I wasn’t looking for anything special — I was just testing a few websites for vulnerabilities, as I usually do. I had my laptop open, a cup of coffee in hand, and Burp Suite running in the background.
At first, everything seemed normal. But then, something strange happened…
I was testing a simple input form on a website that didn’t seem particularly interesting. I entered some basic text, then decided to try injecting a small JavaScript payload to see if the filter would block it:
<script>alert("XSS")</script>
I hit submit, and… nothing. Alright, the website must have some protection, I thought.
But a minute later, when I revisited the page, a familiar alert box popped up on my screen. My heart started racing — this wasn’t just a test anymore. I had found something real.
I dug deeper. I tried more complex payloads, manipulating the request, and bypassing any filters in place. Soon, I discovered that this wasn’t just a simple Reflected XSS — it was a Stored XSS!
This meant that my script was saved on the server and would execute every time another user visited the page. In other words, I could inject malicious JavaScript that would affect every visitor!
For example, with a slightly modified payload, I could steal session cookies and even take control of user accounts.
At this point, I knew I had found something serious.
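The stored-XSS pattern described above in miniature, as an added example (not code from the post or from the affected site): the vulnerable render path beside the fix, using the post's own payload as constructed input. It runs under Node.js with no dependencies; the cookie name, session id and CSP values are assumptions chosen for the example.

```javascript
// Added example, not the original post's code. Assumes Node.js, no dependencies.
// Constructed sample input: the exact payload used in the post.
const PAYLOAD = '<script>alert("XSS")</script>';

// In-memory "database". Stored XSS means the payload is persisted and replayed to
// every later visitor, unlike reflected XSS, which only hits the request that carried it.
const comments = [];
function storeComment(text) {
  comments.push(text);
}

// VULNERABLE: stored text is interpolated straight into HTML, so the browser of
// anyone who loads the page parses and runs it.
function renderVulnerable() {
  return comments.map((c) => `<li>${c}</li>`).join('');
}

// Fix: escape the five HTML-significant characters at output time. This neutralises
// any stored markup regardless of what the input filter did or did not catch.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// FIXED: same template, escaped data. The payload is shown as literal text.
function renderSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
}

// Defence in depth against the cookie theft the post describes: HttpOnly keeps the
// session id out of document.cookie; Secure and SameSite limit where it is sent.
// (Attribute names are standard Set-Cookie attributes; the cookie name is assumed.)
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// A CSP without 'unsafe-inline' makes the browser refuse an injected inline
// <script> block even where escaping was missed. (Policy chosen for this example.)
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'";

storeComment(PAYLOAD);
console.log('vulnerable:', renderVulnerable());
console.log('fixed:     ', renderSafe());
console.log('cookie:    ', sessionCookieHeader('sid-example'));
console.log('csp:       ', CSP_HEADER);
```

The point of contrast is that the fix lives at the output stage: the same stored string is harmless once it is encoded for the HTML context it lands in, whereas an input blocklist has to anticipate every variant.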
Reporting the Bug and Getting Paid
I didn’t want to exploit this vulnerability illegally, so I immediately submitted a responsible disclosure report to the website’s Bug Bounty Program with all the details:
A screenshot of the alert box from my first test.
A more advanced payload that could steal session cookies.
An explanation of why the website’s security filter failed.
Two days passed with no response. Then, I got an email notification:
“Your report has been accepted. You will receive your reward soon!”
A few hours later, another message popped up:
✅ $150 added to your account!
2. Use tools like Burp Suite or OWASP ZAP to analyze requests and responses.
3. Try different payloads — Some security filters block basic scripts but miss more advanced ones.
4. Always report responsibly — A legal $150 is much better than the risks of illegal activity.
A $150 reward might not seem like much, but the real value was in the lesson I learned. In cybersecurity, small mistakes can lead to big opportunities.
Today, I found a $150 bug — but who knows? Maybe next time, it’ll be worth thousands!