The $900 Bug: My Journey Through SSRF and LFI Exploits


Akash Ghosh

As a bug bounty hunter, I spend countless hours dissecting features, trying to understand how they work, and looking for potential flaws. One night, while exploring Example.com’s Site Audit tool, I stumbled upon a vulnerability that allowed me to exploit both Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI). The discovery eventually earned me a $900 bounty.

This was not a quick win — it required careful planning, methodical testing, and some trial and error. Unfortunately, I’m unable to share screenshots due to program policies and disclosure agreements. I apologize for the lack of visual references, but I’ll do my best to provide a detailed step-by-step breakdown of how I uncovered these vulnerabilities.

Understanding the Vulnerable Feature

The Site Audit tool is a utility designed to analyze websites for issues related to SEO, performance, and security. Users input a domain, and the tool crawls the website, fetching and analyzing resources. Since this process inherently involves the server making outbound requests, it became my primary target for testing SSRF vulnerabilities.
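A defender-side sketch of the check a crawler's domain input needs before the server fetches anything, added here as an illustration and not taken from the original article or the program's code. It limits the schemes the fetcher accepts and rejects any host that resolves to a non-public address. The names `check_audit_target`, `system_resolver` and `ALLOWED_SCHEMES` are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list: anything else (file://, ftp://, ...) never reaches the fetcher.
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Return every address the host resolves to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_audit_target(raw, resolver=system_resolver):
    """Return (True, [addresses]) if the crawler may fetch the target, else (False, reason).

    The caller should connect to one of the returned addresses instead of
    resolving the name again, so a later DNS answer cannot bypass the check.
    """
    raw = raw.strip()
    try:
        # A bare domain such as "example.org" has no scheme; treat it as https.
        url = urlsplit(raw if "://" in raw else "https://" + raw)
        host = url.hostname
    except ValueError:
        return False, "malformed target"
    if url.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + url.scheme
    if not host:
        return False, "no host in target"
    try:
        # An IP literal is checked directly, without a lookup.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16)
        # and other reserved ranges; one bad answer rejects the whole target.
        if not ipaddress.ip_address(addr).is_global:
            return False, "resolves to non-public address: " + addr
    return True, addresses
```

The decision is made on the resolved addresses rather than on the string the user typed, so a public-looking hostname that points at an internal address is rejected as well.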

Step 1: Testing the Input Field

The first thing I did was test how the domain input field handled different types of user input. Here are the steps I followed:
