From Rookie to Bounty: How a $400 IDOR Flaw on HackerOne Cracked Open My Cybersecurity Journey
Here’s a unified, story-driven deep dive weaving tactics, tools, and mindset into a single narrative:
After months of grinding through PortSwigger’s IDOR labs and dissecting HackerOne’s public reports, I honed a strategy: target startups with narrow scopes (like `api.fintechx.com/v2/*`) and “public” visibility, signs they were hungry for submissions but overlooked by most hunters.

Armed with Burp Suite’s **Intruder**, I enumerated the numeric parameters on their user dashboard (`/profile?id=1001` → `1002`, `1003`...) while watching Chrome DevTools’ Network tab for endpoints the page called behind the scenes. That is where I spotted the goldmine, `/api/fetch_transactions`: a request whose only gate was the bearer token itself, with nothing tying the record it asked for to the user who held that token. Tampering with its JSON payload (`{"userId":512}` → `513`) dumped another user’s financial data. The server had authenticated me and then trusted my claim about which user I was asking about; that gap between authentication and authorization is the whole of an IDOR.

Heart pounding, I sanitized screenshots with Greenshot and drafted a report mimicking HackerOne’s top hunters: bulletproof steps to reproduce, annotated visuals, and a curl command proving exploitability:

`curl -H "Authorization: Bearer [token]" -H "Content-Type: application/json" https://api.fintechx.com/v2/fetch_transactions -d '{"userId":513}'`

The `Content-Type` header is worth including: without it curl sends the body as `application/x-www-form-urlencoded`, and a JSON endpoint may ignore or reject it. The triager confirmed the flaw stemmed from a rushed AWS migration that skipped role-based checks (nothing verified that `userId` belonged to the caller), awarding $400 and a shoutout for clarity.

Key lessons? **Tools matter** (Burp’s Comparer spotted subtle differences in JWT responses; OWASP ZAP flagged lax CORS headers)…
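To make the authentication-versus-authorization gap concrete, here is the `fetch_transactions` handler modelled twice: once as the vulnerable version the story describes, once hardened with an object-level ownership check. This is an added example, not code from the write-up or from the program it describes; the request model, token values, user ids and transaction records are constructed for illustration, and the `probe` function mirrors the Intruder loop a tester would run against each version.

```python
"""
Added example (not code from the write-up or the program it describes):
a minimal model of the fetch_transactions endpoint, first as the vulnerable
handler the story describes, then hardened with an object-level ownership
check. Tokens, user ids and transactions below are constructed sample data.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data: opaque bearer tokens mapped to the user they belong to.
SESSIONS: Dict[str, int] = {"tok-user-512": 512, "tok-user-513": 513}

# Constructed sample data: each user's transactions (the "financial data" at stake).
TRANSACTIONS: Dict[int, List[dict]] = {
    512: [{"id": 9001, "amount": 42.50, "memo": "coffee"}],
    513: [{"id": 9002, "amount": 1200.00, "memo": "rent"}],
}


@dataclass
class Request:
    headers: Dict[str, str]
    body: str  # raw JSON text, as sent by curl -d


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(req: Request) -> Optional[int]:
    """Resolve the Bearer token to a user id; None if missing or unknown."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return SESSIONS.get(token)


def fetch_transactions_vulnerable(req: Request) -> Response:
    """The flaw from the story: the token is checked (authentication), but the
    server then trusts the client-supplied userId (no authorization)."""
    if authenticate(req) is None:
        return Response(401, {"error": "unauthenticated"})
    user_id = json.loads(req.body)["userId"]
    return Response(200, {"userId": user_id, "transactions": TRANSACTIONS.get(user_id, [])})


def fetch_transactions_fixed(req: Request) -> Response:
    """Hardened handler: the record owner is derived from the token, and a
    userId that does not match the caller is refused."""
    caller = authenticate(req)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    try:
        requested = json.loads(req.body).get("userId", caller)
    except (ValueError, AttributeError):
        return Response(400, {"error": "malformed body"})
    if requested != caller:
        # 404 rather than 403 so the endpoint does not confirm which ids exist.
        return Response(404, {"error": "not found"})
    return Response(200, {"userId": caller, "transactions": TRANSACTIONS.get(caller, [])})


def probe(handler, token: str, user_ids: List[int]) -> List[int]:
    """Tester's view, mirroring the Intruder loop in the story: with one token,
    which userIds return transaction data? Returns the ids that leaked."""
    leaked = []
    for uid in user_ids:
        req = Request(
            {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            json.dumps({"userId": uid}),
        )
        resp = handler(req)
        if resp.status == 200 and resp.body.get("transactions"):
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    ids = list(range(510, 516))
    print("vulnerable:", probe(fetch_transactions_vulnerable, "tok-user-512", ids))
    print("fixed:     ", probe(fetch_transactions_fixed, "tok-user-512", ids))
```

Run it and the vulnerable handler hands one token every user's records, while the fixed one returns only the caller's. Two design choices carry the fix: the owner of the record comes from the session, never from the request body, and a mismatch is answered with a 404 rather than a 403 so the endpoint cannot be used to confirm which `userId` values exist. When hunting, the differential `probe` shows (one token, many ids, 200 with data for all of them) is the signal to look for before reaching for a screenshot tool.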