
Yadhu's Blog

Story of My first Bug Bounty


# Intro

Hello everyone, it’s been over a month since I last shared something on my blog. I was busy with academic work and CTFs. But I have finally decided to take some time to write a post on my first bug bounty. The bug was small and easy to exploit; even so, let it be a motivation to everyone who hasn’t found their first bug yet.

I found the bug on a jewelry website. They did not have any vulnerability disclosure programs, but I was lucky enough to get a positive response from them. It was on a fine evening, after all the “hustle and bustle” of online classes ended, I was scrolling through my Instagram feed and I noticed an advertisement for a jewelry website.

Buy gold online? Huh?

Okay. Enough of the story, let’s get started.

# The Bug

I don’t know why, but I started testing it. I started with checking for low-hanging bugs. I tested for XSS and some configuration issues, but it felt safe. The website was running on the latest version of PHP. I checked if the website was using any vulnerable jQuery libraries that could trigger an XSS, but nothing was found. I continued to look through the HTML source code of the website.

I was frustrated and decided to quit. But that is when something caught my attention.

```javascript
$('.downloadImage').on('click',function(){
    window.location.href="https://www.<REDACTED>.net/download.php?image="+encodeURIComponent($image);
});
```

Already noticed something suspicious?

Okay. Let me explain.

The developer was trying to implement some image download functionality, probably.

I have been playing CTFs for a long time now, so I knew what I was supposed to do next. As any CTFer would, I changed the image parameter to /etc/passwd. However, that triggered their firewall and the request was blocked. I then changed it to index.php. My heart skipped a beat for a moment.

I saw that index.php had already started downloading.

With this, I was able to download arbitrary files from the web server. I found that I could leak their e-mail account credentials, API keys, database credentials, and other sensitive information.
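The handler behind download.php is not shown in the post (it was PHP), so here is an added example in Python, not the site's own code, of the check it was missing: the untrusted image parameter is resolved against the images directory and refused unless the resolved path stays inside that directory and names an image file. The directory layout, file names and probe values are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Only real product images may be served; anything else (index.php,
# config files, /etc/passwd) is refused before the file is ever opened.
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".webp"}


def resolve_download(image_param: str, image_root: Path):
    """Map the untrusted ?image= value to a file under image_root.

    Returns the resolved Path, or None when the request must be refused.
    The containment check runs on the *resolved* path, so '..' segments,
    absolute paths and symlinks pointing outside image_root are all caught.
    """
    root = image_root.resolve()
    # Reject empty values, NUL bytes and absolute paths outright.
    if not image_param or "\x00" in image_param or os.path.isabs(image_param):
        return None
    candidate = (root / image_param).resolve()
    # The resolved path must still lie inside the image directory.
    if candidate != root and root not in candidate.parents:
        return None
    # Only image files, and only regular files (no directories).
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES or not candidate.is_file():
        return None
    return candidate


def demo():
    """Build a throwaway web root (constructed sample data) and probe it.

    Returns {probe_value: served?} for the same kinds of values the post
    describes: a legitimate image, index.php, a config file, /etc/passwd.
    """
    webroot = Path(tempfile.mkdtemp())
    images = webroot / "images"
    images.mkdir()
    (images / "ring.jpg").write_bytes(b"\xff\xd8constructed-jpeg")
    (webroot / "index.php").write_text("<?php // constructed sample ?>")
    (webroot / "config.php").write_text("<?php $db_pass = 'sample'; ?>")
    probes = ["ring.jpg", "../index.php", "../config.php",
              "/etc/passwd", "ring.jpg\x00.php", "."]
    return {p: resolve_download(p, images) is not None for p in probes}
```

Only the legitimate image under images/ is served; every traversal, absolute-path and NUL-byte probe returns None, so a WAF is no longer the only thing standing between the parameter and the filesystem.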

Now I had a valid bug. But then I found out that they did not have any vulnerability disclosure program. I tried mailing the e-mail addresses listed on their website, but I received no response.

Then I used my OSINT skills (jk, Googling) to find out the e-mail address of their IT Administrator and mailed them about the bug.

# Profit

Their response was quick, and I was contacted by the company that managed the website for them. I disclosed the bug and the issue was patched. I was awarded INR 15,000 (about 200 USD) for the bug. Even though they did not have a VDP, they decided to recognize my effort with it.

I learned a lot. Proper communication through the proper channel was the major reason for success this time. The entire process from detection of the bug to payment and fixing took just 9 working days. The responsibility that the company showed surely deserves appreciation.

That’s all for now. I hope this will inspire my readers to never give up. Keep on trying until you win.

Good luck.

Thanks for reading.