My First Bug ($500)

Abhishek Yadav
Nov 19 · 3 min read

This is my first blog so ignore if i make any mistakes.

After spending 2 to 3 months looking for bugs i couldn’t find anything. So i went on HackerOne’s Hacktivity page where you can read disclosed reports of vulnerabilities reported by researchers.

As i was reading the reports i found this vulnerability that i didn’t know about.

The vulnerability was that you can spoof their email address and then the attacker can send emails from their email address which could lead to sending fake emails or attempts of phishing.

To see if you can send an email of a target domain you need to check if it has an SPF (Sender Policy Framework) Record. Its basically a framework that checks which hosts are authorized to send mail for a domain.

To check this visit https://www.kitterman.com/spf/validate.html There are many websites to check this but i find this very simple. Just type the domain name and click on Get SPF Record (if any).

For eg: If you receive an email like support@example.com then type example.com

Response

If you get No valid SPF record you probably can send an email using that domain. To send an email visit https://emkei.cz . A lot of websites are available to send emails i just find this easy to use and the emails are received fairly quick. Fill in all the details and hit send and if you receive an email from that domain its vulnerable.

I tried this on the websites that i used to hack and 3 of them didn’t have the SPF record and so i reported them and after a few days they replied.

The first one turned out duplicate which led me thinking that the other two would be duped as well cause how easy it was to find, but they turned out to be valid and i received a bounty for it. 😁

Hope you find this useful, i tried my best to explain. Please share so that others can learn from it.

Thank You.

Abhishek Yadav

Written by

Pentester | Bug-Bounty

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade