
Insha Jabeen
I'm the face behind Medusa, a cybersecurity media brand focused on web and API security. I hunt vulnerabilities on HackerOne, turn real findings into content that 40,000+ subscribers actually learn from, and work with companies on sponsored content, product demos, and technical writing. Here's my blog: medusa0xf.com
About me
I'm Insha, the Security Researcher and creator behind Medusa, a cybersecurity media brand built around web application, API, and AI security.
On the research side, I have hands-on experience conducting internal penetration tests, API security assessments, and technical report writing through my internship at Traceable with Harness. I worked with tools like Traceable Sonar to analyze API traffic, uncover vulnerabilities, and deliver detailed remediation steps. I also actively hunt on HackerOne and share my findings publicly so others can learn from them.
On the content side, I spent over 1.5 years as a Content Writer at Akto, producing technical guides for engineers, pentesters, and developers on API security and web vulnerabilities. Through Medusa, I've grown that further, creating YouTube videos, detailed write-ups, and hosting the Snake Bytes podcast, where I break down real-world attacks and security concepts for a community of 40,000+ subscribers and growing.
Projects
Project
How I Found a $3000 IDOR Vulnerability in a Delivery App
A detailed write-up of how I uncovered an Insecure Direct Object Reference (IDOR) vulnerability in a delivery app that earned a $3000 bounty. This article walks through my approach, the tools I used, and the techniques applied, making it a practical learning resource for both hackers and developers.
Introduction: Recently, I was hunting on a target that I can't disclose because of its responsible disclosure program, even though it's public...

Project
A practical video guide on misconfigured AWS S3 buckets, one of the most common cloud security issues and a prime target for bug bounty hunters. In this video, I explain how S3 buckets work, the mistakes developers often make, and how attackers exploit them, with real-world examples and testing techniques you can apply.
Project
A complete video guide to OAuth 2.0 flows, explained with real examples from Okta and OAuth Playground. This walkthrough covers how each flow works, common security pitfalls, and practical testing tips, perfect for bug bounty hunters, pentesters, and developers looking to strengthen their understanding of OAuth.
Project
An episode of my Snake Bytes podcast diving into Dependency Confusion, the supply chain attack that let a researcher slip malicious packages into companies like Microsoft, Apple, and PayPal. I unpack how the hack worked, why it was so impactful, and what both hackers and developers can learn from it.
You can listen to the full episode on Spotify.
Tweets
Hey hackers
How do you Pentest/Bughunt on Salesforce applications, also any good resources for it?
Medusa (@medusa_0xf), August 24, 2025

The series is finally completed!
All PortSwigger Web Cache Deception Labs Explained! https://t.co/pwN6h6qyhq pic.twitter.com/mzfKJAshOG
Medusa (@medusa_0xf), June 25, 2025

Can you spot the API Vulnerability? #Hacking #API pic.twitter.com/ZUOLxhlFjy
Medusa (@medusa_0xf), October 31, 2023

New Blog!
Exploiting XSS with JavaScript/JPEG polyglot. #xss #infosec #javascript https://t.co/0ll1IcSFNs
Medusa (@medusa_0xf), April 8, 2022

Watch my New Video
"Bug Bounty Guide: XXE Injection Explained with Real Reports" on @YouTube https://t.co/8z5to5XyqB pic.twitter.com/09WKP9GyIP
Medusa (@medusa_0xf), August 22, 2025

10k the heck pic.twitter.com/vXNpI492Tp
Medusa (@medusa_0xf), June 18, 2025