Posts

Showing posts from August, 2023

SOME BUGS

It's been a while since I wrote anything related to bug bounty or hacking. In that time I have had some interesting and bad experiences with bug bounty programs, from fast responses to scam external programs. I won't be naming/shaming the programs, but soon I will put up a comprehensive list of scam programs to avoid. Let's talk about some of the bugs:

1. Authentication bypass via path normalization

I was hunting on some matchmaking/dating site. After finding subdomains via crt.sh and fuzzing the subdomains with a wordlist, I found a login page: min.site.com

I started to fuzz for files with ffuf with a custom wordlist. With no result, I looked for SQLi but found none. I tried response manipulation. Again failed.

I was about to give up, then I clicked on a PNG file. I deleted the pic.png and got a 403 error. Using the script https://github.com/iamj0ker/bypass-403 on it, I could list images on the server! https://login.site.com/images//

I tried https://login.site.com// also https://...