Bug Bounty Hunting
In July 2023, after finishing my internship duties for the day, I sat in my hostel room when a sudden thought struck me, let’s try bug hunting. Despite my lack of prior experience, a faint spark of courage flickered within me, while a reassuring voice quietly insisted, “You can do it!”. Inspired, I spent an hour researching and decided to give it a shot.
I created an account on HackerOne and chose a Vulnerability Disclosure Program (VDP) to start with, focusing on a wildcard domain *.bharatbenz.com. After conducting some reconnaissance on the domain, I selected a specific sub-domain. Let’s assume the target is xyz.bharatbenz.com.
I opened my browser and began exploring the website. It had numerous parameters, so I attempted various types of attacks, including XSS, SQLi, and SSTI. However, none of them worked, and I felt quite disheartened.
Then I noticed a chatbot on the site and decided to have some fun with it. After exchanging some routine messages, I tried injecting an XSS payload to see what would happen. The chatbot filtered out the XSS payloads. Realizing it had some level of filtering, my curiosity was piqued, and my determination renewed.
I continued testing different XSS payloads, but the filtering persisted. Finally, I decided to try an HTML Injection payload. I sent the following payload:
<h1>Click here</h1>To my surprise, it worked! Feeling a surge of excitement from my first successful attempt, I decided to increase the impact by combining HTML Injection with an XSS payload. I crafted the following payload:
<h1 ="alert(document.domain)">Click here</h1>When I submitted this payload and hovered my mouse over “Click here”, an alert with the domain name appeared.
Elated with my discovery, I documented the details and submitted my report for triage. The next day, I received a response from the team: my finding was a duplicate. Someone had submitted the same bug just a few days before. They even sent me a screenshot of the prior submission.
While my first finding turned out to be a duplicate, I didn’t let that discourage me. Instead, I saw it as validation that I was on the right track. Since then, I have continued to learn and apply my knowledge in bug bounty hunting and penetration testing. I am proud to have helped secure many organizations, including NASA and Cisco.
Finding a duplicate bug means you’re on the right path.
Conclusion
Never overlook any input point for an attack, you never know where a vulnerability might be hiding. Always think outside the box and keep pushing forward.
