How my recon won $250 in 15 minutes

Hi there again,

I’m Hein Thant Zin, just a noob bug hunter. Today I’m going to share how recon helped me find an easy bug in a HackerOne private program.

The story began when I was awarded my first bounty. I was really motivated to hunt for more bugs on H1, so when I got a private invitation I checked it out.

Sadly, there were only 2 domains in scope for their program.

Let’s say the program name as

The scope domains are

Alright, I tested for some common bugs like CSRF, XSS and other logical bugs in the main app domain, but I didn’t find anything because it had already been tested by other experienced hackers, so there was very little chance for me to find a valid bug there.

The next day, I remembered to do some recon for the program, so I went through GitHub and checked all their repositories. Suddenly, I found a payment API endpoint in their repo.

As you can see, the redirect_uri parameter looks interesting.

I changed it to

Open redirect? Nahh… I got a Bad Request response with a 400 status.

Then I tried to bypass it, and the following URLs successfully bypassed the filter and redirected to the site.

I also tested for SSRF and XSS but failed. So I reported the bug and they rewarded me $250 for this simple open redirect bug.
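The pattern above in code, as an added example that is not the author’s code or anything from the program’s repo: a naive redirect_uri check of the kind that answers 400 to an obviously foreign host, next to a stricter parse-and-allowlist check, both run against constructed bypass payloads. The host app.example.com, the attacker host evil.example and the payload list are assumptions; the write-up does not say which URL got past the program’s filter.

```python
"""
Added example (not from the original write-up): a weak redirect_uri check
that is easy to bypass, beside a stricter one. Hosts and payloads below are
constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumed legitimate redirect target (constructed, not the real program's host).
ALLOWED_HOSTS = {"app.example.com"}


def weak_is_allowed(redirect_uri: str) -> bool:
    """Substring check: rejects a plain foreign URL (the 400 case) but is
    satisfied by any URL that merely *mentions* the trusted host."""
    return "app.example.com" in redirect_uri


def strict_is_allowed(redirect_uri: str) -> bool:
    """Parse the URL and compare scheme, userinfo and exact host against an
    allowlist. Backslashes are folded to slashes first because browsers treat
    '\\' like '/' in the authority section while urlsplit does not, so
    'https://evil.example\\@app.example.com' would otherwise parse with
    app.example.com as the host."""
    normalised = redirect_uri.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme != "https":
        return False                      # also kills '//host' and 'javascript:'
    if parts.username is not None or parts.password is not None:
        return False                      # 'https://trusted@evil.example'
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_HOSTS          # exact match, no suffix/prefix tricks


# Constructed payloads. Each one contains the trusted host somewhere, so the
# weak check lets it through; none of them actually lands on the trusted host.
BYPASS_PAYLOADS = [
    "https://app.example.com.evil.example/",       # trusted host as a subdomain prefix
    "https://evil.example/app.example.com",        # trusted host in the path
    "https://app.example.com@evil.example/",       # trusted host as userinfo
    "//evil.example/app.example.com",              # scheme-relative URL
    "https://evil.example\\@app.example.com/",     # backslash before '@'
    "javascript:alert(1)//app.example.com",        # non-http scheme
]


def evaluate(payloads):
    """Return (payload, weak_verdict, strict_verdict) for each payload."""
    return [(p, weak_is_allowed(p), strict_is_allowed(p)) for p in payloads]


if __name__ == "__main__":
    legit = "https://app.example.com/callback"
    foreign = "https://evil.example/"
    print(f"{legit!r}: weak={weak_is_allowed(legit)} strict={strict_is_allowed(legit)}")
    print(f"{foreign!r}: weak={weak_is_allowed(foreign)} strict={strict_is_allowed(foreign)}")
    for payload, weak, strict in evaluate(BYPASS_PAYLOADS):
        print(f"{payload!r}: weak={weak} strict={strict}")
```

The legitimate callback passes both checks and the plain foreign URL fails both, which is the 400 the author saw; every constructed bypass passes the weak check and fails the strict one. When testing a redirect_uri parameter, these are the shapes worth trying after the obvious host swap is rejected.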


That all happened in just 15 minutes, while the night before I had spent at least 4 or 5 hours testing the main app and got nothing. What was the difference?

When you are doing bug bounty, you need to have the right approach for the target.

Don’t skip any recon steps; the more recon you do, the better your chances of winning $$$$.

I hope you enjoyed this write-up. Actually, I’m not an IELTS guy, so excuse me for any grammatical mistakes. Btw, you can find me there

Thanks for reading, see ya guys…
