$500 as My First Bounty

Hello Hackers!

Many of us always try to find those Bugs which is so common like XSS, IDOR, CSRF, etc. I want to share something, which is unique and simple.

Introduction:

Long Password Attack —

Application-Level Denial-of-Service (DoS) — High Impact and/or Medium Difficulty — P3 (According to Bugcrowd VRT)

Description:

Some Websites allows to set Password with no restriction ie; An user can set Password with more and more number of characters, strings. Here the developer sets a loop hole. An attacker can exploit this loop hole to take down the whole application. The Application Becomes unresponsive or unavailable, for certain time period.

How I was able to find that Bug?

The Program didn’t have a wide range of scope, there were only 2–3 domains which were allowed to tested, There were already more than 70 researchers were rewarded, I Read the scope section of that program it was something like this

After reading this, I was like -let search for this type of vulnerability. Because after reading this most of the researcher would not search for this type of bugs.

I was manually testing the functionality, there I found that no restriction were there for setting up the password ….. I exploited it the whole application got slowed down … I reported this bug…The triager was like.

I gave him the Proof of concept, eventhough he marked my report as not applicable .. I again tried, to explain him, but there was no reply from them..

After almost 10 days morning 5.00 AM, a mail notification came.. When I saw that, I was like

I did it … I did it …. I did it

First bounty stories are always special..

Thanks for reading my write-up! Throw a heart to this story, If you liked please share it to your hacker friends .. Will be back with another write-up shortly. Untill that Sayonara 🥰.