The harmless profile endpoint that taught me how real bugs work

Early in my bug bounty journey, I found a bug that looked simple from the outside, but it changed the way I think about web security.

At that time, I didn’t know how to write strong reports. I knew how to test manually. I knew how to follow weird backend behavior. But I didn’t fully understand that finding a bug is only half of the work. The other half is proving impact clearly.

The bug started from a normal profile update endpoint. Nothing fancy. No admin panel. No scanner. No magic. Just this kind of request:

Test target: https://example.com

```http
PATCH /api/users/me HTTP/2
Host: example.com
Content-Type: application/json
Cookie: session=<redacted>

{ "time_zone": "Africa/Casablanca" }
```

At first, this endpoint looked harmless. It was supposed to update normal user-controlled profile fields like timezone, language, or basic settings.…