Last updated: 15 Sep 2022
This page lists the bugs I’ve found while doing bug bounty.
Due to confidentiality agreements no program information can be disclosed.
6) 15 Sep 2022
Discovered an HTTP DELETE endpoint which was accessible via an API but not available/implemented as a feature on the UI. In private program.
5) 14 Sep 2022
Stored XSS + Same Origin Policy bypass to exfiltrate session cookie to remove server, in private program.
4) 09 Sep 2022
Unauthenticated cache purge access. In public program (Marked as a P5, informative but acceptable risk to business).
3) 08 Sep 2022
Stored XSS. In private invite program.
2) 07 Sep 2022
EXIF data not removed from uploaded images. In private invite program.
1) 27 Jul 2022
Reflected XSS via search input field. In public VDP program (Marked as duplicate).
I started bounty hunting on 19th of July 2022, 8 days prior to finding my first bug. I didn’t do any hunting in the month of August.
I hunt for bugs using Burp Suite Community Edition and a web browser on MacOS. The process is simply one of exploring the application and hunting against the features that are there. The other tool I’ve used now and then is ffuf (Fuzz Faster U Fool).