I’ll be telling y’all how I got my first bounty after six months of hunting regularly.
It was an unlisted program, let’s call it example.com. (Always wanted to say this :”) )
So I started hunting on the site with some basic sub-domain enumeration and validation. After validating the sub-domains now it was time to start fuzzing these babies to get some sensitive info. (Evil laugh)
I started my Virtual Machine and started fuzzing the list of sub-domains, at first I did not find anything impactful which sadly continued till the end of the list until I got a ‘test’ endpoint. Normally this endpoint wouldn’t disclose anything crucial but luckily it redirected me to some private data being leaked and there you have it. (Private data being leaked: CV of a personal employee)
– – – – – – – – – – – – – – – – – – – –
Reported on: 26th March 7:33 PM
Triaged on: 26th March 8:27 PM
Rewarded on: 2nd April with 1,000 Rs gift card :)
Thanks for reading, until next time.