinfo110/i-want-that-cookie-8d2daab242ac
  10. https://medium.com/@aneeskhan/paypals-security-check-bypassed-6a5a0cfcd816
  11. https://medium.com/@ashokcpg/non-technical-write-up-on-my-second-bounty-of-1-000-from-facebook-74daecd6879b
  12. https://medium.com/@ashokcpg/the-story-of-my-first-ever-1500-bounty-from-facebook-49eb64d26160
  13. https://medium.com/@fortmay/design-flaws-scenario-one-and-fix-eb40de912038
  14. https://medium.com/@godofdarkness.msf/account-takeover-flow-in-mail-ru-s-ext-a-domain-150-8952e8078211
  15. https://medium.com/@gopalsingh/bypassing-how-i-hacked-googles-bug-tracking-system-itself-for-15-600-in-bounties-16134466ab15
  16. https://medium.com/@jbgrunewald/how-i-made-7500-from-my-first-bug-bounty-found-on-google-cloud-platform-1a5415d7569b
  17. https://medium.com/@jeppe.b.weikop/2fa-bypass-via-logical-rate-limiting-bypass-25ae2a4e1835
  18. https://medium.com/@kishorehariram/account-taken-over-in-style-8a547342a5ad
  19. https://medium.com/@lukeberner/how-i-abused-2fa-to-maintain-persistence-after-a-password-change-google-microsoft-instagram-7e3f455b71a1
  20. https://medium.com/@manas_hunter/weak-session-validation-bug-let-you-login-even-after-changing-the-session-ids-and-logging-out-from-4bb3ee29a598
  21. https://medium.com/@maxpasqua/chaining-two-vulnerabilities-to-break-facebook-appointment-times-for-the-second-time-ac639f8c8773
  22. https://medium.com/@maxpasqua/unremovable-tags-in-facebook-page-reviews-656e095e69aa
  23. https://medium.com/@milanmagyar/ggvulnz-how-i-hacked-hundreds-of-companies-through-google-groups-b69c658c8924
  24. https://medium.com/@naufalseptiadi/live-video-facebook-application-android-its-not-expired-when-log-out-the-device-on-4d4e0b67b362
  25. https://medium.com/@notsoshant/a-possibility-of-account-takeover-in-medium-8d950e547639
  26. https://medium.com/@pratheesh.p.narayanan/bypassing-scratch-cards-on-google-pay-8915d5423385
  27. https://medium.com/@pratheesh.p.narayanan/misconfiguration-whatsapp-messenger-1f0f1cf3ef00
  28. https://medium.com/@raushanraj_65039/adding-a-malicious-notebook-to-be-treated-like-a-trusted-notebook-in-google-colab-1337-b84353a9f77
  29. https://medium.com/@renwa/facebook-messenger-disclosing-deleted-messages-that-has-been-deleted-by-remove-for-everyone-1fb5a52cc7df
  30. https://medium.com/@ritishkumarsingh/facebook-vulnerability-hidden-community-manager-in-pages-due-to-invitation-accept-logic-61ddbe229c97
  31. https://medium.com/@ritishkumarsingh/facebook-vulnerability-hiding-from-the-view-of-business-admin-in-the-business-manager-a04515fee9dd
  32. https://medium.com/@ritishkumarsingh/facebook-vulnerability-non-unfriendable-user-in-hacked-workflow-5a3b392a2a98
  33. https://medium.com/@ritishkumarsingh/facebook-vulnerability-unremovable-co-host-in-facebook-group-events-13a9ea28b302
  34. https://medium.com/@ritishkumarsingh/facebook-vulnerability-unremovable-co-host-in-facebook-page-events-695729d6a09d
  35. https://medium.com/@ritishkumarsingh/facebook-vulnerability-unremovable-facebook-group-admin-2cbf4faf55c1
  36. https://medium.com/@ritishkumarsingh/https-medium-com-ritishkumarsingh-facebook-vulnerability-hiding-from-facebook-page-admin-in-hacked-workflow-86f366f183c6
  37. https://medium.com/@rohitcoder/business-user-employees-can-add-edit-change-or-apply-block-list-to-a-business-account-7b3e8aae667e
  38. https://medium.com/@rohitcoder/bypassing-fix-of-domain-blocking-feature-in-business-manager-41949a18460c
  39. https://medium.com/@rohitcoder/email-id-phone-number-can-be-exposed-through-business-manager-e79b970ea288
  40. https://medium.com/@sandeepkumarsingh1902/bugbounty-adding-money-using-response-modification-334448d34251
  41. https://medium.com/@saugatpokharel/cannot-delete-post-on-facebook-group-facebook-bug-bounty-4f2661655c3a
  42. https://medium.com/@saugatpokharel/this-is-how-i-managed-to-win-2000-through-facebook-bug-bounty-a7d531d5097e
  43. https://medium.com/@shahjerry33/business-logic-errors-a-new-look-3b18d9c2a12f
  44. https://medium.com/@sivakrishnasamireddi/just-another-tale-of-severe-bugs-on-a-private-program-405870b03532
  45. https://medium.com/@spade.com/how-i-registered-multiple-accounts-in-privateinternetaccess-vpn-service-for-free-a2068642f418
  46. https://medium.com/bugbountywriteup/blocked-user-can-send-notification-due-to-logical-bug-in-instagram-first-instagram-bug-2bd09aa52f14
  47. https://medium.com/bugbountywriteup/bypassing-instagrams-stories-restriction-5936f8a4f079
  48. https://medium.com/bugbountywriteup/bypassing-the-fix-of-my-previous-instagram-bug-49ece4ea7e1d
  49. https://medium.com/bugbountywriteup/exploiting-an-unknown-vulnerability-a752272ffd7f
  50. https://medium.com/bugbountywriteup/google-maps-api-not-the-key-bugs-that-i-found-over-the-years-781840fc82aa
  51. https://medium.com/bugbountywriteup/how-i-am-able-to-hijack-you-1cab793a01d1
  52. https://medium.com/bugbountywriteup/make-any-unit-in-facebook-groups-undeletable-efb68e26adb9
  53. https://medium.com/bugbountywriteup/vulnerable-design-leads-to-personal-data-leakage-yet-another-case-of-an-inter-application-8a9d7e2d0f1a
  54. https://medium.com/ctf-writeups/breaking-the-competition-bug-bounty-write-up-ca7cb7bc53f5
  55. https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2
  56. https://medium.com/japzdivino/bypass-hackerone-2fa-requirement-and-reporter-blacklist-46d7959f1ee5
  57. https://medium.com/japzdivino/harvesting-all-private-invites-using-leave-program-fast-tracked-invitation-and-security-email-a01c8b3ce76f
  58. https://medium.com/japzdivino/security-teams-internal-attachments-can-be-exported-via-export-as-zip-feature-on-hackerone-35ca6ec2bf8b
  59. https://medium.com/nassec-cybersecurity-writeups/page-admin-disclosure-facebook-bug-bounty-2020-8a45cf911e24
  60. https://medium.com/nassec-cybersecurity-writeups/this-is-how-i-got-xxxx-from-facebook-for-instagram-bug-aaff50342246
  61. https://noobe.io/articles/2020-01/how-i-found-bug-google-search-console
  62. https://obsidianterminal.blogspot.com/2019/03/a-simple-account-takeover-misusing-jwt.html
  63. https://philippeharewood.com/facebook-business-takeover/
  64. https://philippeharewood.com/generate-valid-signatures-for-fbcdn-urls/
  65. https://posts.specterops.io/abusing-slack-for-offensive-operations-2343237b9282
  66. https://pratikyadav0.blogspot.com/2018/10/hello-everyone-took-some-time-from-my.html
  67. https://rpadovani.com/facebook-responsible-disclosure
  68. https://s1gnalcha0s.github.io/logic/2020/02/17/Google-Fiber.html
  69. https://smaranchand.com.np/2019/05/how-i-acquired-xxx-bounty-by-investing-99-cents/
  70. https://websecblog.com/vulns/bypassing-firebase-authorization-to-create-custom-goo-gl-subdomains/
  71. https://whitehatfamilyguy.blogspot.com/2018/12/able-to-access-facebook-group-plan-even.html
  72. https://wongmjane.com/post/pilot-info-fb-group-support/
  73. https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html
  74. https://www.martinvigo.com/googlemeetroulette/
  75. https://www.rodneybeede.com/security/slack-announcement-only-channel-post-restriction-bypass.html
  76. https://www.symbo1.com/articles/2019/01/25/fb-change-product-availability-as-pageanalyst.html
  77. https://www.tomanthony.co.uk/blog/xss-attacks-googlebot-index-manipulation/
  78. https://ysamm.com/?p=404
  79. https://ysamm.com/?p=50
  80. https://ysamm.com/?p=68