How I got my first bounty $800 for a reflected XSS

There are times in a person's life that he isn't ready for, just as a beginner bug hunter is not ready for the moment his first bounty arrives in his life as an ethical hacker. Let's start without exaggerating.

Let me tell you something about myself. My name is Nirob, and I'm just a noob entering this bug bounty world. I don't know why, but I have been addicted to hacking since I was 15-16 years old, though I still don't know what hacking is. Then, when I was 16, I heard from someone that his Facebook account had been hacked, and this is the way to go... I will share this story another day, inshallah.

My bug bounty hunting journey started in December 2020, when I began learning, and on February 26, 2021 I started hunting by choosing a target on Bugcrowd. Although I had been defacing websites through SQL injection and shell uploads since 2018 😂😂, just for fun and to show off 🙄, when I came to this bug bounty world I found that there are many differences between this world and the world of that time. Well, I will share all those things another day.

So I started giving 5-6 hours every day to learning bug bounty. After 2 months I realized that it was time to practice. Just then it occurred to me that it would be better to practice on a live website, as I could learn more that way: "practice makes perfect". So on February 26 I started my journey by opening a Bugcrowd account. In the beginning I hunted without any rules or discipline. I used to get stuck on whatever I saw. There was a time when I would go to do a CSRF test but would leave it and start testing for another vulnerability; I mean, after 10-20 minutes I would have "finished" everything 😂😂.

When I had spent two months, I felt that I had to be serious from then on and take it as my passion, so I started making daily notes on my own, writing down what I was learning that day, what I was trying to do, etc. I mean, I started to put myself under a routine, but burnout always ruined my head. I used to feel burned out whenever I looked at hacktivity, and I was very scared of some specific things like APIs and injection-type vulnerabilities; I don't know why I felt weak in these. Just then fasting came and I stopped hunting.

I kept working on meditation and mindset during the fast to keep myself strong, and I kept challenging myself that I had to master all the things I was weak in. During the fast I kept making myself mentally prepared and strong, working through burnout and weakness one by one and managing to get out of them. Now I set my mind that I had to hunt for points, not for money, shake off the thought of money from my head, and start thinking anew.

When the fast ended, I re-engaged with hunting, and just a few days later, on June 6, came the auspicious moment for which I was never ready. I did API endpoint testing for 5-6 hours straight that day but didn't find anything, so I got upset right away. But later I found an interesting parameter, and in just 10-20 minutes of digging I discovered an XSS and reported it immediately, then went to sleep at 12 o'clock.

How did I get here?

I can't disclose the company name because of their policy, so I will use redacted.com as an example 😪😪. I noticed that this was a search API connected to the main search engine of their website, i.e. the main site is redacted.com/search.php?q=hello, and this API loads the specific searched content from their database. When I realized this, SQL injection came to mind, but after many attempts I was forced to give up. Then I saw that there was a non-input parameter filtering my malicious search payload before the request reached the database, but the problem was that I did not find anything by trying, because of the firewall. This time one thing I noticed was that the parameter filtered the content I searched for a little bit weirdly, like search.redacted.com/site/search?query=hello&size=10&type=provider&atlg=1.2.4.4. Here the type parameter showed the same result once, and then I started testing all the parameters one by one, but the problem was with the response, because the response was in JSON format 😪. Then, whenever I added some extra letters to the type parameter, like "type=providernnhj", it showed 400 Bad Request, but I saw that it reflected my input along with the error. And then the word came to me: xss! xss! Happily I gave an XSS payload as input, like type=providernnjh<script>, and immediately the firewall detected it 😪. Then I saw that whenever I encoded the '<' character, the response showed it decoded. It means xss! xss! xss! I screamed, and I was ready to send the final payload immediately, and it triggered. This time I just started dancing 😂

The payload looked a little bit like this: type=providernnhj%3cscript%3eprompt()%3c%2fscript%3e. I had been blocked so many times because of special characters and also because of "alert".

Takeaway: always try encoding the special characters <, > and /, and avoid 'alert'; that will be a goldmine.
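To make the mechanism concrete, here is an added example that is not code from the original post or the target's code base. It models the bug class described above: a "firewall" that pattern-matches the raw, still-encoded query string; a backend that percent-decodes the query, rejects an unknown `type` value and echoes it into the 400 error body unescaped; and, beside it, a hardened handler. The endpoint path, the allow-list values, the filter rules and the assumption that the error body was served with an HTML content type (which is what lets reflected JSON execute at all) are all my own for illustration. It also goes one step beyond the post: the decoded-value filter shows why matching on raw bytes is the real mistake, not the choice of `alert` versus `prompt`.

```javascript
// Added example (not from the original writeup). Path, allow list, WAF rules
// and the HTML content type of the error page are assumptions.

// Naive filter: looks for literal markers in the *raw*, still-encoded query,
// so "%3cscript%3e" sails through while "alert(" is caught even when encoded.
const NAIVE_WAF_RULES = [/<script/i, /<\/?[a-z]/i, /alert\s*\(/i];

function naiveWafBlocks(rawQuery) {
  return NAIVE_WAF_RULES.some((re) => re.test(rawQuery));
}

// Minimal query-string parser: this is the backend's view of the request.
function parseQuery(rawQuery) {
  const params = {};
  for (const pair of rawQuery.split("&")) {
    if (!pair) continue;
    const idx = pair.indexOf("=");
    const k = idx === -1 ? pair : pair.slice(0, idx);
    const v = idx === -1 ? "" : pair.slice(idx + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return params;
}

// Same rules, but applied to the decoded values the application actually uses.
function normalizedWafBlocks(rawQuery) {
  const decoded = Object.values(parseQuery(rawQuery)).join("\n");
  return NAIVE_WAF_RULES.some((re) => re.test(decoded));
}

const ALLOWED_TYPES = new Set(["provider", "product"]); // assumed allow list

// Vulnerable handler: filter on raw bytes, validate the decoded value, then
// concatenate the rejected value into an error body served as HTML.
function vulnerableSearchHandler(rawQuery) {
  if (naiveWafBlocks(rawQuery)) {
    return { status: 403, contentType: "text/html", headers: {}, body: "Forbidden" };
  }
  const q = parseQuery(rawQuery);
  if (!ALLOWED_TYPES.has(q.type)) {
    return {
      status: 400,
      contentType: "text/html; charset=utf-8", // assumption: error page rendered as HTML
      headers: {},
      body: `{"error": "Bad request: unknown type ${q.type}"}`,
    };
  }
  return { status: 200, contentType: "application/json", headers: {}, body: JSON.stringify({ results: [] }) };
}

// JSON that stays inert even if a browser renders the body as HTML:
// serialize, then turn <, > and & into JSON \u escapes (still valid JSON).
function jsonForBrowser(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026");
}

// Hardened handler: validate the decoded value against the allow list, never
// interpolate it into markup, serve real JSON, and forbid MIME sniffing.
function hardenedSearchHandler(rawQuery) {
  const q = parseQuery(rawQuery);
  const headers = { "X-Content-Type-Options": "nosniff" };
  if (!ALLOWED_TYPES.has(q.type)) {
    return {
      status: 400,
      contentType: "application/json; charset=utf-8",
      headers,
      body: jsonForBrowser({ error: "Bad request: unknown type", type: String(q.type ?? "") }),
    };
  }
  return { status: 200, contentType: "application/json; charset=utf-8", headers, body: jsonForBrowser({ results: [] }) };
}

// Tester's check: does the decoded probe come back verbatim in the body?
function reflectsUnescaped(response, rawProbeValue) {
  return response.body.includes(decodeURIComponent(rawProbeValue));
}

const PROBE = "providernnhj%3cscript%3eprompt()%3c%2fscript%3e"; // payload from the writeup
const QUERY = `query=hello&size=10&type=${PROBE}&atlg=1.2.4.4`;   // constructed request

function demo() {
  const vuln = vulnerableSearchHandler(QUERY);
  const safe = hardenedSearchHandler(QUERY);
  return {
    rawFilterBlocked: naiveWafBlocks(QUERY),          // false: the bypass
    decodedFilterBlocked: normalizedWafBlocks(QUERY), // true: filter after decoding
    vulnerableReflects: reflectsUnescaped(vuln, PROBE),
    hardenedReflects: reflectsUnescaped(safe, PROBE),
    vulnerableStatus: vuln.status,
    hardenedContentType: safe.contentType,
  };
}

console.log(demo());
```

The hardened handler still tells the client which value was rejected (`JSON.parse` of its body recovers the exact string), so the fix costs nothing in debuggability; what changes is that the value is data inside JSON rather than text inside markup, the content type is honest, and `nosniff` stops the browser from second-guessing it. Treat the filter as a speed bump only: the reflection is what gets fixed.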

Timeline:
6 June 2021: submitted the report to a Bugcrowd public program.
7 June 2021: accepted as a valid issue.
8 June 2021: status changed to unresolved and received a hall of fame acknowledgement.
15 June 2021: issue fixed, and got an $800 bounty with 10 Bugcrowd submission points ❤

Hope you enjoyed this writeup, and do follow me on Facebook and Twitter.

Also keep in mind Allah is great. Allah can do anything so pray and shine.

Thanks for coming ❤ I will see you next time.

Comments

  1. Respect your patience and hard work. Keep hunting and don't lose hope. Love from x3909_bitch

  2. That's amazing work sir, keep going 😊

  3. I appreciate your patience. Go ahead brother.
