How I Got SONY swag
Hello Bug Bounty Hunter , penetration tester , Security researcher .
I am Bharath Kalyan from Chennai , India .
This is my First bug bounty write up .
In this Blog , I am going to talk about how I got Sony swag .
I Decided to get swag from Sony . so I started test the Sony website.
…..
I Started with subdomain enumeration . I personally used the Subfinder to find subdomains .
Subfinder found the number of subdomains and then I used the httpx tool to find status of subdomain .
usage of httpx https://www.hackingarticles.in/a-detailed-guide-on-httpx/
Then I Randomly picked the one 200 response subdomain which is contain the login page .
1) In login page I enter the wrong username and password .
2) Capture the request in burp suite and send it to intruder .
3) Mark the username field and add the payloads (100 usernames)
4) Start the attack and the server returns the 200 response not 429 response .
5) The Server didn’t block me .
then I reported to sony team .
Bug Name : Missing rate limiting protection for the Login form .
Impact : An attacker can freely bruteforce any username and can takeover any account
I Got sony swag 😊😎
Thanks :) happy hacking