Hi there again,
I’m Hein Thant Zin, just a noob bug hunter. Today I’m going to share how recon helped me find an easy bug in a HackerOne private program.
The story began when I was awarded my first bounty. I was really motivated to hunt more bugs on H1, and then I got a private invitation and checked it out.
Sadly, there were only 2 domains in scope for their program.
Let’s call the program http://reacted.com
The scope domains are
Alright, I was testing for some common bugs like CSRF, XSS and other logic bugs in the main app domain, but I didn’t find anything because it had already been tested by other experienced hackers, so you know there was very little chance for me to find a valid bug there.
The next day, I remembered to do some recon for the program. So I went through GitHub and checked all their repositories. Suddenly, I found a payment API endpoint in their repo.
As you can see, the redirect_uri parameter looks interesting.
Open redirect? Nahh… I got a Bad Request response with a 400 status.
Then I tried to bypass it, and the following URLs successfully got past the check and redirected to the site.
I also tested for SSRF and XSS but failed. So I reported the bug and they rewarded me $250 for this simple open redirect bug.
That happened in just 15 minutes, while the night before I had spent at least 4 or 5 hours testing the main app and got nothing. What was the difference?
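The pattern behind this bug is a redirect_uri check that rejects obvious off-site values (hence the 400) but can still be worked around. The snippet below is an added example, not code from the original post or the program: it puts a substring-style filter next to a strict allowlist validator so the difference is visible. The allowed hosts and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hosts the payment flow may legitimately send a user back to (constructed for this example).
ALLOWED_HOSTS = {"reacted.com", "www.reacted.com"}


def naive_check(redirect_uri: str) -> bool:
    """Weak filter: only asks whether the trusted hostname appears somewhere in the value.
    It answers 400 to an obviously foreign URL, yet passes any value that merely
    contains the trusted name (as a query parameter, as a subdomain prefix, ...)."""
    return "reacted.com" in redirect_uri


def strict_check(redirect_uri: str) -> bool:
    """Hardened validator: parse the URL and require https plus an exact hostname
    match against the allowlist. Anything the parser cannot pin down is rejected."""
    try:
        parts = urlsplit(redirect_uri)
        host, port = parts.hostname, parts.port  # .port raises ValueError on junk
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    # No userinfo and no explicit port: both are classic sources of parser confusion.
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    # Browsers treat a backslash in the authority like a slash; Python's parser does not.
    if "\\" in parts.netloc:
        return False
    return host in ALLOWED_HOSTS  # hostname is already lowercased by urlsplit


def compare(redirect_uri: str) -> tuple:
    """Return (naive verdict, strict verdict) for one candidate redirect target."""
    return naive_check(redirect_uri), strict_check(redirect_uri)
```

Run `compare()` over your own list of legitimate return URLs first: a strict allowlist only helps if every real callback target is actually on it.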
When you are doing bug bounty, you need to have the right approach for the target.
Don’t skip any recon steps; the more recon, the more chances to win $$$$.
I hope you enjoyed this write-up. Actually I’m not an IELTS guy, so excuse me for any grammatical mistakes. Btw you can find me here: https://twitter.com/H3Lowr
Thanks for reading, see ya guys…