Bug Bounty & Security Research

Software Engineering @ McMaster · Bug Bounty Hunter since 2021 · Web & Mobile Security Researcher

Writeups on XSS, IDOR, auth bypasses, privilege escalation, and more.

A Post Title That Took Over Your Account

A post title got reflected into a script tag, which gave me stored XSS. From there I pulled the victim’s session token from an API endpoint and reset their password without the old one. One click, full account takeover.

June 22, 2026 · 4 min · Youssef Elsayyad

Unauthenticated DB Access and Account Takeover via a Leaked Staging Domain

A hostname referenced inside a production JavaScript bundle pointed at a staging environment where every /api/admin/* route was reachable without authentication, including one that returned a password reset link for any user ID.

May 9, 2026 · 5 min · Youssef Elsayyad

Forcefully Joining Private Servers via Shared Invite ID Namespace

How I discovered that a staging environment shared its invite ID namespace with production, allowing an attacker to generate invite codes on staging and use them to forcefully join random private servers on production — including invite-only ones.

April 17, 2026 · 5 min · Youssef Elsayyad

Hello World — Why I Started This Blog

Introducing my security research blog — what to expect and why I’m writing.

April 17, 2026 · 1 min · Youssef Elsayyad