The Story of the first bug I found, worth $100, using only my Android Phone

Jefferson Gonzales
3 min read · Dec 16, 2020


$ whoami

I’m Jefferson Gonzales, an 18-year-old first-year college student and part-time Security Researcher from the Philippines, acknowledged by Nokia, the UN, the BBC and 20+ companies.

Hello to all Bug Hunters and Security Researchers. I’m Gonz, a newbie in Bug Hunting, and this is my first writeup, about the first bug I found. I want to say sorry for my bad English.

I first started by participating in SQLi, XSS and Pentest challenges in Facebook Groups, and at that time I didn’t know what Bug Bounty was. Because I don’t have a laptop, I only used my Android phone to search Google and YouTube for tutorials on SQLi and XSS, and months later I knew some tricks about them. One day I saw a friend post on Facebook about a bounty he received, so I searched for bug bounty and read some writeups to get an idea of simple vulnerabilities, and I started learning about CSRF and IDOR. I had a problem with CSRF, because testing some CSRF vulnerabilities needs Burp Suite to capture the request, so at that time I focused on IDOR. Once I understood IDOR I tried to test it on a live target: after searching for Responsible Disclosure Programs I found a website with a bug bounty program that gives monetary rewards if you find a bug or vulnerability on their site. So let’s start with how I found the bug on their website.

Let’s call the website redacted.com, because I don’t have permission to disclose it.

I registered and logged in to redacted.com to see more functions. First I tested for XSS, but had no luck, so I tried for IDOR. After exploring the website I found a function where I can invite a user and set a Role for the user I invited.

So I tested this functionality: I invited my other account and set a Role for the invited account, and after setting the Role I noticed the URL.

The thing that came to my mind was IDOR: the /451/ is the ID of the account I invited, and on that page I can also see what Role I gave to that account. When I changed /451/ to /452/ I could see another user’s Role, which confirmed that there is an IDOR vulnerability.

I created another account to test the IDOR again, invited another account and set a Role, which got the ID 461.

And when I changed ID 461 to ID 451, I could see the Custom Role from my other account.

After confirming that this is an IDOR vulnerability, I wrote my PoC and submitted it to their Security Team.
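As an added illustration (not code from the original post or from redacted.com), here is a minimal model of the invite/role lookup described above: the vulnerable handler trusts the ID from the URL, the fixed one checks that the invite belongs to the logged-in account, and a small log check flags a session walking sequential IDs. The data model, invite IDs, log format and endpoint path are all constructed assumptions.

```python
# Added example, not the original post's code. All data is constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Invite:
    invite_id: int
    inviter_id: int        # account that created the invite (record owner)
    invitee_email: str
    role: str


# Constructed sample data: invite 451 belongs to account 1, 452 to account 2.
INVITES = {
    451: Invite(451, 1, "a@example.test", "Custom Role"),
    452: Invite(452, 2, "b@example.test", "Admin"),
}


def get_invite_role_vulnerable(session_user_id: int, invite_id: int):
    """IDOR: looks up whatever ID the URL carries, never checks ownership."""
    inv = INVITES.get(invite_id)
    if inv is None:
        return 404, None
    return 200, inv.role


def get_invite_role_fixed(session_user_id: int, invite_id: int):
    """Fixed: the record must be owned by the logged-in account.
    A uniform 404 for 'missing' and 'not yours' avoids confirming that
    the other ID exists, which makes enumeration less informative."""
    inv = INVITES.get(invite_id)
    if inv is None or inv.inviter_id != session_user_id:
        return 404, None
    return 200, inv.role


# Constructed access-log format: "user=<id> GET /invites/<id>/role -> <status>"
LOG_RE = re.compile(r"user=(\d+) GET /invites/(\d+)/role -> (\d{3})")


def flag_enumeration(log_lines, threshold: int = 3):
    """Return users whose invite lookups were refused >= threshold times,
    a cheap signal that a session is walking sequential IDs."""
    refused = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "404":
            refused[m.group(1)] = refused.get(m.group(1), 0) + 1
    return sorted(u for u, n in refused.items() if n >= threshold)
```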

Reported: October 21, 2020
Triage: October 28, 2020
Reward received: November 22, 2022

You can contact me at:

https://twitter.com/gonzxph

https://web.facebook.com/g0nzxph

https://www.linkedin.com/in/gonzxph

Written by Jefferson Gonzales

Bug Bounty Hunter | Discoverer of 4x CVE