This story isn’t about having a perfect setup.
It’s about an ethical hacker who started with nothing but an Android phone and still pulled secrets out of live code — reading JavaScript manually, collecting hidden endpoints and access tokens. Eventually, he hit a critical vulnerability worth thousands of dollars.
And now that same “phone-only beginner” is in the Top 30 on HackenProof with 49 paid reports. Meet Zakaria Eddafri (0x0w1Pr0xYDEADcAFe – formerly known as MrOwl)
If you’re thinking “I’m not ready,” this article is about why you actually are.
The Origin Story: The Road to Hacking
Zakaria was never built for the traditional path. School didn’t capture his interest, and after leaving formal education, he found himself working as an automobile mechanic. For four years, he developed intermediate-level experience in that field — but something was always missing. He felt lost, unsure of who he was or where he was heading.
Everything changed when he met Ayoub, a friend of his brother’s who soon became his closest friend and mentor. Ayoub was deeply involved in technology, and watching his journey ignited something in Zakaria. For the first time, he saw a new direction — cybersecurity and tech. The only problem? He had no idea where to start.
When Persistence Meets Ingenuity
Zakaria began his journey in 2018, teaching himself through YouTube courses, GitHub repositories, and technical articles. But as he quickly learned, the hardest part wasn’t understanding — it was staying persistent.
For years, he hunted across different platforms, only to run into a wall of duplicates. The frustration was constant. He made mistakes, wasted time, and often felt stuck. Then, a major setback hit — his personal computer broke. Without the means to replace it, Zakaria was left with just his Android phone. Most people would have given up. He almost did.
Instead, he decided to adapt. Zakaria began experimenting with what was possible using only his phone. He discovered tools like Termux and VM Android, as well as apps for extracting APK files, and soon realized something others had overlooked — mobile applications were an untapped opportunity. While most hunters focused on desktop applications, Zakaria found his niche in mobile.
The First Reports: Learning by Doing
Zakaria has been an active ethical hacker on HackenProof as well as in several private bug bounty programs, including the CoinDepo Web and App DualDefense Audit, the program that would later bring him his biggest breakthrough. Although he created his HackenProof account in October 2019, he did not start hunting seriously until January 18, 2024, when he submitted his first bounty report. From that moment he hunted consistently and deliberately; in under two years of active work he amassed 48 paid reports, the result of steady practice and refinement.
Working solely from his Android phone, Zakaria relied on a straightforward but effective methodology. Below — in language as close as possible to his own description — is how he approached the hunt:
My methodology for this breakthrough:
Using only my Android phone, I started with a simple but powerful approach:
- User Journey Mapping: I would use the application like a normal user, exploring every feature and flow to understand the business logic.
- JavaScript Deep Dive: I’d click F12 in the browser, go to the Sources section, and analyze all JavaScript chunks.
- API Discovery: I’d cross-reference the Sources section with the Network section to find hidden API paths.
- Manual Testing: I’d take those API paths and manually test them using my current JWT authorization bearer token.
That mix of user-focused exploration, client-side code inspection, API correlation, and manual verification let him find attack surfaces others might miss — especially when working under the constraint of a mobile-only setup.
A Discovery That Defined His Career
During his testing, Zakaria initially found several IDOR (Insecure Direct Object Reference) issues. But his curiosity pushed him further. When he noticed that one internal panel was briefly visible before the browser redirected away, he trusted his instincts and intercepted the process. A redirect enforced on the client does not stop the server from serving the panel's JavaScript; the code, and everything embedded in it, has already reached the browser. Before the redirect completed, he analyzed that JavaScript, and what he uncovered looked like a treasure map: additional subdomains, embedded API keys, and endpoints that should have been protected.
While examining the exposed API structure, Zakaria noticed that one endpoint behaved differently – it didn’t require admin privileges to access. Testing it manually, he realized it revealed something no user should ever see — a full list of private wallet keys for the platform.
At that moment, the scale of the finding hit him. Over 4,000 private keys were accessible through that single endpoint — a vulnerability with the potential to compromise the entire system. What began as another ordinary test had turned into a discovery that defined his career.
The Payoff: Impact and Future Outlook
When Zakaria found a critical IDOR and got it paid, the bounty felt like a victory — until a more powerful realization struck him soon after:

Buoyed by this confidence, Zakaria immediately invested in a proper PC and committed himself to continuous, focused hunting. Since that breakthrough he has reached 49 paid reports and continues to uncover critical vulnerabilities across HackenProof and other platforms.
How this changed his career
Zakaria’s breakthrough had a profound impact on both his mindset and his approach to bug hunting:
- He went from feeling uncertain about his abilities to believing he could become a top-tier bug bounty hunter.
- He discovered that reviewing JavaScript source code was one of his most powerful tools for finding hidden vulnerabilities.
- He learned that unconventional approaches, such as focusing on mobile-first hunting, could provide significant competitive advantages.
- Over time, he built a strong reputation within the HackenProof community, where the mentorship, collaboration, and support he received became an important part of his journey.
New goals
Following his breakthrough, Zakaria set his sights on further mastering API security and business logic vulnerabilities. He has already started successfully finding vulnerabilities in smart contracts and is now building his own structured methodology for auditing them. Beyond personal growth, he aims to inspire other hunters from developing countries, showing them that success doesn’t depend on expensive equipment — it comes from creativity, persistence, and a deep understanding of how applications function.
Words of Wisdom: Lessons from Zakaria
The most important wisdom Zakaria learned throughout his journey can be summed up in one guiding principle:
“Hack to Learn, Learn to Hack”
Don’t just memorize vulnerability types or run automated scanners. Take time to deeply understand each target application. Learn why it exists, what business problem it solves, and how users interact with it. Once you truly understand the system, finding vulnerabilities becomes natural. This mindset shifted everything for me.
In addition to this core lesson, he also highlights some common mistakes that beginners often make:
- Chasing OWASP Top 10 blindly — “They inject payloads everywhere without understanding the application’s logic. Focus on understanding first, testing second.”
- Giving up too early — “I spent years finding only duplicates. It was frustrating, but each duplicate taught me something. Don’t expect to find critical bugs on your first hunt. Build your skills progressively.”
- Overlooking the unconventional — “Most hunters check the obvious things. The best bugs hide in places people don’t think to look. Be creative. Test things that ‘shouldn’t’ work.”
- Not reading source code — “JavaScript analysis, API endpoint discovery, and configuration files reveal so much. Spend time in the browser’s DevTools Sources and Network tabs.”
- Thinking you need expensive tools — “I started with just a mobile phone. You don’t need Burp Suite Pro to find critical bugs. Start with what you have and learn to maximize it.”
Zakaria’s Hunting Methodology
With years of hands-on experience behind him, Zakaria has developed a personal workflow for approaching new targets, which he shares here with the HackenProof community. It blends business reasoning, client-side code analysis and creative testing, and it is the routine he credits for many of his most significant findings.
Phase 1 — Application understanding
- Run through the entire app like a normal user.
- Explore every feature, link and form.
- Map the business model and the app’s main purpose.
- Document user flows and edge cases.
Phase 2 — JavaScript & API analysis
- Open browser DevTools (F12) and inspect the Sources panel.
- Search for and review all JavaScript chunks.
- Hunt for hidden API endpoints, domains and API keys (use regexes where helpful).
- Cross-reference with the Network panel to see which APIs are actually called.
- Flag API paths that appear to require restrictions but lack proper authorisation checks.
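The extraction and cross-referencing steps of Phase 2 (and of the methodology Zakaria describes in his own words above), as an added example for Node.js. This is not code from the article or from Zakaria's own tooling. The bundle text, the hostnames (under the reserved `.test` TLD), the keys and the list of paths "seen in the Network panel" are all constructed; the credential regexes are shape-based hints, not an exhaustive secret-scanner ruleset.

```javascript
// Added example (Node.js), not code from the article or from Zakaria's own
// tooling: scan a JavaScript bundle for API paths, hostnames and key-like
// strings, then diff the paths against what the Network panel actually
// called. The bundle, hostnames (.test TLD) and keys below are constructed.

const FAKE_GOOGLE_KEY = "AIza" + "Sy" + "FAKE".repeat(8) + "F"; // 39 chars, same shape as a real key
const FAKE_STRIPE_KEY = "sk_test_" + "0".repeat(24);           // constructed, not a real key

const SAMPLE_BUNDLE = `
  var BASE = "https://api.example-wallet.test";
  var ADMIN = "https://admin-panel.internal.example-wallet.test";
  fetch(BASE + "/api/v2/users/me", { headers: { Authorization: "Bearer " + token } });
  axios.get("/api/v2/wallets/" + walletId + "/balance");
  axios.post("/api/v2/admin/wallets/export-keys", {}, cfg);
  var MAPS_KEY = "${FAKE_GOOGLE_KEY}";
  var stripePk = "${FAKE_STRIPE_KEY}";
`;

// Paths observed in the Network panel while using the app as a normal user
// (constructed; in practice export a HAR and pull request.url from each entry).
const SAMPLE_NETWORK_PATHS = ["/api/v2/users/me", "/api/v2/wallets/123/balance"];

// A quoted string that starts with "/" and has at least two path segments.
const PATH_RE = /["'`](\/[A-Za-z0-9_\-]+(?:\/[A-Za-z0-9_\-{}:.]*)+)["'`]/g;
const HOST_RE = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
// Shape-based hints for credentials; vendor formats change, so treat hits as leads to verify.
const SECRET_RES = {
  google_api_key: /AIza[0-9A-Za-z_\-]{35}/g,
  stripe_key: /[sp]k_(?:live|test)_[0-9A-Za-z]{24,}/g,
  hardcoded_bearer: /Bearer\s+[A-Za-z0-9_\-.]{20,}/g,
};

function matchAll(re, text) {
  return [...text.matchAll(re)].map((m) => (m[1] !== undefined ? m[1] : m[0]));
}

function extractPaths(bundle) {
  return [...new Set(matchAll(PATH_RE, bundle))].sort();
}

function extractHosts(bundle) {
  return [...new Set(matchAll(HOST_RE, bundle).map((h) => h.toLowerCase()))].sort();
}

function extractSecrets(bundle) {
  const out = {};
  for (const [name, re] of Object.entries(SECRET_RES)) {
    const hits = matchAll(re, bundle);
    if (hits.length) out[name] = hits;
  }
  return out;
}

// A path from the source is "hidden" if nothing the app actually called starts with it.
// Paths built by string concatenation show up as prefixes (e.g. "/api/v2/wallets/").
function hiddenEndpoints(sourcePaths, networkPaths) {
  return sourcePaths.filter((p) => !networkPaths.some((n) => n.startsWith(p)));
}

function analyze(bundle, networkPaths) {
  const paths = extractPaths(bundle);
  return {
    paths,
    hosts: extractHosts(bundle),
    secrets: extractSecrets(bundle),
    hidden: hiddenEndpoints(paths, networkPaths),
  };
}

console.log(JSON.stringify(analyze(SAMPLE_BUNDLE, SAMPLE_NETWORK_PATHS), null, 2));
```

Against the constructed bundle, the only hidden path is the admin key-export endpoint: it is referenced in the source but never called during normal use, which is exactly the kind of candidate Phase 4 goes on to test. Note that `"Bearer " + token` does not trip the hardcoded-bearer pattern, because the literal is only the prefix; a real leak looks like a complete token in the string.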
Phase 3 — Reconnaissance & subdomain expansion
- Use tools (e.g., assetfinder, Shodan) to discover related domains and subdomains.
- Scan discovered hosts for control panels, admin interfaces and exposed services.
- Look for misconfigurations and forgotten endpoints.
- Keep the asset list updated — new targets can appear during testing.
Phase 4 — Targeted testing
- Prioritize business-logic flaws that are specific to the application.
- Test endpoints with current authorization tokens to reveal privilege escalation or access issues.
- Try to make “impossible” actions succeed — creative tests often find the best bugs.
- Carefully document every finding, steps to reproduce and the potential impact.
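The Phase 4 step of testing discovered endpoints with the authorization token you already hold (the same step Zakaria describes as "manually test them using my current JWT authorization bearer token"), as an added example for Node.js. This is not code from the article or from Zakaria's own tooling. The token, the candidate endpoints and the server behaviour are constructed; `mockSend` stands in for a real HTTP sender and is written so that one privileged path skips its authorization check, mirroring the failure mode the article describes. The JWT decode only reads the claims and does not verify the signature, which is fine here because the point is to know what role the token asserts before you send it.

```javascript
// Added example (Node.js), not code from the article or from Zakaria's own
// tooling: read the role claim out of the JWT you already hold (no signature
// check, we are only looking at it), then send each candidate endpoint with
// that token and flag privileged-looking paths that answer 200 to a plain user.
// The token, endpoints and server behaviour below are constructed.

function b64url(buf) {
  return buf.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}

// Decode a compact JWS payload. This does NOT verify the signature; it only
// tells you what the token claims about you before you use it.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Constructed low-privilege token with a placeholder signature that nothing here checks.
const SAMPLE_TOKEN = [
  b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" }))),
  b64url(Buffer.from(JSON.stringify({ sub: "u-1001", role: "user", exp: 4102444800 }))),
  "signature-not-checked-here",
].join(".");

// Candidates would normally come from the Phase 2 source/network diff.
const CANDIDATES = [
  { method: "GET", path: "/api/v2/users/me" },
  { method: "GET", path: "/api/v2/admin/users" },
  { method: "POST", path: "/api/v2/admin/wallets/export-keys" },
];

const PRIVILEGED_RE = /\/(?:admin|internal|debug)\b|export/;

// Constructed server: the admin user list checks the role, the key export does not.
function mockSend(req) {
  const role = decodeJwtPayload(req.headers.Authorization.replace(/^Bearer /, "")).role;
  if (req.path.startsWith("/api/v2/admin/users")) return { status: role === "admin" ? 200 : 403 };
  if (req.path === "/api/v2/admin/wallets/export-keys") return { status: 200 }; // missing authz check
  return { status: 200 };
}

function classify(endpoint, status, role) {
  const privileged = PRIVILEGED_RE.test(endpoint.path);
  if (status === 200 && privileged && role !== "admin") return "SUSPECT: privileged path served to role=" + role;
  if (status === 401 || status === 403) return "enforced";
  if (status === 200) return "ok";
  return "other:" + status;
}

// send(req) -> { status }. For a real target pass a fetch-based sender and await it;
// it is kept synchronous here so the example runs offline against mockSend.
function probe(endpoints, token, send) {
  const role = decodeJwtPayload(token).role;
  return endpoints.map((ep) => {
    const res = send({ method: ep.method, path: ep.path, headers: { Authorization: "Bearer " + token } });
    return { ...ep, status: res.status, verdict: classify(ep, res.status, role) };
  });
}

for (const r of probe(CANDIDATES, SAMPLE_TOKEN, mockSend)) {
  console.log(r.method, r.path, r.status, r.verdict);
}
```

A 200 on a privileged-looking path is only a lead, not a finding: confirm that the response body actually contains data the role should not see, then record the request, the token's claims and the response in the report. The `classify` heuristic keys on path names, so an endpoint with an innocuous name that leaks privileged data will still need the manual review the article describes.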
Zakaria’s advice for new bug bounty hunters
To anyone reading this: Your background doesn’t define your future. I came from a field completely unrelated to security. I had limited resources. I made mistakes. I failed repeatedly. But I kept learning, adapting, and pushing forward.
The HackenProof community has been incredible in supporting my growth. The connections I’ve made, the feedback I’ve received, and the opportunities that have opened up have been transformative.
If you’re just starting your bug bounty journey, remember this: Hack to learn, learn to hack. Understand your target deeply. Be persistent. Stay curious. And never underestimate what you can accomplish with limited resources but unlimited determination.
Your first critical finding is closer than you think.
Happy hunting! 🔍