Story of My first Bug Bounty
Intro
Hello everyone, it’s been over a month since I last shared something on my blog. I was busy with academic stuff and CTFs. But finally, I have decided to take some time to write a post on my first bug bounty. The bug was small and easy to exploit; however, let this be a motivation to all who haven’t yet found their first bug.
I found the bug on a jewelry website. They did not have any vulnerability disclosure program, but I was lucky enough to get a positive response from them. It was one fine evening, after all the “hustle and bustle” of online classes had ended: I was scrolling through my Instagram feed when I noticed an advertisement for a jewelry website.
Buy gold online? Huh?
Okay. Enough of the story, let’s get started.
The Bug
I don’t know why, but I started testing it. I started with checking for low-hanging bugs. I tested for XSS and some configuration issues, but it felt safe. The website was running on the latest version of PHP. I checked if the website was using any vulnerable jQuery libraries that could trigger an XSS, but nothing was found. I continued to look through the HTML source code of the website.
I was frustrated and decided to quit. But that is when something caught my attention.
[screenshot of the HTML source, not preserved here]
Already noticed something suspicious?
Okay. Let me explain.
Probably, the developer was trying to implement some image download functionality.
I have been playing CTFs for a long time now, so I knew what I was supposed to do next. As any CTFer would, I changed the image parameter to /etc/passwd. However, that triggered their firewall and the request was blocked. I changed it to index.php. My heart stopped for a moment: index.php had already started downloading.
With this, I was able to download the files from the webserver. I found that I was able to leak their e-mail account credentials, API keys, database credentials, and some other sensitive information.
Now I had a valid bug. But then I came to know that they did not have any vulnerability disclosure program. I tried mailing the e-mail addresses mentioned on their website, but I received no response.
Then I used my OSINT skills (jk, Googling) to find out the e-mail address of their IT Administrator and mailed them about the bug.
Profit
Their response was quick, and I was contacted by the company that was in charge of managing the website. I disclosed the bug and the issue was patched. I was awarded an amount of INR 15,000 (about 200 USD) for the bug. Even though they did not have a VDP, they decided to recognize my effort with it.
I learned a lot. Proper communication through the proper channel was the major reason for success this time. The entire process from detection of the bug to payment and fixing took just 9 working days. The responsibility that the company showed surely deserves appreciation.
That’s all for now. I hope this will inspire my readers to never give up. Keep on trying until you win.
Good luck.
Thanks for reading.