Don’t underestimate the errors. They can earn a good $$$ bounty!

Aditya Sharma
Jun 7, 2019 · 2 min read

Today I am going to tell you how I got a $$$ bounty. That day I was looking for a good bug bounty program with a wide scope, and my search ended at the Mamba Bug Bounty Program. As we all know, the first step is to sharpen the axe before cutting the tree 😐, I mean, just start recon on my target https://mamba.ru :). After an hour I took a look at its subdomains.

There was a subdomain, https://bot.mamba.ru, that looked like a dummy chat-bot subdomain 🎃, as you can see below.

Vulnerable subdomain

What could I do there? Let’s chat with the bot, lmfao 😆.

While sending a message to the bot chat I intercepted the request and tried to inject XSS, but nothing happened.

Let’s move on to a new target, it’s just a bot chat :( ….. No, first try a Host header injection… but the result was nothing.

And then I accidentally removed the Host header from the request and boooomm… in the error I got a source code path disclosure, caused by a server-side misconfiguration. If the server had been properly configured I would have got a 400 Bad Request, but instead I got a 401 error with sensitive information, as you can see below (I hid the path).
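To show the check a defender would run for this class of issue, here is an added example (my own code, not from the post and not from Mamba). It spins up two constructed local servers, one that reproduces the misconfiguration (a request with no Host header answered by an error page containing a server path) and one that answers with a plain 400 and a generic body, then sends a raw HTTP/1.1 request without a Host header to each and flags any filesystem path in the response body. The path `/var/www/botchat/app/handlers.php`, the handler names and the path regex are all constructed assumptions, not values from the post.

```python
"""Regression check: does a server leak filesystem paths when the Host header
is missing? Added example, not from the original post. The two handlers are
constructed stand-ins for a misconfigured and a hardened server."""
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed heuristic: absolute Unix paths under common web roots, or Windows drive paths.
PATH_RE = re.compile(r"(?:/(?:var|home|usr|opt|srv|etc)/[\w./-]+|[A-Za-z]:\\[\w.\\-]+)")


class LeakyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the misconfiguration described in the post:
    a Host-less request triggers an error page that contains a server path."""

    leaky = True

    def do_GET(self):
        if self.headers.get("Host") is None:
            if self.leaky:
                # Constructed error body; the real disclosed path is hidden in the post.
                body = b"Error in /var/www/botchat/app/handlers.php on line 42\n"
                self.send_response(401)
            else:
                # Hardened behaviour: HTTP/1.1 requires Host, so answer 400 and say nothing else.
                body = b"Bad Request\n"
                self.send_response(400)
        else:
            body = b"ok\n"
            self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the check quiet


class HardenedHandler(LeakyHandler):
    """Same server after the fix: generic 400 for a missing Host header."""

    leaky = False


def send_without_host(host, port, path="/"):
    """Send a bare HTTP/1.1 GET with no Host header; return (status, body)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"GET {path} HTTP/1.1\r\nConnection: close\r\n\r\n".encode())
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body.decode(errors="replace")


def check_missing_host(host, port):
    """Finding dict: the server should answer 400 and leak no filesystem path."""
    status, body = send_without_host(host, port)
    leaked = PATH_RE.findall(body)
    return {"status": status, "leaked_paths": leaked,
            "passes": status == 400 and not leaked}


def run_check(handler_cls):
    """Start a throwaway local server with the given handler, check it, stop it."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_missing_host(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("misconfigured:", run_check(LeakyHandler))
    print("hardened:     ", run_check(HardenedHandler))
```

Pointed at your own host instead of the local stand-ins, `check_missing_host` is the whole regression test: anything other than a 400 with a generic body for a Host-less request is worth a look, and a path in the body is a finding.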

Sensitive path disclosure on https://bot.mamba.ru

So I reported the bug to the Mamba security team. They responded after 1 day, informing me that they were rewarding me $200 for this bug 🙏.

So don’t underestimate the errors.

Timeline:

Wed, May 22, 2019 at 4:08 PM: Bug Reported

Thu, May 23, 2019 at 11:20 PM: Mamba Security Team replied “Valid Issue”

Thu, May 23, 2019 at 11:33 PM: Bug patched & bounty rewarded.

Sat, May 25, 2019 at 10:20 AM: Request for public disclosure.

Sat, May 25, 2019 at 05:20 PM: Agreed to public disclosure.

P.S.: Sorry if there are any grammatical mistakes, my English is not good enough, and this is also my first blog.

Thanks for reading

#keepHunting
