#1 My Bug Bounty Journey (First Bounty with $100)
This is the writeup for my first bug bounty, so if I made some mistakes, skip that! This blog will not be very technical, as it wasn't very hard to discover and exploit. This post is just to prove to people who want to get into bug bounty that you can get into bug bounty and actually succeed :)
If you are looking for tips, tricks, insights or helpful information related to the wonderful world of bug bounty hunting, you have come to the right place!
My name is “Prajwal”, and I started bounty hunting 5 months ago (from Jan 2021) with “Raman Mohurle” (CCNA + RHCSA), who is also a bug hunter.
The vulnerability I will talk about is not something new; it is a known behaviour for web developers. But not that many people have considered it from a security perspective, and I have never seen it mentioned in any security paper, which is why I decided to shed light on it.
I found an “Open Redirect > GET-Based” vulnerability on “xyz.com” (it is a US-based company which offers banking, investing, and insurance; due to their terms and policy, I can't share any data with you).
What Open Redirect is :-
So, we should already know what an open redirect is. For someone who doesn't: it is when a remote attacker can set an arbitrary value as a redirect destination. For example, consider the following “legit” redirect chain:
which in the end leads to app.example.com. But what if someone malforms this URL into the following:
Notice that we changed the end destination from app.example.com to evil.com. If the web app allows that URL change and we end up redirected to https://evil.com, then it is an open redirect vulnerability. This behaviour may be used to perform phishing attacks (the victim clicks a link on the trusted domain and lands on the attacker's page), to steal access tokens from authentication flows (for example when an OAuth redirect_uri is not strictly validated), or be combined with other vulnerabilities such as SSRF. A lot of things can potentially be done.
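To make the difference between the vulnerable and the fixed behaviour concrete, here is an added example (my code, not the post author's and not the code of the affected site). It assumes a hypothetical `?next=` parameter handled by two functions: `vulnerable_next_url`, which redirects wherever the parameter says (the open-redirect pattern), and `safe_next_url`, which resolves the value against the site's own origin and only allows hosts on a small allowlist. The hosts `example.com`, `app.example.com` and `evil.com` are the ones used in the text; the allowlist itself and the bypass payloads are constructed for the example.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical allowlist for the example; a real app would use its own hosts.
ALLOWED_HOSTS = {"example.com", "app.example.com"}
DEFAULT_URL = "https://example.com/"


def vulnerable_next_url(next_param: str) -> str:
    """Vulnerable handler: trusts ?next= completely.

    This is the open-redirect pattern from the text: whatever the attacker
    puts in the parameter becomes the Location header.
    """
    return next_param or DEFAULT_URL


def safe_next_url(next_param: str, base: str = DEFAULT_URL) -> str:
    """Hardened handler: resolve ?next= against our own origin, then allowlist the host.

    Falls back to `base` for anything that would leave the allowed hosts,
    including the classic bypasses: protocol-relative URLs (//evil.com),
    backslash variants (\\evil.com), userinfo tricks (host@evil.com),
    suffix hosts (app.example.com.evil.com) and non-http schemes.
    """
    if not next_param:
        return base

    # Browsers strip tabs and newlines inside URLs, so strip them before parsing
    # to avoid a check/use mismatch between this parser and the browser.
    candidate = "".join(ch for ch in next_param if ch not in "\t\r\n")

    # Browsers treat backslashes like forward slashes in special schemes;
    # urlparse does not, so normalise first.
    candidate = candidate.replace("\\", "/")

    # A leading "//" (or "///", which browsers collapse) is protocol-relative and
    # changes the host even though it "looks" like a path. Python's urljoin does
    # not collapse "///", so reject it explicitly instead of trusting the parser.
    if candidate.startswith("//"):
        return base

    resolved = urljoin(base, candidate)
    parsed = urlparse(resolved)

    # Only plain web schemes; blocks javascript:, data:, etc.
    if parsed.scheme not in ("http", "https"):
        return base

    # urlparse.hostname strips userinfo and port and lowercases the host,
    # so "https://app.example.com@evil.com" yields "evil.com" here.
    host = parsed.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return base

    return resolved


if __name__ == "__main__":
    # Constructed sample payloads to illustrate the contrast.
    for payload in ("/dashboard", "https://evil.com/", "//evil.com/",
                    "https://app.example.com@evil.com/", "javascript:alert(1)"):
        print(f"{payload!r:45} vulnerable -> {vulnerable_next_url(payload)}")
        print(f"{'':45} safe       -> {safe_next_url(payload)}")
```

The key design choice is that the safe version never tries to detect "bad" strings; it resolves the parameter the way a browser would and then compares the resulting host against an allowlist, which is why it survives the encoding and slash tricks that a `startswith("https://example.com")` check would miss.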
I found this vulnerability and reported it. Some days later I got a mail from Bugcrowd: “Congratulations! XYZ has awarded $100 for your submission Open Redirect on https://xyz.com/”.
Currently I'm a little more into CTFs for further training, but I'll definitely start again in a couple of days.
That’s all for this blog. Hope you liked it.