So The Story started 6 months ago when i got private invite to hackerone program. Its has very less scope. The website was already tested by multiple hackers. 100+ reports already resolved and 65,000+ bounty already awarded.
So this story is about my approach, how i found simple issue within 10 minutes even if the program was heavily tested. And got 3X reward for same issue, just by giving attention to tiny detail.
Main Story :-
On Signup, user gets verification link to verify his/her account.
Now i started playing with the verification link and i observed that it was having “redirect_after” parameter which is empty by-default. But the verification request was not containing any “redirect_after” field.
It was weird!!!
As you can guess, i started entering “redirect_after” everywhere but it was throwing error, request malformed.
Then something clicked in my mind and i used it in the signup url link.
For example :- https://private-site.com/singup?redirect_after=https://evil.com.
And guess what, successful redirect to evil.com happened.
So I reported it. After 1 month they patched it and marked it as closed without asking me to retest.
Story Continues…..
I thought lets see if they fixed it or not :
I did same steps to reproduce the issue and it seemed that issue was fixed.
After sign up, it didn’t took me to evil.com, the application just stopped.
I thought maybe it is getting filtered or something since they patched it.
But when i clicked verification link then it redirected me to evil.com !!!
It was successful attack again.
I reported it 2nd time and they triaged it and again patched it and marked it as resolved.
The End….Just kidding!!!! The issue was still in play.
Recently i tested it again.
Now i noticed they were using POST request while signup and it was a graphql request, actually i was searching for different issue but luckily got bypass for previous fix.
Now the verification link was getting encoded and they were using third party to shorten the url.
I decoded it and guess what i again found the same hidden paramter in the verification link.
So this time i intercepted the POST request for singup and added the hidden paramter (POST /graphql?redirect_after=https://evil.com)
And guess what the verification link redirected the user to evil.com.
I again reported it !!!!
So For 1 Low issue, i got 3X Reward.
The main thing that you should do while doing bug bounty is to see the tiny details. And study every request and its response. Even if the application is heavily tested, treat the application as new. You will be Surprised !!!
Hope it will helps you to grow.
Thank you for your time, milte hai next writeup mai …. Happy Hacking.
