I'm Muralidharan, a penetration tester, and this is my first article, where I'll be sharing the story of how I secured my very first bounty. My journey into bug hunting began in January 2023, but at the start, I wasn't fully committed. I was mostly uncovering low-priority issues (P4, P5), or hitting roadblocks with duplicate or non-applicable reports. It wasn't until after 1.5 years of persistence and learning that I discovered my first valid vulnerability — a business logic flaw involving email verification.

Description:

Business Logic Vulnerability

Business logic vulnerabilities are flaws in an application's design and implementation that allow attackers to manipulate legitimate functionality for malicious purposes. These flaws arise when developers fail to anticipate unusual application states and handle them safely. Such vulnerabilities are often invisible to regular users but can be exploited by attackers who interact with the application in unintended ways.

Business logic enforces rules and constraints designed to prevent harmful actions or illogical behavior. However, flaws can let attackers bypass these rules, for example, by completing transactions without following the proper workflow or submitting invalid data to manipulate transaction-critical values. Identifying logic flaws requires understanding the business domain and attacker goals, making them difficult to detect with automated scanners. This makes them ideal targets for bug bounty hunters and manual testers.

The Discovery

For the past 6–7 months, I've been actively involved in bug hunting. My focus initially was on Vulnerability Disclosure Programs (VDPs), as they provided a more accessible entry point for learning and honing my skills. About 4–5 months ago, feeling more confident, I shifted my attention towards Bug Bounty programs, eager to put my skills to the test.

The bug I found came from a private program on YesWeHack. Though I can't reveal the actual target, let's refer to it as redacted.com for the sake of this story.

I created an account on a job search website and began exploring its features, testing for various vulnerabilities like XSS, CSRF, CORS, SSRF, IDOR, hyperlink injection, email verification bypass, command injection, and more. After a thorough check, I initially thought the website might be secure, as I couldn't find any obvious bugs.

However, when I turned my attention to the "Edit Profile" section, I noticed an option to change my email. During account creation, the website required a 6-digit OTP to verify the email. I assumed the same verification process would apply when updating the email, but it didn't. The new email was accepted without any verification.

I then tested this by using the "Forgot Password" option. Surprisingly, the password reset email was sent to the unverified email address, allowing a password change without proper validation. Recognizing the severity of this flaw, I immediately reported it to the private Bug Bounty program.

Steps to Reproduce:

1. Create an account using your email address.
2. Complete the email verification process before logging in.
3. Once logged in, navigate to the "Edit Profile" section and change the email address to the victim's email.
4. Notice that the email is updated without any verification.
5. As a result, the account takeover occurs, as the email is changed without proper validation.

Impact:

The lack of email verification during the change process exposes a critical security flaw. An attacker could exploit this by changing the account's email address to one they control, leading to a full account takeover. Once the email is updated, the attacker could reset the account password using the "Forgot Password" feature, gaining unauthorized access to the account. This could result in sensitive information being compromised, such as personal data, job application details, or any other private content stored in the account.

Remediation:

To fix this vulnerability, the system should enforce email verification whenever an email change is requested. Specifically:

1. Upon an email change, send a verification email to the new address with a unique link or OTP to confirm the change.
2. Ensure that the new email is not updated in the system until it has been successfully verified.
3. Consider logging out the user from all active sessions after the email is changed, as an added layer of security.
4. Monitor for suspicious account activity, especially if multiple email change attempts are made.
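The following is an added illustration of remediation steps 1 to 3 as a small in-memory model; it is example code written for this article, not the affected program's code. It assumes a 10-minute OTP lifetime and a five-guess limit (both assumed policy values), keeps the requested address in a separate pending field until the code sent to it is confirmed, and routes password-reset mail only to the verified address, so the reset-to-unverified-email path described above cannot occur.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Optional, Set

OTP_TTL_SECONDS = 600  # pending change expires after 10 min (assumed policy)
MAX_OTP_ATTEMPTS = 5   # online guesses allowed before the change is discarded

@dataclass
class Account:
    email: str                            # the only address the app ever trusts
    sessions: Set[str] = field(default_factory=set)
    pending_email: Optional[str] = None   # requested address, not yet verified
    pending_otp_hash: Optional[str] = None
    pending_expires: float = 0.0
    pending_attempts: int = 0

def _hash_otp(otp: str) -> str:
    return hashlib.sha256(otp.encode()).hexdigest()

def _clear_pending(acct: Account) -> None:
    acct.pending_email = acct.pending_otp_hash = None
    acct.pending_attempts = 0

def request_email_change(acct: Account, new_email: str, now: float) -> str:
    # Step 1: park the address as pending and mint a code for it. The verified
    # acct.email is untouched (step 2); the OTP is returned only to be mailed.
    otp = f"{secrets.randbelow(10**6):06d}"
    acct.pending_email = new_email
    acct.pending_otp_hash = _hash_otp(otp)
    acct.pending_expires = now + OTP_TTL_SECONDS
    acct.pending_attempts = 0
    return otp

def confirm_email_change(acct: Account, otp: str, now: float) -> bool:
    # Step 2: commit only when the code sent to the new address comes back.
    if acct.pending_email is None or now > acct.pending_expires:
        _clear_pending(acct)
        return False
    acct.pending_attempts += 1
    if not hmac.compare_digest(_hash_otp(otp), acct.pending_otp_hash):
        if acct.pending_attempts >= MAX_OTP_ATTEMPTS:
            _clear_pending(acct)  # too many guesses: a fresh request is needed
        return False
    acct.email = acct.pending_email
    _clear_pending(acct)
    acct.sessions.clear()  # Step 3: every existing session is logged out
    return True

def password_reset_target(acct: Account) -> str:
    return acct.email  # reset mail only ever goes to the verified address
```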

Conclusion

I had submitted the bug, convinced it was a high-severity issue, but the program marked it as low severity. I waited and waited, with no response for what felt like an eternity. Eventually, I stopped thinking about it. Then, one day, a few weeks later, I got the surprise of my life — my first bounty! Seeing the bounty banner on YesWeHack filled me with excitement. At that moment, the quote "Hard work never fails" truly resonated with me. It was proof that persistence and effort pay off, even when things don't go as planned.


Here is the bounty I got from YesWeHack

In the end, don't limit yourself to a single tool or technique, and don't stay on a program you don't understand; that will only burn you out. The internet is already a place filled with vulnerabilities.

Contact :

LinkedIn: https://www.linkedin.com/in/murali-dharan-k-7a6b90259/

Thanks for reading till this point!

That's all for this blog. Hope you liked it.

…Thank You!!!