BUG BOUNTY: How I earned $550 in less than 5 minutes. “Open Redirect chained with rXSS”

Ahmadbrainworks
4 min read · Dec 14, 2019


Assalamu Alaikum Warahmatullahi Wa Barakatuhu…

Hello Guys :D . My name is Ahmad Abdullahi Adamu, Bug Hunter from the Northern part of Nigeria (Arewa) ;) .

Today I’m going to share with you guys

How I earned $550 in less than 5 minutes.

I woke up one Sunday morning and, as usual, I picked up my phone and logged in to my Facebook account. While scrolling through the news feed I came across a Facebook ad for Showmax (Showmax is an online movie website, just like Netflix).

I then tapped on the ad and visited the site. My principle whenever I come across a new website is that the first thing I do is check whether the site is running a Bug Bounty Program, by googling “hackerone <site name>” or something like “<the site name> bug bounty”. I did the same here and found that they are running a Bug Bounty Program on HackerOne.

And the most interesting part is that this program (Showmax) had not resolved any report in about 6 months, which is a good chance to get some bugs :D (according to my bug hunting belief :P , and that’s the same belief I applied to Yahoo! and it worked there too: a bug was found, but is not yet resolved).

I then fired up my Burp Suite, revisited the site and went through it, opening every link that appeared on my screen (lol :P , just joking, opening every link would have taken me more than 5 minutes).

I clicked “Try it for 14 days”, which took me to a signup page and after that redirected me to the payment page. To be frank with you I don’t have a Master or Visa card (I usually use my sister’s or a friend’s :P) but this time around they were not there to give me their cards :3 .

I then opened Burp’s HTTP “History” to check it, and while scrolling I saw something in the request body of one of the entries from “secure.showmax.com”. The body looked like this:

{payment_url:"https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=https://payu.co.za......."}

I was like “Masha Allah this is an Open Redirect” (I’m very much in love with Open Redirects). Without wasting a single second :P I tried changing the redirection URL to google.com and it worked, so it was time to write a simple report about the issue to their HackerOne program.

Within some hours they triaged it :D

I then moved further to check whether I could chain the Open Redirect into rXSS. This blog post (XSS limited input formats) by Rodolfo Assis (brutelogic) helped me a lot (during my XSS research :P lols).

I changed the URL from https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=https://google.com to https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=javascript:%250Aalert(1)

and then Boom! I got alert(1).

XSS again.

I then reported it to them (in the same report that I opened earlier).
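As an added example (not the author’s code and not Showmax’s), here is the kind of server-side check that would have stopped both findings: a validator for a parameter like redirection_url that decodes the value as many times as the %250A payload above needs, rejects control characters instead of stripping them, and only allows https URLs to an allowlisted host. The allowlist contents and the function names are assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hosts the payment step may legitimately return to. payu.co.za appears in the
# request body quoted in the post; the rest of this allowlist is constructed.
ALLOWED_HOSTS = {"payu.co.za", "secure.showmax.com"}
ALLOWED_SCHEMES = {"https"}

# The WHATWG URL parser deletes every ASCII tab/LF/CR and trims leading/trailing
# C0 controls and spaces, so "javascript:\nalert(1)" runs as javascript:alert(1).
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))


def decode_layers(value: str, max_layers: int = 2) -> str:
    """Undo up to max_layers of percent-encoding, stopping when nothing changes.
    The reported payload used %250A, which only becomes a newline after two passes."""
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def browser_scheme(url: str) -> str:
    """Scheme a browser would act on after WHATWG-style whitespace removal."""
    cleaned = _TAB_NEWLINE.sub("", url).strip(_C0_OR_SPACE)
    return urlsplit(cleaned).scheme.lower()


def safe_redirect_target(raw: str) -> Optional[str]:
    """Return the canonical redirect URL if it is https to an allowlisted host, else None.
    The decoded form is both validated and returned, so the server never validates one
    string and redirects to another."""
    url = decode_layers(raw)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return None  # reject control characters outright; do not strip and continue
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None  # rejects javascript:, data:, http: and scheme-relative //host
    if parts.username is not None or parts.password is not None:
        return None  # userinfo is a common way to disguise the real host
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return None
    return url
```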

Assalamu Alaikum.

Takeaways:

  • Try to find the exact bugs that the program you are participating in is interested in; for this one (showmax.com) they are interested in XSS, SQL Injection, IDOR, Open Redirects, etc. (as mentioned on their policy page).
  • Look at programs that most hackers are not paying much attention to.
  • Don’t just look for open redirects in your browser address bar; some of them tend to occur in JSON request bodies (like mine here).
  • Write a simple report with some screenshots and a short video attached (not more than 3 minutes).
  • Once you discover a bug in a system, report it as fast as you can (avoid delays). After you have reported it you can keep digging into that bug; you may later catch something bigger than what you first reported, and for this “the one with the more dangerous impact may result in a good bounty”.
