AI 资讯
Using AI to find authorization bugs — and to prove the ones that aren't real
Using AI to find authorization bugs — and to prove the ones that aren't real Draft flagship post. Safe to publish now (no undisclosed vulnerabilities). The production case study referenced at the end is withheld pending coordinated disclosure. In 2026, bug bounty programs started closing their doors. Nextcloud suspended paid rewards, citing a flood of AI-generated, low-quality reports. Mattermost ended its program. The Internet Bug Bounty cut payouts by roughly 80%. The common thread isn't that AI can't find bugs — it's that most AI-assisted "findings" are plausible but wrong , and triage teams are drowning in them. That reframes the problem. The scarce skill in 2026 isn't generating candidate vulnerabilities — a language model will hand you fifty before lunch. It's refuting the forty-nine that don't hold . The differentiator is a method whose primary output is correct negatives . Here's the method I use for source-available targets, and a worked example where the honest result was "there's no bug here." The method: fan out to find, converge to refute Two stages, two different cost tiers: Fan-out (cheap models). Split the target's authorization surface into subsystems and read each in parallel. Each reader's only job is to surface candidate broken invariants — places where an object is loaded by ID without an owner check, where a protected action might skip a re-auth gate, where two code paths authorize the same thing differently. Optimize for recall. Expect mostly false positives. Adversarial verification (an expensive, high-reasoning model). Take each candidate and try to kill it. Default to REFUTED. A candidate survives only if you can cite the specific source lines proving the guard is absent and the dangerous path is reachable and nothing upstream already blocks it. Frame every survivor as a broken invariant — a one-sentence statement of the rule the system must never violate — and classify it as core versus config-dependent. The output that matters most is the
AI 资讯
I Built a Freelance Alternative Where Anyone Can Claim Your Bounty
How I Built a Real-Time Bounty Marketplace with Supabase and 14-Layer Edge Security I wanted to build a platform where anyone can post a task (a "bounty"), set a reward, and have people complete it with verifiable proof. Think freelance work, but optimized for quick, composable task completion — with proof submission as the core trust mechanism. The result is BountyClaimer — a real-time marketplace running on Supabase + Vercel with a security system baked into Edge middleware and scattered across every layer of the stack. 🛠️ The Tech Stack Frontend: React + Vite + TypeScript Backend: Supabase (PostgreSQL, Realtime, Storage, Auth) Payments: Stripe Hosting: Vercel (Edge Middleware) Security: Custom "Armadillo" system (14 layers) Architecture Pattern: Phoenix Architecture for real-time state consistency 🔄 The Core Workflow Post — A user posts a bounty with a reward and description Claim — Others browse and claim available bounties Submit — The claimer completes the work and submits proof (images, video, audio, text, files) Settle — The bounty owner reviews and approves — funds are released Sync — Real-time updates keep both sides in sync instantly The hardest parts were real-time state sync across multiple users , anti-abuse without hurting legitimate users , and security at the edge . 🏛️ The Phoenix Architecture One pattern I'm particularly proud of is what I call the Phoenix Architecture — a real-time state management approach that ensures every client sees the same truth without polling. The core idea: instead of each client fetching data and hoping it's current, database changes (bounty status updates, proof submissions, claim state transitions) are broadcast out via Supabase Realtime. Every connected client receives the same event stream and updates locally. // The Phoenix pattern — subscribe to changes once, // update locally from the event stream const channel = supabase . channel ( `entity- ${ id } ` ) . on ( ' postgres_changes ' , { event : ' * ' , schema : '
AI 资讯
IDOR BugBounty Labs: 5 Realistic Challenges to Master Insecure Direct Object Reference
An intentionally vulnerable e-commerce platform that teaches you to find, exploit, and understand IDOR vulnerabilities — the way they actually appear in the wild. Let's talk about the most deceptively simple vulnerability in web security: IDOR . On paper, it sounds trivial — change a number in the URL, access someone else's data, collect your bounty. But anyone who's spent real time hunting knows the truth: IDORs in production applications are rarely that obvious. They hide in request bodies, lurk inside multi-step workflows, and disguise themselves behind modern frontend frameworks that abstract away the very IDs you're supposed to manipulate. That gap — between textbook IDOR and real-world IDOR — is exactly where IDOR BugBounty Labs lives. What Is IDOR BugBounty Labs? It's an open-source, Node.js/Express e-commerce application built with one purpose: to give you a realistic playground for practicing IDOR attacks. Not simulated. Not theoretical. Intentionally vulnerable, locally hosted, and designed to mirror the complexity of actual Bug Bounty targets. Built with Express and TailwindCSS, it simulates a functioning online store — complete with user accounts, orders, addresses, support tickets, notification settings, and a checkout flow. Every feature contains at least one authorization flaw waiting to be exploited. Why This Lab Is Different Most IDOR labs give you one obvious URL parameter to change and call it a day. This one doesn't. IDOR BugBounty Labs includes: 5 distinct challenges ranging from easy to hard 3 different IDOR types: URL parameters, request bodies, and hidden body parameters Both read and write IDORs — accessing data and modifying it Multi-step business logic that mimics real e-commerce flows A flag submission system so you can verify your findings The challenges don't just teach you to change an ID. They teach you to think about where IDs live, how they're passed, and what happens when authorization checks are missing. The 5 Challenges 1. Read O
AI 资讯
How AI Hunts Vulnerabilities: A Security Researcher's New Partner
The Transition A few years ago, bug hunting was a manual craft. You scanned subdomains with one tool, tested endpoints with another, and stitched results together by hand. Today, AI changes the speed entirely. Not by replacing the hunter. By eliminating the boring parts. What AI Actually Changes 1. Reconnaissance at Scale Subdomain enumeration, port scanning, and technology fingerprinting used to take hours. AI-powered pipelines now do this in minutes: Passive reconnaissance via Certificate Transparency logs, search engines, and DNS records Automated crawling and endpoint discovery Technology stack detection from response headers and HTML patterns JavaScript file analysis for hidden endpoints and API keys The machine does the grunt work. The human interprets the results. 2. Pattern Recognition Vulnerability classes have signatures. SQL injection looks different from XSS, which looks different from SSRF. AI models trained on thousands of real vulnerabilities can flag suspicious patterns faster than manual code review. This is not about finding zero-days. It is about catching the low-hanging fruit that everyone else misses because they are in a hurry. 3. Intelligent Fuzzing Traditional fuzzers throw random data at endpoints and wait for crashes. AI-guided fuzzers understand the input format and generate test cases that explore edge cases a human would not think of. The result: fewer requests, better coverage, higher signal-to-noise ratio. Where AI Struggles Business Logic Flaws AI does not understand your application's purpose. It cannot tell if a discount code is applied twice, or if a user can access another user's private data through a convoluted API flow. These are the vulnerabilities that require context. Human context. Authentication Logic Authentication bypasses are often creative. They exploit the gap between what the developer intended and what the code actually enforces. AI can find simple auth flaws, but multi-step authentication bypass chains still need h
AI 资讯
Raising the bar: Quality, shared responsibility, and the future of GitHub’s bug bounty program
We're updating our bug bounty program standards to prioritize quality submissions, clarify shared responsibility boundaries, and evolve how we reward low-risk findings. The post Raising the bar: Quality, shared responsibility, and the future of GitHub’s bug bounty program appeared first on The GitHub Blog .