Hello hackers! This is Zack0x01, back to share one of the most interesting findings in my bug bounty journey. After a hiatus for personal reasons, I resumed hunting in September on a public Bug Bounty Program (BBP) on the HackerOne platform. In this blog, I’ll take you through my process, the tools I used, and how I earned $4,000 by uncovering critical vulnerabilities. Let’s dive in!
Subdomain enumeration is not always my go-to strategy; I typically start with the main application. However, for this target, I used tools like Subfinder, Findomain, and Assetfinder to gather a comprehensive list of subdomains.
To remove duplicates, I relied on the famous anew tool by TomNomNom, followed by httpx from Project Discovery to identify active subdomains.
Once you’ve listed all subdomains, tools like Eyewitness can streamline your process by generating screenshots of all domains and organizing them into a single HTML page. This method saved me time and effort while identifying an interesting login and registration page on test-domain-h1.app.com.
Understanding the business logic of an application is critical for successful bug hunting. For example:
- E-commerce apps: look for vulnerabilities in payment, pricing, and checkout processes.
- Ticket booking platforms: analyze functions like ticket creation, sharing, and reservation management.
For this target — a ticket booking app — I studied its core functionalities, keeping an eye out for weak spots that could disrupt business or compromise user data.
Once I understood the app’s workflow, I began testing the ticket creation and registration link features. Here’s what I did:
- Injected payloads like '><svg/onload=confirm(1)> in fields such as name, email, and description during ticket creation.
- Generated and tested the public registration links to verify whether my payloads triggered stored XSS (cross-site scripting).
Multiple XSS vulnerabilities surfaced but were duplicates of previously reported issues.
While exploring the admin functionalities, I stumbled upon a button labeled “EXPORT YOUR CUSTOMERS”, which allowed exporting customer data as PDF or Excel files.
By intercepting the export request in Burp Suite, I found the following POST request:
POST /FileGenerator/user/ZAZZ-SDFSSDF-ZERZE-QSDFQSF
Host: test-domain-h1.app.com
Cookie: ....

{
"UserID": "ZAZZ-SDFSSDF-ZERZE-QSDFQSF"
}

The response returned a fileID that was later used in a GET request to fetch customer data. By incrementing the fileID value, I gained access to other customers’ data, including:
- Full name
- Email address
- Zip code
- Phone number
- Address
This vulnerability exposed sensitive information worth thousands of dollars on the black market!
The application, valued in the billions, had a critical IDOR (Insecure Direct Object Reference) vulnerability. I promptly reported the issue and received a $2,000 reward.
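To make the root cause concrete, here is an added model of the export flow (my own illustration, not the target’s FileGenerator code): a sequential fileID with no ownership check beside a hardened version that binds each export to the session user and uses an unguessable handle. The customer records, user IDs and the ExportStore class are all constructed for the example.

```python
import secrets

# Constructed sample records standing in for two customers' export data.
CUSTOMERS = {
    "user-A": {"name": "Alice Example", "email": "alice@example.test", "zip": "10001"},
    "user-B": {"name": "Bob Example", "email": "bob@example.test", "zip": "20002"},
}


class ExportStore:
    """Hypothetical in-memory stand-in for the export/file-retrieval service."""

    def __init__(self):
        self._files = {}        # file_id -> (owner_user_id, export_payload)
        self._next_seq = 1000   # sequential counter: the guessable pattern from the write-up

    def create_export_vulnerable(self, user_id):
        # Predictable fileID: the next customer's export is simply fileID + 1.
        file_id = str(self._next_seq)
        self._next_seq += 1
        self._files[file_id] = (user_id, CUSTOMERS[user_id])
        return file_id

    def fetch_vulnerable(self, file_id):
        # No ownership check: whoever supplies a valid fileID receives the data (the IDOR).
        return self._files[file_id][1]

    def create_export_fixed(self, user_id):
        # Unguessable handle removes the enumeration path...
        file_id = secrets.token_urlsafe(16)
        self._files[file_id] = (user_id, CUSTOMERS[user_id])
        return file_id

    def fetch_fixed(self, session_user_id, file_id):
        # ...but the real control is the server-side check that the session owns the file.
        entry = self._files.get(file_id)
        if entry is None or entry[0] != session_user_id:
            raise PermissionError("export not found or not owned by caller")
        return entry[1]


def demo_vulnerable():
    """user-A requests an export, then reads the next sequential fileID (another customer)."""
    store = ExportStore()
    own_id = store.create_export_vulnerable("user-A")
    store.create_export_vulnerable("user-B")
    return store.fetch_vulnerable(str(int(own_id) + 1))["email"]


def demo_fixed():
    """Same flow against the hardened store: own export readable, other user's denied."""
    store = ExportStore()
    own_id = store.create_export_fixed("user-A")
    other_id = store.create_export_fixed("user-B")
    own_email = store.fetch_fixed("user-A", own_id)["email"]
    try:
        store.fetch_fixed("user-A", other_id)
        return own_email, "leaked"
    except PermissionError:
        return own_email, "denied"
```

Run demo_vulnerable() and demo_fixed() to see the cross-customer read succeed against the first store and fail against the second.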
Encouraged by the discovery, I dug deeper into the app’s VIP features. I identified a similar export functionality tied to VIP customer data. By repeating the steps above, I exploited the same vulnerability in a different endpoint.
I was rewarded another $2,000 for this additional finding, bringing the total to $4,000.
Thank you for joining me on this journey. If you enjoyed this write-up, leave a comment or share your own hunting stories. See you in the next one!