I'm a Security Researcher and Bug Bounty Hunter with a passion for web and API security. I hunt vulnerabilities on HackerOne, break down complex security flaws into content that others can learn from, and share my work through detailed write-ups, videos, and blogs. Here's my main website: medusa0xf.com
I'm Insha, a Security Researcher specializing in web application and API security. I have hands-on experience conducting internal penetration tests, API security assessments, and technical report writing through my 6-month research internship at Traceable with Harness. During this role, I worked with tools like Traceable Sonar to analyze API traffic, uncover vulnerabilities, and provide detailed remediation steps, strengthening the overall security posture of internal systems.
Previously, I worked for over 1.5 years as a Content Writer at Akto, where I created technical guides and articles for engineers, pentesters, and developers on topics such as penetration testing, API security best practices, and common web vulnerabilities.
Beyond professional roles, I actively hunt for vulnerabilities on HackerOne and share my research through my blog and YouTube channel, making complex security concepts easier to understand for the community.
A detailed write-up of how I uncovered an Insecure Direct Object Reference (IDOR) vulnerability in a delivery app that earned a $3000 bounty. This article walks through my approach, the tools I used, and the techniques applied, making it a practical learning resource for both hackers and developers.
Introduction: Recently, I was hunting on a target that I can't disclose because of its responsible disclosure program, even though it's public...
A practical video guide on misconfigured AWS S3 buckets, one of the most common cloud security issues and a prime target for bug bounty hunters. In this video, I explain how S3 buckets work, the mistakes developers often make, and how attackers exploit them, with real-world examples and testing techniques you can apply.
A complete video guide to OAuth 2.0 flows, explained with real examples from Okta and OAuth Playground. This walkthrough covers how each flow works, common security pitfalls, and practical testing tips, perfect for bug bounty hunters, pentesters, and developers looking to strengthen their understanding of OAuth.
An episode of my Snake Bytes podcast diving into Dependency Confusion, the supply chain attack that let a researcher slip malicious packages into companies like Microsoft, Apple, and PayPal. I unpack how the hack worked, why it was so impactful, and what both hackers and developers can learn from it.
You can listen to the full episode on Spotify
Hey hackers! How do you Pentest/Bughunt on Salesforce applications, also any good resources for it?
— Medusa (@medusa_0xf) August 24, 2025

The series is finally completed! All PortSwigger Web Cache Deception Labs Explained! https://t.co/pwN6h6qyhq pic.twitter.com/mzfKJAshOG
— Medusa (@medusa_0xf) June 25, 2025

Can you spot the API Vulnerability? #Hacking #API pic.twitter.com/ZUOLxhlFjy
— Medusa (@medusa_0xf) October 31, 2023

New Blog! Exploiting XSS with Javascript/JPEG polyglot. #xss #infosec #javascript https://t.co/0ll1IcSFNs
— Medusa (@medusa_0xf) April 8, 2022

Watch my New Video: "Bug Bounty Guide: XXE Injection Explained with Real Reports" on @YouTube https://t.co/8z5to5XyqB pic.twitter.com/09WKP9GyIP
— Medusa (@medusa_0xf) August 22, 2025

10k the heck pic.twitter.com/vXNpI492Tp
— Medusa (@medusa_0xf) June 18, 2025