In this post, I’ll be describing how I found 5 bugs on a private HackerOne program. The website that I attacked was a new CTF hosting provider, and I had actually participated in a CTF using this provider prior to being invited to their private program.

Please note that as the program is private, I can’t show the exact pages exploited, or show any of the exact code that I used to exploit them.

Race Condition in Flag Submission

Out of all bugs submitted, I believe that this had the highest severity. …
