Baibhav Anand
Jul 23 · 3 min read

Hello readers,

I am Baibhav Anand Jha and this is my story about how a web security vulnerability workshop organized by BountyBash helped me multiply my money in one day.

About the workshop

I was in this workshop where Mr. Shashank Kumar was our tutor for the day. He is actually very good at teaching, and I enjoyed every single second of the workshop.

So how exactly did this help me multiply money?

While I was in the workshop, Shashank sir gave us many practical pieces of advice on bug hunting. One of them was: “Whenever you see a link with two parameters, try changing one of the parameters and check if the value gets accepted.”

The workshop ended. It was a wonderful experience. I got to learn so many new things.

Now, while I was on my way home, my phone beeped, but I didn’t check it instantly. I decided to check it upon reaching home.

I was at home, casually sitting in front of the TV. I checked my phone for the notification, and there was this email from HackerOne about a private program. I checked the program like I check every other program. I decided to sign up. As I was signing up, I got this confirmation email to verify that the email belonged to me.

The link looked something like: https://www.website.com/register/verify/(my email)/(token)

Looking at this link, I was like: “Two parameters”, just like what Shashank sir told us to check. “Let me dig in a little more”, I thought to myself. I didn’t open the link and decided to create a new account using a random email. Since I didn’t have access to the new random email, I decided to modify my confirmation link by changing the email parameter to that of the new random email, but I didn’t change the token.
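To make the bug concrete, here is an added example (not code from the original post, and not the code of either affected program) that models a verification handler for a link of the shape /register/verify/(email)/(token). The in-memory store, the function names, the token format and the 24-hour lifetime are assumptions for illustration; only the link shape comes from the post. The vulnerable handler asks “is this a valid token?” instead of “is this the token issued to this email?”, which is exactly why changing the email while keeping your own token gets a stranger’s address verified. The hardened handler binds the token to the account, compares it in constant time, enforces an expiry and burns it after one use.

```python
"""Email-verification tokens not bound to the address they verify.

Added example; the store, handler names and token format are assumed.
"""
import hmac
import secrets
import time

# Constructed in-memory "database": email -> account record.
ACCOUNTS = {}


def register(email, now=None):
    """Create an unverified account and return its verification link path."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ACCOUNTS[email] = {
        "verified": False,
        "token": token,
        "expires": now + 24 * 3600,  # assumed 24-hour lifetime
    }
    return f"/register/verify/{email}/{token}"


def parse_link(path):
    """Split /register/verify/<email>/<token> into its two path parameters."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["register", "verify"]:
        raise ValueError("not a verification link")
    return parts[2], parts[3]


def verify_vulnerable(email, token):
    """Bug: accepts any token that exists for *some* account.

    The token is never tied to the email in the link, so the attacker's own
    token verifies whatever address they put in the path.
    """
    if email not in ACCOUNTS:
        return False
    if any(acct["token"] == token for acct in ACCOUNTS.values()):
        ACCOUNTS[email]["verified"] = True
        return True
    return False


def verify_hardened(email, token, now=None):
    """Token must match the record for *this* email, be unexpired and single-use."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is None or acct["token"] is None:
        return False
    if now > acct["expires"]:
        return False
    # Constant-time comparison against the token issued to this account only.
    if not hmac.compare_digest(acct["token"], token):
        return False
    acct["verified"] = True
    acct["token"] = None  # burn the token so the link cannot be replayed
    return True


def demo():
    """Replay the post's test: keep the attacker's token, swap in another email."""
    ACCOUNTS.clear()
    attacker_link = register("attacker@example.com")
    register("victim@example.com")  # the "random email" account from the post
    _, attacker_token = parse_link(attacker_link)
    # Tampered link: victim's email, attacker's unchanged token.
    tampered = f"/register/verify/victim@example.com/{attacker_token}"
    email, token = parse_link(tampered)
    vuln = verify_vulnerable(email, token)
    ACCOUNTS["victim@example.com"]["verified"] = False  # reset between handlers
    hard = verify_hardened(email, token)
    return {"vulnerable_accepted": vuln, "hardened_accepted": hard}


if __name__ == "__main__":
    print(demo())
```

When testing a real target, the same tampering step applies: take your own confirmation link, replace only the email segment with an address you control but have not confirmed, and see whether that account flips to verified. A server that accepts it is trusting the token without binding it to the identity in the link.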

And as soon as I opened the modified link, I was like: It got verified!!!

I instantly reported it to the program, and they rewarded me a three-digit bounty.

I then thought to myself, “Why not try this on other websites as well?” I looked into some public programs on HackerOne and came across this website called (Censored until fixed). It is a fairly popular website; I am sure most of you would have heard of it before.

Coincidentally, it had the same vulnerability. And I was like: Another $XXX bounty!!!

Thank you for making it to the end of the story. Here is a bug bounty tip: whenever you see a link with two parameters (here, an email address and a verification token), try changing one of them and check whether the server still accepts the request. A verification token should only work for the account it was issued to; if it also works after you swap in a different email, the server is validating the token without binding it to the identity in the link.

Wanna connect?

Here are some of my social media profiles where you can find me.

Facebook - https://www.facebook.com/ibaibhav

Instagram - https://www.instagram.com/baibhavanand

Twitter - https://www.twitter.com/ibaibhavjha

Written by Baibhav Anand

I am a security researcher from Nepal and also the Founder and CEO of BaiTux (a cyber-security-based educational start-up).
