Assalamualaikum (Peace be upon you) and Ramadan Mubarak to everyone!!! Hope you’re doing great. This is my very first writeup. Today I’m gonna share how I found my first valid bug and how it got triaged.
Remember, I’m not gonna give you deep technical tips. Instead, I’d like to give you some tips on how you can get to the level where you can start finding valid bugs. I know this may sound hella dumb to those of you who are now desperate to find your first issue. Even I felt the same when I was at your level, buddy. Everybody feels and felt the same as you. Some of you may also be feeling that in 2024 the targets are so much more secure than before, which is the reason you’re not finding anything. But it’s not true! It’s true that back in 2016–2017 the bugs were comparatively easier to discover than they are now. But hunters were struggling back then as well. This is natural, because they were discovering those issues while they were new and trending at that time. You, on the other hand, are starting to hunt already knowing and practicing them. But now those old bugs are not found easily. As time goes on, the technologies update, the tech stacks change, and this will always be the case. You just need to learn continuously and keep up with the trend. That’s it. I know “bug bounty is hard, but not so hard that you can’t do anything in it”.
Don’t jump into hunting without clearing up the basic concepts. Learn consistently. But don’t get lost in the maze of learning. Learn, and apply your knowledge on real-world targets when you’re confident. Read writeups, take notes when you read something new, take notes about the target when you hunt. Follow other expert hunters. Study their methodologies. Gradually build your own methodology. You can go home from school one way. But there could be other ways as well. Maybe you would have discovered something new if you had come home another way. So you can follow others’ methodologies, but take different approaches. For example, your methodology has a step to enumerate subdomains. Here you can try different approaches to enumerating subdomains that other hunters have missed. Maybe you can find some interesting stuff. Keep going, keep learning, learn consistently.
It’s better to be consistently good than occasionally great!
So I used to watch disclosed bug bounty PoCs on YouTube to know which bugs hunters are reporting nowadays. It helped me learn about some new attack vectors and testing techniques. One day I saw a hunter post a PoC of a bug called “Unauthenticated cache purging”. As a beginner who had never heard of it, I found this newly learned bug very unique and thought this was one of the secret bugs that others don’t share. So I started to test it everywhere without knowing whether the issue is still considered valid these days or not.
One day I started to hunt on Fastly. I didn’t know how to start hunting on a target properly, what I should do in my first engagements, or how to do recon. As I had followed Remonsec from the start, I had learned a few recon techniques for wildcard targets. So I started to enumerate subdomains. And then visited them one by one manually 😆 However, after some time I decided to hunt for logical bugs in the main app. So when I opened the main app and opened the Wappalyzer extension in my browser, I saw it was using Varnish for its HTTP cache management. Then I remembered that I could test for cache purging here. So I opened the terminal and typed curl -X PURGE https://fanout.io/
and the response was { "status": "ok", "id": "1237-1678993092-222436" }
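For the defender’s side of this, here is an added example that is not from the post, from Fastly or from fanout.io: the Varnish VCL pattern for handling PURGE. The first (commented-out) form accepts a PURGE from any client, which is what makes an unauthenticated purge possible; the second is the standard ACL-restricted form from Varnish’s documentation. The ACL addresses are placeholders.

```vcl
vcl 4.0;

# --- Weak: any client can evict cached objects with a single request ---
# sub vcl_recv {
#     if (req.method == "PURGE") {
#         return (purge);
#     }
# }

# --- Hardened: only trusted sources may purge ---
# Placeholder ranges; replace with the hosts that legitimately issue purges
# (e.g. the CMS or deploy pipeline).
acl purge {
    "localhost";
    "10.0.0.0"/8;
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (!client.ip ~ purge) {
            # Unknown source: reject without touching the cache.
            return (synth(405, "Not allowed"));
        }
        # Trusted source: invalidate the matching object(s).
        return (purge);
    }
}
```

To verify the hardened config, a PURGE from an address outside the ACL should return 405 and leave the cached object in place, while one from a listed address is honoured.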
I was like WOW!
I was surprised that I had finally found my newly discovered bug. But after reporting it, I came to know that this issue is not that impactful, and it was closed as informative. Being disappointed, I requested to disclose the report. After the internal Fastly staff analyzed the report, he chose to triage and fix the issue without changing the severity. And surprisingly, he rewarded me with their swag. I felt very motivated after that and started to study more and more. And this year I’ve got my first bounty as well.
Along the way, Remonsec pushed me by making me realize how far I still need to go. Sometimes he insulted me for my mistakes like a big bro XD. But it really worked, and I’m very thankful to him for this. A few weeks after that, I started to report some good bugs in VDPs, though most of them were duplicates. Yes, I’ve gotten N/As as well. Everybody does. Success comes only after you have tasted failure. As long as you’re dedicated to your dream and your work, you must trust the process, kinda blindly, as long as you’re on the correct path. For that you can always get help from the experts. They’re always there. And once you’re there, don’t forget to give back to the community. I’ll try to post some newbie (coz I’m a noob 😜) tips which actually helped me find my first bug and also my first bounty. But let’s post that in another writeup, as this one got unnecessarily long haha. Till then, have a great time and happy hunting, Allah hafiz!