### How I Earned $250 for Reporting a Bug in CodaPayments
As a passionate bug bounty hunter, I’ve always loved the thrill of hunting for vulnerabilities and helping companies secure their platforms. This time, I was working on CodaPayments and managed to find a client-side bypass that earned me a $250 bounty. Here’s how I found and reported the bug.
#### Starting the Hunt: Testing Signup Bugs
Like most bug bounties, my journey started with testing the usual suspects: signup functionality. I tried setting my username to payloads for common vulnerabilities like SQL injection (SQLi), cross-site scripting (XSS), and server-side template injection (SSTI). Unfortunately, nothing worked.
#### Moving to IDOR and API Vulnerabilities
After failing to find anything in the signup process, I shifted my focus to other types of bugs. I tested for insecure direct object references (IDOR) and information disclosure vulnerabilities. I also closely inspected the API requests for any potential issues. Again, no luck.
#### The Breakthrough: Business Name Change Bypass
That’s when I came across an interesting functionality related to setting your business name. In CodaPayments, once you set your business name, you are not allowed to change it again — at least, that’s what the platform’s user interface indicated.
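A lock that exists only in the user interface is not a control, because the server still decides what gets stored. As an added example (not from the original post and not CodaPayments' code; the handler names, field names and in-memory store are hypothetical), here is a write-once field enforced from stored state, next to a handler that relies on the UI to hide the input:

```javascript
// Constructed in-memory account store (hypothetical; stands in for a database).
function makeStore() {
  return new Map([["acct_1", { businessName: null, email: "owner@example.test" }]]);
}

// Fields a client may ever write through this endpoint.
const WRITABLE = new Set(["businessName", "email"]);
// Fields that may be written once and are then locked server-side.
const WRITE_ONCE = new Set(["businessName"]);

// Weak: relies on the UI hiding the input once the name is set.
// Any request that still carries businessName overwrites the stored value.
function updateProfileUiOnly(store, accountId, body) {
  const account = store.get(accountId);
  if (!account) return { status: 404 };
  Object.assign(account, body);
  return { status: 200, account };
}

// Hardened: the lock is decided from stored state, not from what the UI rendered.
function updateProfileEnforced(store, accountId, body) {
  const account = store.get(accountId);
  if (!account) return { status: 404 };
  const changes = {};
  for (const [field, value] of Object.entries(body)) {
    if (!WRITABLE.has(field)) return { status: 400, error: `unknown field: ${field}` };
    if (typeof value !== "string" || value.trim() === "") {
      return { status: 400, error: `invalid value for ${field}` };
    }
    const locked = WRITE_ONCE.has(field) && account[field] !== null;
    if (locked && value !== account[field]) {
      return { status: 409, error: `${field} is already set and cannot be changed` };
    }
    changes[field] = value;
  }
  Object.assign(account, changes); // applied only after every field passed
  return { status: 200, account };
}
```

The enforced handler rejects the whole request when any field fails, so a locked field cannot be changed by bundling it with an allowed one.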