My First Bug Bounty: Lessons Learned and Money Earned

4 months ago

George Torres

Hey everyone! I'm excited to share my first bug bounty experience with you. It all started when I was bored and began a security test on a buy now/pay later application from a prominent company. When testing this company, I stumbled upon an open redirect.

“An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.”

Open redirects may seem harmless, but they can be dangerous and can do real harm to end users.

How it happened: There was a redirect parameter in the URL and it caught my attention. I decided to put it to the test. I replaced the redirect URL with Twitter.com and BAM! An open redirect. I was so happy I actually couldn't believe it. "No way this company is vulnerable to an open redirect," I thought to myself. But to my surprise, I had successfully gotten the application to send me to my desired endpoint.

Realizing the impact of this vulnerability, I understood how an attacker could exploit it. By manipulating the redirect parameter, they could craft convincing phishing attacks, tricking users into visiting malicious websites while thinking they were accessing a trusted source.
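To make the vulnerability class concrete, here is an added example (not code from the post, and not the tested company's code) showing the redirect pattern described above beside a hardened version. The origin `https://app.example.com`, the function names, and the sample inputs are all assumptions I constructed; the post does not name the host or the parameter. The hardened check is an allowlist: it accepts only a local path or an exact same-origin absolute URL, rejects the usual bypass shapes (scheme-relative `//host`, backslashes, tabs, `https:host`, `javascript:`, userinfo tricks), and always re-emits a relative target built from the parsed value rather than echoing the raw input.

```python
"""Open-redirect check: the vulnerable pattern beside a hardened one.

Added example, not code from the post or the application it tested.
APP_ORIGIN, the function names and SAMPLE_INPUTS are assumptions/constructed.
"""
from urllib.parse import urlsplit

# Assumption: the application's own origin. The post does not name the host.
APP_ORIGIN = "https://app.example.com"


def vulnerable_redirect_target(redirect_param: str) -> str:
    """The pattern the post describes: whatever arrives in the redirect
    parameter becomes the Location header, so https://twitter.com (or a
    phishing site) is honoured as-is."""
    return redirect_param


def safe_redirect_target(redirect_param: str, fallback: str = "/") -> str:
    """Return a redirect target that can only ever stay on APP_ORIGIN.

    Accepted: a local path ("/account?x=1") or an absolute URL whose scheme
    and netloc match APP_ORIGIN exactly. Everything else falls back.
    """
    if not redirect_param:
        return fallback
    # Browsers strip tabs/newlines and leading/trailing spaces before parsing,
    # so "/\t/evil" would become "//evil"; refuse anything with such bytes.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in redirect_param):
        return fallback
    # Browsers treat "\" as "/" in http(s) URLs, and "//host" (or "///host")
    # as a new authority. Reject those shapes on the raw string.
    if "\\" in redirect_param or redirect_param.startswith("//"):
        return fallback

    parts = urlsplit(redirect_param)
    origin = urlsplit(APP_ORIGIN)
    if parts.scheme or parts.netloc:
        # Absolute URL: only an exact scheme + netloc match is allowed.
        # Comparing netloc (not hostname) also rejects userinfo and port
        # tricks such as https://app.example.com@evil.example/.
        if parts.scheme != origin.scheme or parts.netloc.lower() != origin.netloc:
            return fallback
    elif not parts.path.startswith("/"):
        # Bare "evil.example" would resolve as a relative path, but an
        # allowlist should accept only what it positively recognises.
        return fallback

    # Re-emit a relative target built from the parsed path and query, never
    # the raw input, so the Location header can only name the app's origin.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


# Constructed sample inputs: the post's Twitter test plus common bypass shapes.
SAMPLE_INPUTS = [
    "https://twitter.com",                    # the post's proof of concept
    "//evil.example/login",                   # scheme-relative
    "/\\evil.example",                        # backslash variant browsers read as //
    "///evil.example",                        # also parsed as an authority by browsers
    "https:evil.example",                     # scheme without slashes
    "javascript:alert(document.domain)",
    "/\t/evil.example",                       # tab that browsers strip, leaving //
    "https://app.example.com@evil.example/",  # userinfo trick
    "https://app.example.com.evil.example/",  # prefix-match trick
    "/account/settings?tab=security",         # legitimate local path
    "https://app.example.com/orders/42",      # legitimate same-origin absolute URL
]


def compare(inputs=SAMPLE_INPUTS):
    """Return {input: (vulnerable_target, safe_target)} for each sample."""
    return {v: (vulnerable_redirect_target(v), safe_redirect_target(v)) for v in inputs}


if __name__ == "__main__":
    for value, (vuln, safe) in compare().items():
        print(f"{value!r:42} vulnerable -> {vuln!r:42} hardened -> {safe!r}")
```

The design choice worth noting is the last step: even when an input passes, the function returns a path it rebuilt from the parsed components, not the string the user sent. That is what keeps shapes like `///evil.example`, which some parsers normalise to a harmless path while browsers read them as a new host, from ever reaching the `Location` header unchanged.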

With my findings in hand, I promptly created a detailed report and submitted it to the company on HackerOne. The wait for their response felt like an eternity, but eventually, they triaged the report. Their validation of the vulnerability was a validation of my skills and instincts.

In the end, I received a $150 bounty for my contribution. More importantly, I gained invaluable knowledge and experience, understanding the importance of trusting my instincts and thoroughly testing every aspect of a system.

This bug bounty journey has taught me that even seemingly insignificant vulnerabilities can have significant consequences. It’s a reminder to stay curious, explore, and report responsibly. Trust your instincts, test everything, and who knows, you might uncover something truly impactful. Stay tuned for more bug bounty adventures.
