Hey, I'm Prayers. I'm a 21-year-old security researcher. I've been awarded multiple rewards and appreciation letters in bug bounties for securing critical infrastructure and the open web.
I specialize in identifying critical failures in large-scale systems. Here are some of my most significant disclosures.
0-Click Account Takeover via Punycode Email Manipulation in Password Reset Function
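The bug class behind this title is a normalization mismatch in the reset handler: the account is looked up with an aggressively normalized copy of the submitted address, but the token is mailed to the address exactly as typed. A Unicode domain that folds to the victim's domain is still, after IDNA/Punycode encoding, a different registrable name that the attacker controls. The Python below is an added illustration of that pattern and of a hardened lookup; it is not code from the disclosure or from the affected vendor. The user table, the dotless-i domain, and the function names are constructed for this example, and the specific weak normalization used by the real target is not stated on this page.

```python
"""Password-reset lookup: the normalization mismatch behind Punycode/Unicode
account-takeover bugs, beside a hardened version.
Added illustration; USERS, the addresses and the function names are
constructed for this example."""
import unicodedata

# Constructed account store; keys are the addresses as stored at signup.
USERS = {"victim@intranet.example": {"id": 1}}


def weak_reset_target(submitted):
    """Vulnerable pattern (assumed for illustration): the lookup key is
    NFKC-normalized and round-tripped through upper()/lower(), but the token
    is mailed to the string the requester submitted."""
    key = unicodedata.normalize("NFKC", submitted).upper().lower()
    user = USERS.get(key)
    if user is None:
        return None
    return user["id"], submitted  # token goes to the submitted address


def mailer_delivery_domain(domain):
    """What an SMTP relay actually resolves: the IDNA (Punycode) form of a
    Unicode domain. 'ıntranet.example' (dotless i, U+0131) is a different
    registrable name from 'intranet.example'."""
    return domain.encode("idna").decode("ascii")


def canonical_address(submitted):
    """Canonicalize the address the same way the mailer will interpret it,
    so the stored key and the delivery address can never diverge."""
    local, sep, domain = submitted.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed address")
    if not local.isascii():
        raise ValueError("non-ASCII local part rejected")
    return f"{local.lower()}@{mailer_delivery_domain(domain).lower()}"


def safe_reset_target(submitted):
    """Hardened flow: look up by the canonical form and mail only the stored
    address, never the submitted string."""
    try:
        key = canonical_address(submitted)
    except (ValueError, UnicodeError):
        return None
    user = USERS.get(key)
    if user is None:
        return None
    return user["id"], key


if __name__ == "__main__":
    attacker_input = "victim@\u0131ntranet.example"  # dotless i, U+0131
    # Weak flow: matches the victim, mails the token to the attacker's domain.
    print("weak:", weak_reset_target(attacker_input))
    # Hardened flow: the Punycode form is not the stored key, so no match.
    print("safe:", safe_reset_target(attacker_input))
    print("mail lands at:", mailer_delivery_domain("\u0131ntranet.example"))
```

The upper()/lower() round trip is what turns U+0131 into an ASCII "i"; NFKC alone would not, and other code points fail in the same way under other normalizations, which is why the fix is structural (send only to the stored, canonical address) rather than a blocklist of confusable characters.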
An infinite reaction bug was identified on MSN (Microsoft News), where users can repeatedly trigger the “reaction” functionality on comments without proper server-side validation or rate limiting. This flaw could allow manipulation of engagement metrics and potential abuse of the platform’s interaction system.
A Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2025-0133) was identified on a Sony web application, where unsanitized user input is reflected in the server’s response without proper encoding. This flaw allows an attacker to inject malicious scripts that execute in a victim’s browser, potentially leading to session hijacking or data theft.
Found leaked cached API responses containing confidential financial information, including transaction details, customer payment data, merchant banking details, and authorization credentials.
An improper access control vulnerability was identified in AMD, where unauthenticated users were able to access backend infrastructure functionality due to missing authorization checks. This issue could allow attackers to interact with internal services, potentially leading to data exposure or unauthorized actions.
An exposed API credentials vulnerability was identified in Criminal IP, where sensitive Twitter (X) API keys were publicly accessible due to improper security controls. This issue could allow unauthorized access to the associated account, enabling actions such as data retrieval, posting, or account manipulation.
Found leaked credentials that allowed read and write operations in the internal environment.
Discovered that restricted API endpoints which now return 403 Forbidden had earlier responses captured by the Wayback Machine, so their content could be read from the archive without any credentials. The archived copies are point-in-time snapshots, so what they expose is whatever the API served at capture time; that included API data that should only have been reachable after authentication and authorization.
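To find this class of exposure, query the Wayback Machine's CDX index for a host's API paths and compare the archived status codes with what the endpoints return today. The script below is an added example, not the author's own tooling: it builds the CDX query URL and, so that it runs offline, parses a constructed CDX response against a constructed table of live status codes. The `id_` modifier in the archive URL requests the captured body without the Wayback toolbar or link rewriting.

```python
"""Compare Wayback Machine CDX captures with live status codes to spot
endpoints that are 401/403 today but were captured with a 200 body.
Added illustration; SAMPLE_CDX and LIVE_STATUS are constructed inputs for a
fictional host, not real captures."""
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
# Field order of the default plain-text CDX output.
CDX_FIELDS = ("urlkey", "timestamp", "original", "mimetype",
              "statuscode", "digest", "length")


def cdx_query_url(host, path_prefix="/api/", limit=500):
    """Build the CDX query for every capture under host/path_prefix that
    was archived with a 200, one row per distinct URL (collapse=urlkey)."""
    params = {
        "url": f"{host}{path_prefix}*",
        "filter": "statuscode:200",
        "collapse": "urlkey",
        "limit": str(limit),
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx(text):
    """Parse plain-text CDX rows into dicts; malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(CDX_FIELDS):
            continue
        rows.append(dict(zip(CDX_FIELDS, parts)))
    return rows


def raw_archive_url(timestamp, original):
    """URL of the captured body; the id_ flag returns the content as it was
    served, without the Wayback toolbar or rewritten links."""
    return f"https://web.archive.org/web/{timestamp}id_/{original}"


def archived_bypass_candidates(cdx_text, live_status):
    """Endpoints whose live, unauthenticated response is 401/403 but which
    the archive holds with a 200 capture. live_status maps URL -> current
    HTTP status from an unauthenticated probe (constructed here)."""
    found = []
    for row in parse_cdx(cdx_text):
        if row["statuscode"] != "200":
            continue
        if live_status.get(row["original"]) not in (401, 403):
            continue
        found.append({
            "original": row["original"],
            "timestamp": row["timestamp"],
            "archive_url": raw_archive_url(row["timestamp"], row["original"]),
        })
    return found


# Constructed CDX output for a fictional host (not real captures).
SAMPLE_CDX = """\
com,example)/api/v1/merchants/123/bank 20240115093012 https://example.com/api/v1/merchants/123/bank application/json 200 ABCDEF0123456789 1204
com,example)/api/v1/public/status 20240201120000 https://example.com/api/v1/public/status application/json 200 0123456789ABCDEF 88
com,example)/api/v1/users/me 20231102080000 https://example.com/api/v1/users/me application/json 403 FEDCBA9876543210 41
"""

# Constructed result of probing the same URLs today without credentials.
LIVE_STATUS = {
    "https://example.com/api/v1/merchants/123/bank": 403,
    "https://example.com/api/v1/public/status": 200,
    "https://example.com/api/v1/users/me": 403,
}

if __name__ == "__main__":
    print(cdx_query_url("example.com"))
    for hit in archived_bypass_candidates(SAMPLE_CDX, LIVE_STATUS):
        print(hit["original"], "-> archived 200 at", hit["archive_url"])
```

A hit only means the archive holds a body that the live API now refuses to serve; before reporting, fetch the capture and confirm it contains data that is still sensitive, since a stale snapshot of a public or rotated resource is not a finding. Only endpoints in scope of an authorized engagement should be probed for the live status table.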
An information disclosure vulnerability was identified in TVH, where a publicly accessible env.js file exposed sensitive configuration details such as API endpoints or keys. This exposure could allow attackers to gather internal information and potentially exploit related services.
The languages and tools I use to uncover vulnerabilities.
Building custom scanners and automation tooling
Network analysis, interception, and reverse engineering
Where I deploy code and engage with the community
Open source tools and scanners I've built to automate the hunt.
FinderX – Go-based JavaScript asset discovery and secret-hunting pipeline: automated subdomain enumeration, JS extraction, and sensitive-data detection for authorized security testing.
OriginFinder is a multi-source reconnaissance tool that uncovers real origin IPs behind CDNs using intelligence aggregation, confidence scoring, and active verification.
SubTakerX is a high-performance Go CLI tool for detecting subdomain takeover vulnerabilities using DNS analysis, fingerprinting, and automated HTTP probing.
ZerOn is an AI-powered automated penetration testing platform that leverages LLM reasoning to perform intelligent reconnaissance, vulnerability detection, and professional security reporting.
Zybl is the next-gen Sybil-resistance layer for Web3. Real people. Real proofs. Real revenue.
AppSec is a full-stack application security system that combines multi-factor authentication, real-time intruder detection, and alerting to protect apps from unauthorized access.
#Security