🔍 Once upon a time in the world of bug hunting… I received an invite from Dublin City University to test their digital realms. Armed with my trusty automation tools, Nuclei and Afrog, I went full throttle but hit a wall. 🤔 Not even a breadcrumb of a vulnerability showed up!
With automation failing me, I went old school — manual mode activated. I zoomed in on example.com, a neat IDE-like platform for DCU students. Cue hacker instincts: time to dig deep.
👣 Crawling the site, I sniffed out some interesting directories:
/home/features/s/auth (Hello, potential jackpot!)
This endpoint was wide open: anyone, with no account at all, could add content and even host web pages. Imagine the possibilities! I prepped a suave HTML POC that screamed, “Hey, I’m pro-level, look at this hack!” and reported it via YesWeHack.
💬 Status: Under Review.
⏳ Me: Refresh. Refresh. Refresh. (Oh, we all know the feeling!)
The next day, DCU’s security team responded about that very endpoint. 📝 They said it was intended for public use — mind blown. Cue deflation. 😩 I almost conceded, accepting it as an “expected vulnerability.”
Days later, inspiration struck after watching a YouTube video about HedgeDoc, the software powering this platform. The video showcased a signup flow and a page host button, both of which the DCU instance lacked. It was clear: note creation is meant for authenticated users, and nothing on the DCU site said anonymous use was intended.
🚨 Time for a rebuttal! I pushed back for a re-evaluation, argued my case, and… radio silence.
⏳ Two weeks passed until… 📨 “Report accepted. Issue fixed. €100 reward.” 💥 Bingo! The endpoint now answers unauthenticated requests with 403 Forbidden.
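If you want to re-check a finding like this yourself (or verify a fix without waiting for the “Issue fixed” mail), the probe below is an added example, not code from the original writeup or from the HedgeDoc project. It assumes the HedgeDoc 1.x behaviour where an anonymous `POST /new` with a `text/markdown` body creates a note and redirects to it; the DCU page in the story exposed a different path (`/home/features/s/auth`), so the path is a parameter. Both “servers” it talks to are constructed in-process mocks of the before-fix and after-fix behaviour, so the script runs offline; point `probe_anonymous_create` at a real host and port (with permission) to test a live instance.

```python
"""Added example (not from the original writeup or the HedgeDoc project):
probe whether a HedgeDoc-style note-creation endpoint accepts unauthenticated POSTs.

Assumptions: the target behaves like HedgeDoc 1.x, where an anonymous POST to
/new with a text/markdown body creates a note and answers with a redirect to it.
A locked-down instance should answer 401/403 instead. The mock servers below are
constructed stand-ins so the probe can be exercised offline.
"""
import http.client
import http.server
import threading

CREATE_PATH = "/new"  # assumed path; the DCU instance in the writeup exposed /home/features/s/auth


class MockNoteServer(http.server.BaseHTTPRequestHandler):
    """Constructed mock. 'allow_anonymous' toggles before-fix vs after-fix behaviour."""
    allow_anonymous = True

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)  # consume the body so the socket is left clean
        if self.path != CREATE_PATH:
            self.send_response(404)
            self.end_headers()
            return
        authenticated = "Cookie" in self.headers  # mock rule: any cookie counts as a session
        if not self.allow_anonymous and not authenticated:
            self.send_response(403)  # the behaviour DCU shipped as the fix
            self.end_headers()
            return
        self.send_response(302)  # note created, redirect to its page
        self.send_header("Location", "/s/constructed-note-id")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock(allow_anonymous):
    """Bind a mock on an ephemeral loopback port and serve it on a daemon thread."""
    handler = type("Handler", (MockNoteServer,), {"allow_anonymous": allow_anonymous})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_anonymous_create(host, port, path=CREATE_PATH, body="# probe"):
    """POST a markdown body with no session cookie and classify the response.

    Returns a dict with the status, the Location header and
    anonymous_create: True (content accepted), False (auth enforced), None (inconclusive).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=body.encode("utf-8"),
                 headers={"Content-Type": "text/markdown"})
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    if resp.status in (200, 201) or (300 <= resp.status < 400 and location):
        verdict = True   # the server took our content without a session: still open
    elif resp.status in (401, 403):
        verdict = False  # authentication is enforced
    else:
        verdict = None   # something else (404, 5xx): look at it by hand
    return {"status": resp.status, "location": location, "anonymous_create": verdict}


def run_demo():
    """Run the probe against the before-fix and after-fix mocks and collect verdicts."""
    results = {}
    for label, allow in (("before_fix", True), ("after_fix", False)):
        server = start_mock(allow)
        host, port = server.server_address
        try:
            results[label] = probe_anonymous_create(host, port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

The verdict deliberately treats any 2xx or redirect-with-Location as “still open”: a write endpoint that accepts anonymous content is the finding, regardless of what page it sends you to afterwards. A 404 or 5xx is reported as inconclusive rather than as fixed, since it may simply mean the path moved.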
Oh, and stay tuned for my next story about finding a Host Header Injection (out-of-scope by policy but under review now). RTFS moments, am I right? 😅