So I went back to work. I opened HackerOne, scrolling through programs, looking for something interesting. After a while, I finally found one that felt worth the effort. No expectations. No pressure. Just curiosity.
As always, the hunt began with enumeration — collecting as much information as possible about the target.
I fired up my custom port-scanning script. Nothing suspicious. No unusual open ports. Dead end.
Next came subdomain enumeration. I filtered live subdomains using the httpx toolkit, then unleashed my custom Nuclei templates.
Hours passed.Nothing.
By now, it was almost 3 AM.My eyes were closing. Interest was fading. My brain whispered:
"It's okay dude… maybe today isn't our day. Let's sleep."
So I gave up — at least consciously — and went to bed.
Here's the funny part.
Even in sleep, my mind refused to quit. I was dreaming about the target — visualizing its structure, endpoints, and possible weak spots.
I woke up early the next morning with a few fresh tactics, straight from that half-awake hacker mindset.No coffee. No delay.Time to execute.
I geared up Burp Suite and began analyzing requests and responses carefully.
Hours passed. Morning sunlight hit my face as I stared at responses line by line.
Then — something felt off.
The input validation behaved differently on the frontend and backend.
That's when I knew: this deserves attention.
I started testing input validation with various HTML Injection and XSS payloads.Nothing worked.The backend was blocking everything.My brain kicked in again:
"Okay… it doesn't accept payloads directly. Try something different."
So I did.I took a simple HTML payload:
<a href="https://www.google.com">HTML</a>And URL-encoded it:
%3Ca+href%3D%22https%3A%2F%2Fwww.google.com%22%3EHTML%3C%2Fa%3EI hit Enter.
Instead of normal behavior, the application responded with:
"Sorry, we had an unexpected error. Please accept our apologies as we have someone look into this issue."
Red flag. Big one.This was not a proper backend response.I opened the browser console and saw:
Failed to load resource: The server responded with a status of 500At that moment, I knew — the payload had reached the server.
The entire page crashed.No one could access it.The error read:
"Application error: a client-side exception has occurred."
For a second, I wondered if the WAF had blocked me. To be sure, I did the simplest sanity check — I called a friend.
Me: "Hey bro, can you try opening this webpage?" Friend: "Dude… it's not loading at all. What did you do?" Me: "Nothing much… I may have casually disrupted the site with an HTML Injection."
That rush hit instantly. Pure adrenaline. Pure hacker joy.
Reporting & The Wait
Without wasting a second, I documented everything — payloads, responses, impact — and submitted a detailed report on HackerOne.
For the next two days, the page remained completely inaccessible.
Silence.
I honestly started thinking:
"Did they just ignore my report?"
But then…
Two days later, the report was triaged. A few days after that — bounty paid The vulnerability was fixed. And the webpage was finally back online.
Mission accomplished.
Impact of the Bug
- Injection of arbitrary HTML could lead to Stored Cross-Site Scripting (XSS), enabling attackers to execute malicious scripts in other users' browsers.
- Client-side exceptions resulted in a Denial of Service, breaking critical page functionality.
- The payload directly impacted availability, rendering the webpage inaccessible to legitimate users.
Any doubts, Suggestions please mention in the comments.
Happy Ending, Happy Hacking.