Another 4 Digit Bounty Story on Hackerone


Jai Lani

Hello, it's me, e0x1337, born and raised in Malaysia, and I have been exploring the cyber security world for a few years. I started as a CTF player, then pentester, then SOC analyst, and now I work full time in cyber security doing vulnerability management, and part time at night as a bug bounty hunter.

It's been a few months since I got my highest bounty since I joined in 2019, and in this writeup I will explain how I got it. This writeup is not entirely about the technical side; it is more about mindset and way of thinking.

Before I start, one thing to remember before you start anything: set your mindset right, and remind yourself why you started this. As for me, I really want to earn more money. Yes, money is my motivation. Most threat actors are the same. Even as humans, there are two things that would make you go insane — money and punishment.

Another thing to mention is the way of thinking; this could apply to anything — a relationship, working on a project, even going to war. I would like to quote the famous ancient Chinese philosopher Sun Tzu: “If you know the enemy and know yourself, you need not fear the result of a hundred battles”. The more you know your enemy, the easier it gets to win the battle. Recon is the key, but not entirely, because enumeration is where the success is.

NahamSec, in one of his videos, mentioned that he stopped doing recon and started doing the real hacking, specifically the enumeration part: knowing exactly what your target is doing, how it behaves and what could go wrong. This is important because even though everyone says the data lake is the gold mine, what exactly you do with that data is what differentiates you from the others.

Hacking is like an art and the hacker is the artist. I say this because you have to think outside the box and be creative. If your approach is the same as other hunters', then your result will be the same as well. Change it, and you will see the change. As in the Quran, Surah Ar-Rad (Chapter 13), the verse teaches us that if we want our situation to improve, we need to make positive changes in ourselves.

What I want to say here is: learn new things that others don't, hunt on targets that others don't, test those functions that others don't. I still sometimes think of new ways to exploit during my daily routine: in the shower, while exercising, while walking and even before sleep.

Until one day, God gave me the idea of a Race Condition vulnerability due to the token being implemented on my target. I had once read about this but didn't really care until PortSwigger highlighted it on their learning platform. Why not try this approach on our target, right? And yes, the target was vulnerable: the server failed to validate the token within a very short timeframe.

This race condition vulnerability is by far the most underrated vulnerability that most hunters don't look at. They only test for rate-limiting but not for race conditions. Imagine how many bounties you missed while staying busy grinding to find the best XSS Cloudflare bypass. I am saying this because I was no different back then.
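As an added illustration (not code from the original post or the program in question), here is a small Python simulation of the bug class described above: a single-use token whose "already used" check and its update are two separate steps, so concurrent requests racing in that short window can all redeem it, next to a fixed version that makes the check and the update one atomic step. The token value and the in-memory store are constructed for the example and stand in for a real database.

```python
import threading
import time

# Constructed sample: a single-use token (reset link, coupon, OTP...) held server-side.
SAMPLE_STORE = {"tok_example_123": {"user": "alice", "used": False}}


def redeem_vulnerable(store, token, gap=0.01):
    """Check-then-act redemption. The 'used' check and the update are separate
    steps; every request that reads the entry inside the gap sees used == False."""
    entry = store.get(token)
    if entry is None or entry["used"]:
        return False
    time.sleep(gap)  # stands in for the DB round-trip / work between check and update
    entry["used"] = True
    return True


_consume_lock = threading.Lock()


def redeem_atomic(store, token):
    """Hardened: check and state change happen as one critical section, so exactly
    one request can succeed per token. With a real DB the equivalent is a single
    conditional write (UPDATE ... WHERE used = false, or a unique constraint)."""
    with _consume_lock:
        entry = store.get(token)
        if entry is None or entry["used"]:
            return False
        entry["used"] = True
        return True


def race(redeem, store, token, n=20):
    """Fire n concurrent redemptions of the same token; return how many succeeded.
    A correct endpoint returns 1 no matter how large n is."""
    barrier = threading.Barrier(n)  # release all workers at the same instant
    results = []

    def worker():
        barrier.wait()
        results.append(redeem(store, token))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("vulnerable:", race(redeem_vulnerable, {"t": {"user": "a", "used": False}}, "t"))
    print("atomic:    ", race(redeem_atomic, {"t": {"user": "a", "used": False}}, "t"))
```

The same harness doubles as a regression check for the fix: the count for the atomic variant must stay at 1 as the number of concurrent workers grows.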

Long story short, my finding was marked as medium severity until one day another hacker contacted me saying he had reported the same issue but got a duplicate because of mine. He said he could increase the severity to high and share the POC. But it was too late; the program had already fixed it before we could even try. So, don't report it straight away; find your way to increase the severity. Race conditions always work like a charm, trust me.

To other hunters out there, keep a lookout. One fine day, you will get the reward for what you have been working on. Think differently — as the HackerOne saying goes, #TogetherWeHitHarder

Adios~
