June 9, 2026
These Low-Hanging Fruit bugs Made Me $120+ in 30 Minutes — Bugs That 80% of Hunters Ignore
Bhavishthakral
2 min read
Hi everyone, Bhavish here.
When people think about bug bounty, they imagine critical RCEs, SQL injections, and five-figure payouts. I used to think the same.
But the truth is, many valid reports come from simple observations that most hunters skip because they seem "too easy" or "not impactful enough."
In this article, I'll share six low-hanging findings that collectively earned me $125.
Bug #1 — Cross-Application Session Persistence
Target: xyz.com
Summary
Changing the main account password terminated the primary session, but sessions on an integrated dashboard remained active.
Steps to Reproduce
- Log in to the dashboard using the main account.
- Change the account password.
- Observe that the dashboard session is still active (if the dashboard UI no longer loads, replay its API requests from your Burp HTTP history and check that they still return authenticated data).
Payout
💰 $20
Bug #2 — File Upload Restriction Bypass
Target: xyz.com
Summary
The application validated uploads using file extensions, but the restriction could be bypassed using double extensions.
Example:
file.php.pdf
Steps to Reproduce
- Upload a file using a double extension.
- Observe that the upload succeeds.
- Verify that the uploaded file is downloadable.
Payout
💰 $55
Bug #3 — Session Not Invalidated After Password Change
Target: xyz.com
Summary
Changing the password in one browser failed to terminate sessions in other browsers.
Steps to Reproduce
- Log in on two different browsers.
- Change the password from Browser A.
- Browser B remains authenticated.
Payout
💰 $20
Bug #4 — Authentication Token Reuse
Target: xyz.com
Summary
Previously issued authentication tokens could be reused during the login process, potentially bypassing password verification if a valid token was obtained.
Steps to Reproduce
- Intercept the login flow.
- Replace the error response with a previously valid token.
- Forward the request.
- Observe successful authentication.
Payout
💰 $20 (I know this is low for the bug's severity, but it all depends on the program's budget)
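Bugs #1, #3 and #4 are all the same class of mistake: the server treats "a session or token exists" as "this user is still authorized". The following is an added example, not code from the author or from any of the targets; every name in it is hypothetical and the in-memory dicts stand in for a session store shared by the main app and an integrated dashboard. It shows the naive check that lets the dashboard and Browser B survive a password change, the hardened check that stamps every session with a password generation so one counter bump invalidates all of them, and a login-step token that is consumed on first use so a replay finds nothing.

```python
"""Session invalidation on password change, plus single-use login tokens.
Added example, not the author's or any target's code. Names are hypothetical;
the dicts stand in for a shared session store."""
import hashlib
import os
import secrets
import time


def hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo dependency-free; use argon2id or bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self):
        self.users = {}         # username -> {salt, hash, generation}
        self.sessions = {}      # session id -> {user, app, generation}
        self.login_tokens = {}  # one-time token -> (username, expires_at)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_pw(password, salt),
                                "generation": 0}

    def _check_pw(self, username, password):
        u = self.users.get(username)
        return u is not None and secrets.compare_digest(
            u["hash"], hash_pw(password, u["salt"]))

    def _new_session(self, username, app):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "app": app,
                              "generation": self.users[username]["generation"]}
        return sid

    def login(self, username, password, app="main"):
        return self._new_session(username, app) if self._check_pw(username, password) else None

    def naive_is_authenticated(self, sid):
        # Bugs #1 and #3: only "does the session exist?" is asked, so a password
        # change that forgets to purge the dashboard's or Browser B's session
        # leaves them valid.
        return sid in self.sessions

    def is_authenticated(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return False
        # Sessions carry the password generation they were minted under; a
        # mismatch means the password changed since, whatever app created it.
        if s["generation"] != self.users[s["user"]]["generation"]:
            del self.sessions[sid]
            return False
        return True

    def change_password(self, sid, old, new):
        if not self.is_authenticated(sid):
            return None
        username, app = self.sessions[sid]["user"], self.sessions[sid]["app"]
        if not self._check_pw(username, old):
            return None
        u = self.users[username]
        u["salt"] = os.urandom(16)
        u["hash"] = hash_pw(new, u["salt"])
        u["generation"] += 1              # every existing session is now stale
        del self.sessions[sid]
        return self._new_session(username, app)  # only this browser stays logged in

    def issue_login_token(self, username, ttl=300):
        # Bug #4: tokens used inside the login flow are short-lived and single use.
        tok = secrets.token_urlsafe(32)
        self.login_tokens[tok] = (username, time.time() + ttl)
        return tok

    def redeem_login_token(self, tok, app="main"):
        entry = self.login_tokens.pop(tok, None)   # pop: a replay finds nothing
        if entry is None or time.time() > entry[1]:
            return None
        return self._new_session(entry[0], app)


def demo():
    auth = AuthService()
    auth.register("alice", "hunter2")
    main_sid = auth.login("alice", "hunter2", app="main")
    dash_sid = auth.login("alice", "hunter2", app="dashboard")
    browser_b = auth.login("alice", "hunter2", app="main")
    new_sid = auth.change_password(main_sid, "hunter2", "correct horse battery")
    out = {"dashboard_naive": auth.naive_is_authenticated(dash_sid)}   # True: the bug
    out["dashboard_hardened"] = auth.is_authenticated(dash_sid)          # False
    out["browser_b_hardened"] = auth.is_authenticated(browser_b)         # False
    out["changing_browser"] = auth.is_authenticated(new_sid)             # True
    tok = auth.issue_login_token("alice")
    out["token_first_use"] = auth.redeem_login_token(tok) is not None    # True
    out["token_replay"] = auth.redeem_login_token(tok) is not None       # False
    return out
```

The generation counter is the part worth copying: it invalidates every session, in every integrated app, without the password-change handler having to know where sessions live, which is exactly the enumeration that Bug #1 shows getting missed.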
Bug #5 — Deleted Files Still Accessible
Target: xyz.com
Summary
Files remained accessible through direct URLs even after users deleted them from their accounts.
Steps to Reproduce
- Upload a file.
- Copy its URL.
- Delete the file.
- Access the copied URL.
Payout
💰 $0 (Duplicate but valid)
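Bugs #2 and #5 live in the same upload path, so here is one added example covering both; it is not the author's code or anything from the targets, and the allowlist, the per-owner access model and the `/files/<id>` URL scheme are all assumptions. It contrasts the last-extension check the double-extension trick gets past with a validator that demands exactly one allowlisted extension and matching magic bytes, stores the blob under a server-chosen key, and only serves or deletes it through the owner's record, so a deleted file's URL stops working because the blob is actually gone.

```python
"""Upload validation and post-delete access, as an in-memory file store.
Added example, not the author's or any target's code; names, the allowlist
and the per-owner access model are assumptions. `objects` stands in for a
blob bucket or CDN."""
import posixpath
import secrets

# allowed extension -> magic bytes the content must start with
ALLOWED = {"pdf": [b"%PDF-"], "png": [b"\x89PNG\r\n\x1a\n"], "jpg": [b"\xff\xd8\xff"]}


def naive_extension_ok(filename: str) -> bool:
    # Bug #2's check: only the last extension is inspected, so "shell.php.pdf"
    # passes and is stored under the attacker's own name.
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension to store under, or raise ValueError."""
    name = posixpath.basename(filename)            # drop any path component
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:            # exactly one extension
        raise ValueError("expected name.ext with a single extension")
    ext = parts[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match the declared type")
    return ext


class FileStore:
    def __init__(self):
        self.objects = {}   # storage key -> bytes (the "CDN")
        self.records = {}   # file id -> {owner, key}

    def upload(self, owner, filename, data):
        ext = validate_upload(filename, data)
        fid = secrets.token_urlsafe(16)
        key = f"{fid}.{ext}"                       # server-chosen, never the user's name
        self.objects[key] = data
        self.records[fid] = {"owner": owner, "key": key}
        return f"/files/{fid}"

    def naive_delete(self, owner, url):
        # Bug #5's pattern: the record goes, the blob behind the direct URL stays.
        fid = url.rsplit("/", 1)[-1]
        if fid in self.records and self.records[fid]["owner"] == owner:
            del self.records[fid]

    def delete(self, owner, url):
        fid = url.rsplit("/", 1)[-1]
        rec = self.records.get(fid)
        if rec is None or rec["owner"] != owner:
            return False
        self.objects.pop(rec["key"], None)         # remove the blob itself ...
        del self.records[fid]                      # ... and the record
        return True

    def download(self, requester, url):
        # Serve through the record (existence + ownership), not the raw blob key.
        rec = self.records.get(url.rsplit("/", 1)[-1])
        if rec is None or rec["owner"] != requester:
            return None
        return self.objects.get(rec["key"])


def demo():
    store, out = FileStore(), {}
    out["naive_double_ext"] = naive_extension_ok("shell.php.pdf")        # True: bypass
    for label, name, body in [("double_ext", "shell.php.pdf", b"%PDF-1.4"),
                              ("fake_pdf", "report.pdf", b"<?php echo 1; ?>")]:
        try:
            validate_upload(name, body)
            out["hardened_" + label] = True
        except ValueError:
            out["hardened_" + label] = False                             # both rejected
    url = store.upload("alice", "report.pdf", b"%PDF-1.4 constructed sample")
    out["other_user_read"] = store.download("bob", url) is not None      # False
    key = store.records[url.rsplit("/", 1)[-1]]["key"]
    store.naive_delete("alice", url)
    out["blob_after_naive_delete"] = key in store.objects                # True: the bug
    url2 = store.upload("alice", "report.pdf", b"%PDF-1.4 second sample")
    key2 = store.records[url2.rsplit("/", 1)[-1]]["key"]
    store.delete("alice", url2)
    out["after_delete"] = store.download("alice", url2) is not None or key2 in store.objects
    return out
```

When testing Bug #5 on a real target, the detail to check is whether the URL you copied points at the application (which can consult its records) or straight at object storage or a CDN; the second kind is where the blob tends to outlive the record, and signed URLs with short expiry are the usual fix for it.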
Bug #6 — Internal IP Address Exposure
Target: xyz.com
Summary
A publicly accessible endpoint disclosed an internal IP address that hosted a login interface intended for testing.
Steps to Reproduce
- Visit the affected endpoint.
- Identify the disclosed IP address.
- Access the login page through the IP (extend the attack by hunting directly against the IP, since a host reached by address rather than by hostname may sit behind less firewall or WAF protection).
Payout
💰 $10
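Bug #6 is easy to spot by hand once, and easy to miss across hundreds of responses in a proxy history. The following is an added example, not the author's tooling: a small scanner that pulls dotted quads out of response headers and bodies and keeps only the ones `ipaddress` classes as private, loopback or link-local, so version strings and invalid octets such as `300.1.1.1` do not show up as noise. The response it runs over is a constructed sample; IPv6 literals are not covered.

```python
"""Flag RFC 1918 / loopback / link-local IPv4 addresses in HTTP responses.
Added example, not the author's tooling. SAMPLE_RESPONSE is constructed."""
import ipaddress
import re

# Candidate dotted quads; ipaddress does the real validation, so "300.1.1.1"
# is dropped and three-octet fragments like "nginx/1.18.0" never match.
_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def find_internal_ips(text: str):
    """Return the sorted, de-duplicated non-public IPv4 addresses in text."""
    found = set()
    for m in _CANDIDATE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue               # e.g. an octet over 255
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            found.add(str(ip))
    return sorted(found, key=ipaddress.IPv4Address)


SAMPLE_RESPONSE = (  # constructed, not a capture from any target
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Backend: 10.20.30.40\r\n"
    "\r\n"
    '{"status":"ok","test_login":"http://192.168.1.50:8080/login",'
    '"public_ip":"93.184.216.34","version":"2.1.0.4","bad":"300.1.1.1"}'
)


if __name__ == "__main__":
    for ip in find_internal_ips(SAMPLE_RESPONSE):
        print("internal address disclosed:", ip)
```

Run it over exported proxy history rather than one response at a time; the `X-Backend` header in the sample is the sort of place these addresses leak from, alongside error pages, JavaScript bundles and JSON config endpoints.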
Final Thoughts
These weren't groundbreaking vulnerabilities.
They were assumptions that nobody questioned.
- Deleting a file should actually delete it.
- Password changes should invalidate all sessions.
- SSO should terminate sessions everywhere.
- Authentication tokens shouldn't be reusable.
- Internal assets shouldn't be publicly exposed.
- Upload restrictions should actually work.
I didn't make my first bug bounty earnings through critical RCEs.
I made them by paying attention to small details that most people ignored.
So the next time you think,
"This bug is probably too minor to report."
Take a second look.
It might be your next valid finding.
Happy Hunting!
Socials : https://x.com/Bhavish_Thakral