My First Un-Expected $$$$ Digit Bounty for an Un-Expected Vulnerability
Hello readers, this is the first time I am writing a blog. I hope I won't waste your time and that you will take some motivation from this.
In this blog I will discuss how I got my first unexpected 4-digit bounty for a bug that many ethical hackers and bug bounty hunters ignore, or that is often out of scope. Ok, let's start. (Note: this was 3 years back.)
I started bug bounty back in 2019 when I was in the 3rd year of college; before that I was just gathering knowledge and learning about cyber security. Since I started, I was able to get some bounties and some swag, which always kept me motivated and helped me stay consistent. But after a few months, times changed and I was not able to score any bounty; all my reports were coming back either as duplicates or N/A. But I didn't stop.
One fine day I started my day and decided to start fresh. So I completely closed everything that was up and running: all the programs I was hunting on, all the terminals running different recon commands, everything, and started afresh.
Methodology
I went to Google and started searching for open bug bounty and RVDP programs. I usually do that by using Google dorks like
intext: Vulnerability disclosure
intitle: Security Bounty Program
...etc
After using the dorks, I looked for programs that were recently launched; to do that I clicked on the Tools button and set the time to "Past month".
After scrolling through the programs, I came across one that had been launched just a week earlier, and I thought, let's give this a try.
I will disclose the program name at the end, as the program is now closed and they are not accepting any further reports.
Vulnerability Finding Methodology
After setting my target, I quickly went through the scope and out-of-scope sections, and things were pretty clear there.
I started subdomain enumeration and found that there were no major subdomains listed, only 4–5. Then I started manually checking the website and its functionalities. I saw a login button on the main website, so I went straight to that section to look for authentication-related vulnerabilities, as that is my favorite feature to hunt on. I created my accounts there and started looking for vulnerabilities like CSRF, session expiration, session validation, IDORs, 2FA bypass and other major vulnerabilities, mostly P2-P3.
After spending about 2 hours I didn't find anything and was close to giving up. I then came back to the main website and started looking for sensitive information leaks on the internet via Google dorks, GitHub and tools like waybackurls, ffuf and dirsearch to find some juicy information. But again, bad luck: there was no juicy information present. I felt like there were no vulnerabilities and thought of moving on to the next website, but I don't know what held me back, and I went back to check the login functionality page again.
I again looked at the qualifying and out-of-scope vulnerabilities and found that "no rate limit" was not mentioned as out of scope, so I thought, let's give it a try. I tested for missing rate limiting on all the sensitive endpoints: the password reset function, the password change function, the invite-team-members function and other endpoints too. But nothing was working; everything seemed protected. I took a break and went out with my friends.
The next day I thought, why not test rate limiting on the login functionality only? (I was not aware at that time that it was called a brute force attack.) To my surprise there was no protection against brute force, and I was able to perform a valid brute force attack on the main login page. I was not very excited, because I thought that even if it was a valid bug I would only get a P4-P3 reward, i.e. max $200, but I reported it through their reporting form, which existed at the time, and I did not get any confirmation back to my email. I waited for a week, there was no response, and it completely went out of my mind as I started hunting on other programs.
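As an added example (my own code, not from the original post or from the program named below), here is the kind of control whose absence the report describes: a sliding-window login limiter keyed by account and by source IP, with a lockout, replayed over constructed attempts. The thresholds, account names and IP addresses are assumed values.

```python
import time
from collections import defaultdict, deque
# Added example (not from the original post): a sliding-window limiter for
# login attempts, keyed by account name and by source IP, with a lockout once
# the limit is hit. Thresholds below are assumed values, not the program's.
MAX_FAILURES = 5       # failures within the window that trigger a lockout (per key)
WINDOW_SECONDS = 300   # length of the sliding window, in seconds
LOCKOUT_SECONDS = 900  # how long a key stays blocked after hitting the limit

class LoginRateLimiter:
    def __init__(self):
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time when the lockout expires

    def is_blocked(self, key, now):
        return now < self._locked_until.get(key, 0)

    def record_failure(self, key, now):
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:  # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()

    def check_login(self, username, ip, password_ok, now=None):
        """Return 'blocked', 'failed' or 'ok' for a single login attempt."""
        now = time.time() if now is None else now
        keys = (f"user:{username}", f"ip:{ip}")
        if any(self.is_blocked(k, now) for k in keys):
            return "blocked"  # do not even evaluate the password while locked
        if password_ok:
            return "ok"
        for k in keys:
            self.record_failure(k, now)
        return "failed"

def simulate():
    """Replay constructed attempts through a fresh limiter (times are seconds)."""
    limiter = LoginRateLimiter()
    attempts = [("alice", "203.0.113.5", False, t) for t in range(0, 50, 10)]  # 5 bad guesses
    attempts += [
        ("alice", "203.0.113.5", True, 60),    # correct password, but the account is locked
        ("bob", "203.0.113.5", True, 70),      # other account, same source IP: still locked
        ("alice", "198.51.100.9", True, 500),  # new IP, but the account lock has not expired
        ("alice", "198.51.100.9", True, 1000), # lock expired at 940, so the login succeeds
    ]
    return [limiter.check_login(u, ip, ok, now=t) for u, ip, ok, t in attempts]
```

Keying on both the account and the source address means neither many guesses against one account nor one password tried across many accounts from a single address goes unthrottled.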
After 1 month I got an e-mail (check the attachment below).
Lessons I learned from this
- Being consistent is the key.
- Don't underestimate your findings! Ask yourself whether this is something that can really be an issue.
- Don't put expectations before results.
- Always be patient.
- Take a break whenever you feel you are lost.
Conclusion
Reward: $1000
Program Name: https://improvmx.com/
Vulnerability Name: No Rate Limit On Login Page (Brute Force Attack)
POC:
I hope you liked this blog and learned something from it.
Feed | LinkedIn — My LinkedIn Profile.