Every bug bounty hunter has their own unique story. Mine is one of persistence, learning, and a bit of patience. Here’s how I discovered a significant vulnerability, reported it, and ultimately got a €250 bounty on Intigriti.

The Beginning of My Bug Hunting Journey
It all began when I decided to focus on a program listed on Intigriti. The target company—an online shopping platform whose name I’ll keep confidential—piqued my interest. My initial step, as any ethical hacker would agree, was reconnaissance.
Reconnaissance is the process of gathering information about a target to identify potential entry points. During this phase, I discovered multiple subdomains belonging to the company. This was an exciting find because subdomains often host less secure or overlooked parts of a system. One specific subdomain, part of their shopping platform, stood out to me due to its structure and functionality. Intrigued, I began analyzing its features and interactions.
After spending hours exploring the subdomain, I decided to test its payment system. Payment systems are often critical components of any e-commerce platform, making them high-value targets for bug hunters. I aimed to identify any potential flaws in the transaction flow, which could have significant implications if left unaddressed.
My testing began with a small purchase using my credit card. However, before finalizing the payment, I intercepted the HTTP request to examine the data being transmitted to the server. This is a common technique used by ethical hackers to understand how an application processes sensitive operations like transactions.
Discovering the Payment Manipulation Vulnerability
While analyzing the intercepted HTTP request, something unusual caught my attention. Among the request parameters, I noticed the total amount being charged was included in the data payload. This was surprising because critical values like transaction amounts are usually validated server-side and not trusted from client input.
Curiosity got the better of me. I wondered, What would happen if I modified the total amount in the request?
To test my hypothesis, I altered the total amount to a much smaller value—just one cent. With the modified request ready, I allowed it to proceed. To my astonishment, the transaction went through successfully. The amount deducted from my account was exactly one cent instead of the original total.
This confirmed a significant vulnerability: the system was failing to validate the total transaction amount on the server side. While this might seem like a minor oversight, the implications were severe. In the wrong hands, this flaw could allow malicious actors to make fraudulent purchases for negligible amounts, leading to substantial financial losses for the company.
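The fix for this class of flaw is to derive the charge on the server from data the client cannot change. The sketch below is an added example, not code from the platform in this story: the catalogue, SKUs, field names and function names are all assumptions, and it puts the flawed pattern next to a hardened one that recomputes the total and treats a mismatching client total as a tamper signal.

```python
from decimal import Decimal

# Constructed catalogue: authoritative prices are held server-side only.
CATALOGUE = {"sku-100": Decimal("49.90"), "sku-200": Decimal("12.50")}


class OrderRejected(Exception):
    """Raised when an order fails server-side validation."""


def charge_amount_trusting_client(order: dict) -> Decimal:
    """Flawed pattern: the amount to charge is read from the request body."""
    return Decimal(str(order["total"]))


def charge_amount_server_side(order: dict) -> Decimal:
    """Hardened pattern: recompute the total from server-held prices."""
    total = Decimal("0")
    for line in order["items"]:
        sku, qty = line["sku"], line["qty"]
        if sku not in CATALOGUE:
            raise OrderRejected(f"unknown sku {sku!r}")
        # Reject zero, negative and non-integer quantities (bool is an int subclass).
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            raise OrderRejected(f"invalid quantity for {sku!r}")
        total += CATALOGUE[sku] * qty
    # A client-sent total is only compared, never charged; a mismatch is worth logging.
    claimed = order.get("total")
    if claimed is not None and Decimal(str(claimed)) != total:
        raise OrderRejected(f"client total {claimed} != computed {total}")
    return total


def verdict(order: dict) -> str:
    """Return the hardened handler's decision as a short string."""
    try:
        return f"charge {charge_amount_server_side(order)}"
    except OrderRejected as exc:
        return f"rejected: {exc}"


# Constructed request bodies: one honest, one with the total edited in transit.
HONEST = {"items": [{"sku": "sku-100", "qty": 2}, {"sku": "sku-200", "qty": 1}],
          "total": "112.30"}
TAMPERED = dict(HONEST, total="0.01")

if __name__ == "__main__":
    print("flawed handler charges:", charge_amount_trusting_client(TAMPERED))
    print("hardened, honest order:", verdict(HONEST))
    print("hardened, tampered order:", verdict(TAMPERED))
```

The same recomputation should also run in whatever component finally instructs the payment provider, so that a check in one layer cannot be bypassed by calling another.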
Reporting the Vulnerability
Once I confirmed the vulnerability, I meticulously documented my findings. Documentation is a critical step in the bug bounty process, as a clear and detailed report increases the chances of acceptance and speeds up the validation process. My report included:
- A step-by-step guide to reproduce the issue.
- Screenshots showing the original and modified requests.
- Transaction logs highlighting the discrepancy between the original and manipulated amounts.
- An explanation of the potential impact of the vulnerability.
I submitted my report via Intigriti’s platform, hoping for swift validation. Within a few days, I received a response from Intigriti’s triage team. They confirmed that they were able to reproduce the issue and had escalated it to the company’s security team for further investigation.
Facing Rejection
A few days later, I received a disheartening update: the company had rejected my submission. Their reasoning? They claimed there was an additional backend validation mechanism that would prevent any real-world exploitation of the issue.
This was a major blow. As a beginner in bug bounty hunting, I couldn’t help but feel that my efforts had been wasted. It’s easy to get discouraged in moments like these, but I reminded myself that rejection is a common part of the process. I resolved to learn from the experience and moved on to explore other targets, all while keeping an eye on this report for any potential updates.
An Unexpected Turn of Events

Two months passed without any updates. Then, out of the blue, I received an email from Intigriti: “Submission accepted, and a new payout was registered in your name.”
I was stunned. It turned out that after further investigation, the company had identified a valid attack scenario stemming from the vulnerability I had reported. While their initial analysis suggested that the issue had limited impact, deeper testing revealed that certain configurations of their platform were indeed vulnerable.
The company acknowledged the vulnerability and awarded me a €250 bounty. This was an incredibly rewarding moment. Not only did it validate my efforts, but it also reinforced the importance of persistence and thoroughness in bug hunting.

Reflecting on the Experience
This experience was a turning point in my bug hunting journey. It taught me valuable lessons that I carry with me to this day:
- Patience is Key: Bug bounty hunting often requires time. Reports don’t always get immediate responses, and resolutions can take weeks or even months.
- Focus on Learning: Every report, whether accepted or rejected, is an opportunity to refine your skills and deepen your understanding of cybersecurity.
- Persistence Pays Off: Rejection isn’t the end of the road. Keep pushing forward, and success will often come when you least expect it.
- Thorough Documentation Matters: A well-documented report increases the likelihood of acceptance and ensures clarity during the validation process.
Expanding My Horizons
Earning a €250 bounty was more than just a monetary reward. It was proof that my skills and efforts could make a tangible impact. This milestone boosted my confidence and motivated me to continue exploring the fascinating world of ethical hacking and bug bounty programs.
Since then, I’ve focused on sharpening my skills, learning from every experience, and contributing to a safer online ecosystem. Each new target brings unique challenges, but the lessons from this bounty remain invaluable.
A Message to Aspiring Bug Hunters
To all aspiring bug hunters: remember, every expert started as a beginner. Embrace the process, stay persistent, and always keep learning. The world of cybersecurity is vast and ever-evolving, offering endless opportunities to grow and make an impact.
Your breakthrough moment might be just around the corner. Keep hunting, keep learning, and one day, you’ll have your own success story to share.