How I got my First Bounty (Open Redirect)

I was looking for a good program to hunt on HackerOne and eventually found one; let's call it example.com. I was testing every link and feature of the website when it occurred to me to hunt for an open redirect.

I was testing every piece of functionality that redirected me to the website's login page. After a lot of manual work I found that the website has a deals page, and to activate a deal the user has to be logged in. When I clicked the login button, it redirected me to the login page at something like example.com/login?param=/deals. That redirect parameter sends me back to the deals page once I log in successfully.

I tried different open redirect payloads and bypass techniques. You can find an open redirect cheat sheet at https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html. After some modification and a lot of trying… Boom! I found the open redirect vulnerability.
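For readers on the defending side, here is how a post-login redirect parameter like the one above can be validated so that it only ever lands on the site's own origin. This is an added example, not code from the post or from the program's site; SITE_ORIGIN, the function names and the sample values are constructed, and the check is written as a general allow-list of accepted shapes rather than a block-list of the specific strings tried here.

```python
from urllib.parse import urljoin, urlsplit

# Constructed placeholder for the site in the post; not a real origin.
SITE_ORIGIN = "https://example.com"


def naive_is_local(target: str) -> bool:
    """The check that looks safe but is not: a leading slash does not
    prove a same-site path. '//evil.example' passes it, yet browsers
    treat that as a scheme-relative URL and leave the site."""
    return target.startswith("/")


def safe_redirect_target(target, origin=SITE_ORIGIN, fallback="/"):
    """Return an absolute same-origin URL for a post-login redirect, or
    the fallback page when the value cannot be proven local. This is an
    allow-list of accepted shapes, not a block-list of known payloads."""
    home = urljoin(origin, fallback)
    if not isinstance(target, str) or not target:
        return home
    # Browsers drop tab/CR/LF inside a URL and trim leading/trailing
    # spaces, so normalise the same way before deciding anything.
    cleaned = target.replace("\t", "").replace("\r", "").replace("\n", "").strip()
    # Special schemes treat '\' as '/', so '/\evil' is really '//evil'.
    cleaned = cleaned.replace("\\", "/")
    if not cleaned or any(ord(ch) < 0x20 for ch in cleaned):
        return home
    # Accept only a path rooted with exactly one slash: '//host',
    # '///host' and 'https://host' all fail this shape test.
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return home
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return home
    resolved = urljoin(origin, cleaned)
    # Belt and braces: the resolved URL must still sit on our origin.
    if urlsplit(resolved).netloc != urlsplit(origin).netloc:
        return home
    return resolved


if __name__ == "__main__":
    # Constructed sample values for the login?param=... redirect.
    for value in ["/deals", "//evil.example/", "/\\evil.example", "https://evil.example/"]:
        print(repr(value), naive_is_local(value), safe_redirect_target(value))
```

Anything the validator cannot prove local falls back to the home page instead of being passed to the browser, which is the behaviour to look for when reviewing a login flow's redirect handling.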

I immediately reported the vulnerability to the website's security team. After 3 weeks I received a response: they accepted my report and would award a bounty for my finding. I received the bounty from the company a week later.

Thank you so much for reading my post

Vamshi Vemula

Security Researcher | Cyber Security Enthusiast | Programmer