403 on /get_all_users
404 on /get_all_userz
Then Rhynorater fuzzed until a double-encoded “S” slipped past the NGINX filter.

200 on /get_all_user%2573

Result: 4.5M users' PII dumped.
Bounty: $15K–$20K
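
A defender-side check for the bypass described above, as an added example that is not from the original post: decode the request path until it stops changing, apply the deny rule to the canonical form, and flag any path that needed more than one decoding pass. The `DENIED` set, `MAX_PASSES` and the function names are assumptions for illustration.

```python
from urllib.parse import unquote

# Assumed deny list; the post only names /get_all_users as the blocked route.
DENIED = {"/get_all_users"}
MAX_PASSES = 5  # bound the loop so nested encoding cannot be used to burn CPU


def canonicalize(path: str) -> tuple[str, int]:
    """Percent-decode until stable. Returns (canonical_path, decode_passes)."""
    passes = 0
    current = path
    while passes < MAX_PASSES:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return current, passes


def evaluate(path: str) -> dict:
    """Compare a filter matching the raw path with one matching the canonical path."""
    canonical, passes = canonicalize(path)
    # Still encoded after MAX_PASSES: treat as hostile rather than guess.
    unresolved = unquote(canonical) != canonical
    return {
        "raw_filter_blocks": path in DENIED,
        "canonical_filter_blocks": canonical in DENIED or unresolved,
        "alert_multi_encoded": passes > 1 or unresolved,
        "canonical": canonical,
    }


# Constructed sample requests mirroring the three paths in the post.
SAMPLES = ["/get_all_users", "/get_all_userz", "/get_all_user%2573"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, evaluate(p))
```

The filter and the application behind it must agree on the canonical form; a request that needs two or more decoding passes is rarely legitimate and is worth logging even when it is blocked.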
 
 