May 30, 2026
The Dumbest Bug I Ever Found (And Why Complexity Is Overrated)
Three hours of complex testing. Four seconds of clicking a link.
I spent three hours testing a site once. Real deep dive. Burp Suite running. Manual payloads. Checking headers, parameters, weird endpoints. Found nothing.
Then I got annoyed and just started clicking around like a regular user.
Clicked a link. Saw the URL had ?redirect=/dashboard. Changed it to ?redirect=https://google.com.
It worked. Open redirect. Took four seconds.
I stared at my screen for a good minute wondering why I just wasted three hours on complex stuff when the dumbest test possible worked immediately.
---
The Bug That Made Me Question Everything
This one still makes me laugh.
There was a site where you could reset your password. Normal flow. Enter email, get link, set new password.
I tested everything. Token expiration. Rate limiting. Host header injection. User enumeration. Nothing.
Then I looked at the reset link they emailed me.
https://target.com/reset?token=xyz123&email=me@example.com
See that email= parameter in the URL? I changed it to victim@example.com and kept the same token.
It worked. I reset someone else's password using my own token.
The server never checked if the token belonged to that email. It just trusted whatever email was in the URL.
That was a $2500 bug. Complete account takeover. And it took me less than a minute to find once I actually looked at the URL.
The developer just forgot to link the token to the email address on the backend. Such a small mistake. Such a big payout.
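Here is what that missing link looks like in code, as an added example that is not the post's code or the target site's. It is a constructed Python model of a reset endpoint: the vulnerable handler checks only that the token exists and trusts the `email=` parameter, while the fixed handler takes the account from the token record, expires tokens, and makes them single-use. The in-memory tables, the 15-minute TTL and the function names are assumptions chosen for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link

# Constructed stand-ins for the users table and the reset-token table.
PASSWORDS = {"me@example.com": "old-pw-1", "victim@example.com": "old-pw-2"}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}


def _hash(token):
    # Store only a hash so a leaked table cannot be replayed as live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Mint a single-use token bound to the account that requested the reset."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def reset_password_vulnerable(token, email, new_password):
    """The bug from the post: the token is only checked for existence, and the
    email from the URL decides whose password gets changed."""
    if _hash(token) not in RESET_TOKENS:
        return False
    PASSWORDS[email] = new_password
    return True


def reset_password_fixed(token, email, new_password, now=None):
    """Fix: the account comes from the token record; the token must be unexpired
    and unused, and the email in the URL must match the record or the request
    is refused. The URL's email is a hint, never the source of truth."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    if record["email"] != email or email not in PASSWORDS:
        return False
    record["used"] = True
    PASSWORDS[record["email"]] = new_password
    return True
```

The important line is `PASSWORDS[record["email"]] = new_password`: the account is resolved from server-side state that was created when the reset was requested, so nothing the client puts in the URL can redirect the change to someone else.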
---
Why We Overcomplicate Things
Here's what I learned from that.
When you've been hunting for a while, you start thinking every bug needs a fancy exploit. SQL injection with 20 characters of payload. Blind XSS with a complicated bypass. Race conditions that take ten tries to trigger.
But most bugs are stupid simple.
The developer forgot to check something. The parameter isn't validated. The endpoint has no authentication. That's it. No magic.
The hard part isn't finding complex bugs. The hard part is remembering to check the simple stuff even when you think you're past that.
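"The parameter isn't validated" and "the endpoint has no authentication" are the two halves of the classic change-the-ID bug (the first item on the checklist further down). As an added example, not code from the post, here is a constructed Python model of an invoice lookup: the vulnerable version fetches whatever id the client sends, while the fixed version parses the id strictly and scopes the lookup to the logged-in user, returning the same 404 for unknown and foreign ids so they cannot be enumerated. The sample data, the session shape and the function names are assumptions.

```python
# Constructed sample data: invoices owned by two different users.
INVOICES = {
    123: {"owner": "alice", "total": 40},
    456: {"owner": "bob", "total": 99},
}


def get_invoice_vulnerable(invoice_id):
    """Looks up by the caller-supplied id only: any logged-in user can read
    any invoice just by changing the number."""
    return INVOICES.get(invoice_id)


def parse_id(raw):
    """Strict id parsing: 'admin', 'me', 'null', '-1', '' and a missing
    parameter all come back as None instead of reaching the database."""
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    return int(raw)


def get_invoice_fixed(raw_id, current_user):
    """Validate the parameter, then authorize: the row must belong to the
    authenticated user. Unknown and foreign ids are indistinguishable."""
    invoice_id = parse_id(raw_id)
    if invoice_id is None:
        return None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        return None
    return inv


def handle_invoice_request(params, session):
    """Return (status, body) the way an HTTP handler would: 401 with no
    session, 404 for anything the caller may not see, 200 otherwise."""
    if not session or "user" not in session:
        return 401, None
    inv = get_invoice_fixed(params.get("id"), session["user"])
    if inv is None:
        return 404, None
    return 200, inv
```

Two details matter here. The authentication check comes first and is unconditional, so there is no code path where an unauthenticated caller reaches the lookup. And the ownership check is part of the lookup itself, not something a later layer is expected to remember.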
---
My "Dumb Check" List That Still Pays
I keep this list in my notes. Takes five minutes. I run through it on every target before I do anything else.
Change the ID – If you see ?id=123 anywhere, change it to 1, 2, 456, admin, me, null, -1. Just click around like a toddler.
Remove the parameter – Delete ?token=xyz from a URL and see if it still works. Sometimes the server doesn't actually check it.
Add a parameter – Try ?debug=true or ?test=1 on random endpoints. Sometimes debug modes are left on.
Check the redirect – Any URL with next=, redirect=, return=, url=, change it to https://google.com.
Try the obvious endpoints – /admin, /backup, /old, /test, /dev, /api, /v1, /swagger, /graphql. You'd be shocked how many are open.
Look at the email – Any link sent to your email, examine every parameter. Change the email address if you see one.
Try empty values – Send a request with {"name": ""} or {"amount": 0} or {"id": null}. Error handlers are often broken.
Most of these won't work. But the ones that do take zero skill to find. And they still pay.
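The redirect check on this list, and the open redirect from the first story, both come down to one missing validation. As an added example (not the post's code) here is a constructed Python validator for a `redirect=` / `next=` value that only allows same-site targets. It goes a little beyond the `https://google.com` case in the text and also rejects the usual relative-looking forms (`//host`, `///host`, `/\host`, `https:host`, leading control characters, non-http schemes) that a naive "starts with a slash" check lets through. The `allowed_host` argument and the function names are assumptions.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target, allowed_host):
    """True only if `target` will land on allowed_host (or is a local path)."""
    if not target:
        return False
    # Browsers strip tabs/newlines and some control characters before parsing,
    # so "\t//evil.example" would become scheme-relative; refuse them outright.
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    # Browsers treat "\" like "/" in special schemes, so "/\evil.example"
    # means "//evil.example". Backslashes have no place in a redirect target.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: allow only https to our own host.
        # "https:evil.example" parses with an empty netloc and fails here too.
        return parts.scheme == "https" and parts.netloc.lower() == allowed_host
    # Relative path: exactly one leading slash. "//x" and "///x" are
    # scheme-relative in browsers even though urlsplit sees no netloc for "///x".
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target, allowed_host, default="/"):
    """Return the validated target, or a safe default instead of erroring."""
    return target if is_safe_redirect(target, allowed_host) else default
```

Note what the relative branch does not do: it never tries to "clean" a bad value into a good one. Rewriting is where most redirect filters go wrong; refusing and falling back to a fixed default is both simpler and safer.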
---
The Embarrassing Truth
I've found more bugs by being lazy than by being clever.
The open redirect from the first story? Four seconds. The password reset thing? Maybe a minute. There was another time I found an admin panel because I just typed /admin into the URL. Not even a scan. Just typed it.
Meanwhile, the bugs I spent hours on? Half of them were duplicates or false positives.
So now I start dumb. Every single time. I pretend I'm someone who doesn't know anything and just click around breaking things randomly. Then after that, I get serious.
---
What I Want You To Take From This
You don't need to know 100 exploits. You don't need the latest tool. You don't need to understand how the framework works under the hood.
You just need to be curious and a little annoying.
Change numbers. Delete stuff. Add stuff. Click things that look like you shouldn't click them. Most of the time nothing happens. But sometimes you get $2500 for changing an email address in a URL.
That's bug hunting. It's not that deep.
---
If this made you feel better about not knowing everything, clap and follow. Tomorrow I'm writing about how to find bugs when you're completely stuck – the mindset shift that got me out of a three-week dry spell.