Welcome to Medusa's Blog! :tada: on Medusa0xf

Welcome to Medusa's Blog! :tada: on Medusa0xf https://medusa0xf.com/ Recent content in Welcome to Medusa's Blog! :tada: on Medusa0xf Hugo -- gohugo.io en © 2026 Medusa0xf Tue, 17 Mar 2026 21:53:25 +0100 MCP Servers Explained: The New AI Attack Surface https://medusa0xf.com/posts/mcp-servers-explained/ Tue, 17 Mar 2026 21:53:25 +0100 https://medusa0xf.com/posts/mcp-servers-explained/ MCP Servers Explained: The New AI Attack Surface # What is MCP? IDOR Leads to Unauthorized Deletion: How I Earned $500 in Bug Bounty https://medusa0xf.com/posts/idor-leads-to-unauthorized-deletion-how-i-earned-500-in-bug-bounty/ Sat, 08 Nov 2025 11:55:35 +0100 https://medusa0xf.com/posts/idor-leads-to-unauthorized-deletion-how-i-earned-500-in-bug-bounty/ During bug hunting, I discovered an IDOR vulnerability that allowed unauthorized deletion of resources across accounts within the same tenant. How I Found an Account Takeover Bug in the Forgot Password Flow https://medusa0xf.com/posts/how-i-found-an-account-takeover-bug-in-the-forgot-password-flow/ Tue, 23 Sep 2025 21:55:35 +0100 https://medusa0xf.com/posts/how-i-found-an-account-takeover-bug-in-the-forgot-password-flow/ While I was hunting on a target, I came across an acquisition related to it, so I decided to look around the new domain. How I Found a $3000 IDOR Vulnerability in a Delivery App https://medusa0xf.com/posts/how-i-found-a-3000-idor-vulnerability-in-a-delivery-app/ Sat, 13 Sep 2025 20:57:35 +0100 https://medusa0xf.com/posts/how-i-found-a-3000-idor-vulnerability-in-a-delivery-app/ Recently, I was hunting on a target that I can’t disclose because of its responsible disclosure program, even though it’s public. Bypassing Rate Limit in GraphQL https://medusa0xf.com/posts/bypassing-rate-limit-in-graphql/ Thu, 05 Dec 2024 19:43:35 +0100 https://medusa0xf.com/posts/bypassing-rate-limit-in-graphql/ What is GraphQL? Exploiting DOM for Open Redirect Attacks https://medusa0xf.com/posts/exploiting-dom-for-open-redirect-attacks/ Fri, 22 Nov 2024 22:30:35 +0100 https://medusa0xf.com/posts/exploiting-dom-for-open-redirect-attacks/ What is Open Redirect Vulnerability? Exploiting insecure output handling in LLMs https://medusa0xf.com/posts/exploiting-insecure-output-handling-in-llms/ Sun, 21 Jul 2024 12:42:00 +0100 https://medusa0xf.com/posts/exploiting-insecure-output-handling-in-llms/ Introduction # In the previous blog, I discussed indirect prompt injection and its potential applications. Indirect prompt injection https://medusa0xf.com/posts/indirect-prompt-injection/ Sun, 14 Jul 2024 12:04:37 +0100 https://medusa0xf.com/posts/indirect-prompt-injection/ Learn about the risks and techniques of indirect prompt injection in Large Language Models (LLMs). Privacy Policy for medusa0xf https://medusa0xf.com/policy/ Mon, 08 Jul 2024 21:34:37 +0100 https://medusa0xf.com/policy/ Last updated: July 08, 2024 Exploiting vulnerabilities in LLM APIs https://medusa0xf.com/posts/exploiting-vulnerabilities-in-llm-apis/ Sat, 29 Jun 2024 22:34:07 +0100 https://medusa0xf.com/posts/exploiting-vulnerabilities-in-llm-apis/ What is OS command injection? Exploiting LLM APIs with excessive agency https://medusa0xf.com/posts/exploiting-llm-apis-with-excessive-agency/ Sat, 22 Jun 2024 23:04:07 +0100 https://medusa0xf.com/posts/exploiting-llm-apis-with-excessive-agency/ What is Excessive Agency in LLM API? What is LLM APIs and how they work? https://medusa0xf.com/posts/what-is-llm-apis-and-how-they-work/ Tue, 18 Jun 2024 15:04:37 +0100 https://medusa0xf.com/posts/what-is-llm-apis-and-how-they-work/ What is an LLM API? HTTP Parameter Pollution vs Mass Assignment https://medusa0xf.com/posts/http-parameter-pollution-vs-mass-assignment/ Tue, 04 Jun 2024 22:20:35 +0100 https://medusa0xf.com/posts/http-parameter-pollution-vs-mass-assignment/ In this blog, we are going to see the difference between HTTP parameter pollution and mass assignment. Understanding and Testing Authentication methods in REST API https://medusa0xf.com/posts/testing-auth-methods-in-rest-api/ Thu, 09 May 2024 21:21:37 +0100 https://medusa0xf.com/posts/testing-auth-methods-in-rest-api/ What is Authentication? API Basics: A Hacker's Starter Guide https://medusa0xf.com/posts/api-basics-hsg/ Thu, 21 Mar 2024 21:42:37 +0100 https://medusa0xf.com/posts/api-basics-hsg/ What is an API? Exploiting SQL Injection in Graphql | DVGA | https://medusa0xf.com/posts/sqli-in-graphql-dvga/ Sun, 17 Mar 2024 21:39:37 +0100 https://medusa0xf.com/posts/sqli-in-graphql-dvga/ This article covers exploiting SQL Injection manually in a Graphql Application. How to Discover API Subdomains? | API Hacking | https://medusa0xf.com/posts/api-subdomains/ Tue, 12 Mar 2024 22:05:37 +0100 https://medusa0xf.com/posts/api-subdomains/ How to Discover API Subdomains? Server Side Parameter Pollution in Rest API path parameter https://medusa0xf.com/posts/server-side-parameter-pollution/ Mon, 04 Mar 2024 11:50:00 +0001 https://medusa0xf.com/posts/server-side-parameter-pollution/ What is Server Side Parameter Pollution? How to Perform CSRF Attack in GraphQL https://medusa0xf.com/posts/csrf-in-graphql/ Tue, 16 Jan 2024 22:05:37 +0100 https://medusa0xf.com/posts/csrf-in-graphql/ What is a CSRF Attack? Broken Object Level Authorization Vs. Broken Functionality Level Authorization | API Hacking https://medusa0xf.com/posts/api-broken-auth/ Mon, 13 Jun 2022 20:55:37 +0100 https://medusa0xf.com/posts/api-broken-auth/ In this blog, we will explore two significant security vulnerabilities: Broken Object Level Authorization (BOLA) and Broken Functionality Level Authorization (BFLA) in APIs. API https://medusa0xf.com/topics/api/ Mon, 01 Jan 0001 00:00:00 +0000 https://medusa0xf.com/topics/api/ Web https://medusa0xf.com/topics/web/ Mon, 01 Jan 0001 00:00:00 +0000 https://medusa0xf.com/topics/web/