Hello everyone, this is Umair Farooqui with a new experience about how I found a vital security issue on the Paytm platform and, in turn, became a bounty hunter with earnings of 13,000 INR and an appreciation letter from the company — step by step: My Adventure.
Starting from the enumeration phase of the project, I did in-scope domain enumeration for Paytm using Subfinder and Assetfinder. Wherein I came across:
https://ondc-seller-reg.paytm.com/login
The API responses kept coming in JSON format. However, placing unwanted special characters and some byte codes in the ref_url parameter changed the API's response: the parameter value was now reflected in plain text rather than in JSON.
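The behaviour described above, a handler that answers well-formed input with JSON but drops into an untyped error path that echoes the raw parameter, is what makes the reflection renderable. The following is an added illustration written for this post, not Paytm's code; the function names, the response shape and the sample inputs are constructed, with the hardened version beside the weak one and a simple response check a tester can apply.

```python
import json
import html
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample inputs: a normal relative path and an input carrying
# stray markup, standing in for the "special characters" the post mentions.
NORMAL_REF = "/dashboard"
MARKUP_REF = "1<b>probe</b>"

def is_plain_path(ref_url: str) -> bool:
    """Accept only a same-site relative path: no scheme, no host, no markup."""
    if not ref_url or ref_url[0] != "/" or ref_url.startswith("//"):
        return False
    parts = urlsplit(ref_url)
    if parts.scheme or parts.netloc:
        return False
    return all(ch.isalnum() or ch in "/-_.?=&" for ch in ref_url)

def vulnerable_login(ref_url: str) -> Tuple[str, str]:
    """Weak pattern (hypothetical): a valid ref_url gets a JSON reply, but
    unexpected characters fall into an error branch that reflects the raw
    parameter with no declared content type, so the browser sniffs the body
    and renders any markup it contains."""
    if is_plain_path(ref_url):
        return ("application/json", json.dumps({"status": "ok", "redirect": ref_url}))
    # Error branch: untyped body, raw reflection of attacker-controlled input.
    return ("", "Invalid ref_url: " + ref_url)

def hardened_login(ref_url: str) -> Tuple[str, str]:
    """Every branch returns JSON with an explicit content type, the reflected
    value is JSON-encoded (and HTML-escaped for defence in depth), and a
    rejected ref_url is replaced by a fixed default instead of being reused."""
    if is_plain_path(ref_url):
        body = {"status": "ok", "redirect": ref_url}
    else:
        body = {"status": "error", "message": "invalid ref_url",
                "supplied": html.escape(ref_url), "redirect": "/"}
    return ("application/json; charset=utf-8", json.dumps(body))

def reflects_raw_markup(response: Tuple[str, str]) -> bool:
    """Check a tester or a response-monitoring rule can apply: a raw '<' in a
    body that is not declared as JSON means input was reflected unencoded."""
    content_type, body = response
    return not content_type.startswith("application/json") and "<" in body
```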
Noticing this potential weak spot, I went to the page with the payloads specified on the PortSwigger XSS Cheat Sheet and copied all of them. Then, I used Burp Suite’s Intruder function and pasted them in, setting the scope for where to inject the payloads.
When I launched the attack, I received some responses in HTML format. Initially, after trying many payloads, I was not able to bypass the firewall.
This is the Burp request I eventually decided on using:
POST /login HTTP/2
Host: ondc-seller-reg.paytm.com
Referer: https://ondc-seller-reg.paytm.com/
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Length: 222
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
ref_url=1<h1>A new offer from paytm make a payment of $200 to 100%25 win brand new car <a href=https://poc.umarifarooqui.com>Make%20Payment</a></h1><img src=https://poc.umairfarooqui.com/hacker.jpg><!--
When I saw that it was quite an easy vulnerability to find and didn't take much time, I realized that it could be a duplicate. Not wanting to waste more time, I reported the vulnerability to Paytm. Shortly after, I got an email confirmation from the team acknowledging the report. They said that as there are so many reports coming in, any duplicate and out-of-scope reports would be closed automatically without intimation.
Proof of Concept (POC):
https://poc.umairfarooqui.com/paytm.html
Note: On a visit to this POC URL, it raises a request to Paytm with the payload and pops up an HTML-injected message. But this was patched, so now it will show no message.
YouTube Video: POC Video
I waited for the usual seven-day waiting period but did not get a response from Paytm. Thinking that the issue was being ignored or had been marked as a duplicate, I moved on.
A week or so later, I was pleasantly surprised to receive an email from Paytm. They finally accepted that the issue that I reported was genuine, and that they were working on a fix.
Feeling confident by this response, I ventured out further for testing. I threw several WAF bypass XSS payloads to sneak through this firewall. Eventually, one of these worked, and I could trigger the XSS.
I updated that ticket with the new details of the XSS vulnerability. After going through those details, Paytm rewarded me an amount of 13,000 INR and sent me an appreciation letter for responsible disclosure.
Here is the appreciation certificate that I received:
Overall, this has been one of the most significant learning experiences throughout my journey as a security researcher; it underlined the importance of thorough testing and responsible disclosure. I thank Paytm for their professional response and acknowledgment. This journey has been enriching, both intellectually and financially. Thank you for reading. Comments or questions: feel free to ask. Here's to discovering and contributing towards making this digital world a more secure place!