How I got my first bug worth $100

Stored XSS that helped me for my first ever bounty

Hello Everyone,

This is Snifyak, a security researcher. I have been hunting bugs for the last year and a half. This is my first blog post, where I am going to tell you about my first bug report, which helped me get my first bounty.

So, at that time I got some private invitations from HackerOne by playing and solving their CTFs.

That's why I am not able to mention the program name. Let's assume it is redacted.com. The program has an in-scope staging environment with admin access, hackerone.redacted.com.

While researching, I saw a redacted base URL controlled by the admins in a redactedBaseUrl parameter. After a while, I noticed that redactedBaseUrl was not properly sanitized and was reflected in the response.

Then I crafted a payload for the PoC which simply pops up an alert.

Payload: ';alert(1);a='
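The bug class described above, as an added example that is not the program's code: a minimal template that reflects an admin-controlled base URL into an inline script, first the way the report describes it (raw concatenation into a JS string literal) and then with URL validation plus JSON encoding that keeps the value inside the literal. The names renderConfigUnsafe, renderConfigSafe, isValidBaseUrl, jsLiteral and scriptAssigns are my own, and the sample value is constructed from the payload quoted above.

```javascript
// Constructed sample value: the payload quoted in the report.
const PAYLOAD = "';alert(1);a='";

// Vulnerable pattern: the admin-controlled value is concatenated straight
// into a JS string literal inside an inline <script>.
function renderConfigUnsafe(baseUrl) {
  return `<script>var redactedBaseUrl = '${baseUrl}';</script>`;
}

// Fix, part 1: only accept an absolute http(s) URL for a base URL setting.
function isValidBaseUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// Fix, part 2: emit the value as a JSON string literal and escape the
// characters that could still close the <script> element or break the
// script (<, >, U+2028, U+2029), so the data can never leave the literal.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderConfigSafe(baseUrl) {
  if (!isValidBaseUrl(baseUrl)) {
    throw new Error("redactedBaseUrl must be an absolute http(s) URL");
  }
  return `<script>var redactedBaseUrl = ${jsLiteral(baseUrl)};</script>`;
}

// Regression-test harness: run the inline script with a stubbed alert()
// and report what redactedBaseUrl ended up holding and whether the stub
// (i.e. injected code) was executed at all.
function scriptAssigns(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  let sinkCalled = false;
  const stub = () => { sinkCalled = true; };
  const value = new Function("alert", body + "\nreturn redactedBaseUrl;")(stub);
  return { value, sinkCalled };
}
```

Note that validation alone is not enough: a value such as https://example.com/';alert(1);a=' is a well-formed URL, and only the encoding step keeps it inert.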

Impact

Let's understand about the impact.

hackerone.redacted.com has multiple user roles, like admins, sub-admins, managers, users, and custom roles generated by admins.

So the attacker is able to steal the cookies of any admins or users who have the ability to change the base URL.

The triage team set the severity to medium, and after some time I was awarded $100.

That's how I earned my first ever bounty. Today I think that if I had had more knowledge at that time, I could have escalated this issue to HIGH severity just by providing an account takeover PoC; since there were a lot of custom roles, it would have been easy to convince them.

I hope you like this. This is my first blog post. So, if you wish to give me any feedback related to this web app or want to contact me, reach out to me by filling in this form or by sending me an email (snifyak+blog@wearehackerone.com).

Have a nice day.

Regards

@snifyak

Author - Snifyak

Security Researcher