My Bug Bounty Journey

Posted on by Isira Adithya

> Whoami

Hi πŸ‘‹

I am Isira Adithya and I am a 17 years old researcher from Sri-Lanka.
Currently, Studying at Bandarawela Central College, Bandarawela.

I have a developer background (Javascript, PHP, Python, Dart, etc), When I was 13 I started developing applications in VB.Net. Since, Then I loved developing apps and other stuff like (Prank Malwares, Batch scripts, USB Viruses). Just for fun and to prank my friends.

How I got to Cyber Security

As a little kid back in the day, I was a heavy gamer with a 2GB ram. πŸ˜‚
There are some missions that I cannot pass/finish without a mouse. Since I was using a Laptop, I had to use the touchpad to play games.
So, The solution was the Cheat Engine. I think you all heard about that.
I hacked every single game with that, and even hacked some softwares too. It is a πŸ‘Œ tool.

Then, We got a smart television to our home and It needs a Wi-Fi network to work.
I was so eager to hack into that just like in movies 😎.
Then, I installed Kali Linux without knowing anything about it and crashed my laptop too. (Whole Hard disk was corrupted πŸ˜…, and lost lots of our family photos. My father and mother was not happy about that still)

After, some googling I came across this NMAP tool and I scanned the television via this. I found some open ports and decided to attack with XERXES. And, the Television was completely stuck and didn't responded back. I had to restart it. This is another win for me, I was able to turn off the television with my laptop whenever my brother and sister don't gave me the remote. 😈

Certificates

Nothing for now. πŸ˜…

> Learning Materials

Tryhackme and Hackthebox

When It comes to my learning resources, TryHackMe and HackTheBox are some of the greatest teachers for me.

  1. TryHackMe - tryhackme.com
  2. Hackthebox - hackthebox.eu

I addicted to CTF back in the day, It was so much fun for me.
Both platforms gave me a very entertaining experience while learning.
Make sure to try those platforms if you are a beginner in cyber security. (I think you already registered it. No need to introduce this. πŸ˜…)
I agree that these platforms are more into penetration testing, but this knowledge will come in handy sometimes. πŸ˜‰

So, Thanks a lot Tryhackme and Hackthebox.

Portswigger's Web Security Academy

This is so far the best resource to learn about web security in my opinion. πŸ‘ŒπŸ‘Œ
This guides you with in-depth tutorials and it gives learning labs for free too.
Further more,

  1. XSS Cheatsheet
  2. PortSwigger Research

Check out those too.

Youtube Channels

Theses are the youtube channels I follow,

  1. InsiderPHD - Very Well Detailed Presentations about various bug types and overall πŸ‘Œ (She is the one who introduced me to Intigriti, I saw the sponser message every day and then gave it a try. πŸ‘Œ)
  2. PwnFunction - This guy will give you the most simplest explanation of any bug within 10 mins of his videos. I really like his presentation methods and the drawing. πŸ‘Œ
  3. Liveoverflow - Very Very deep explanations and very advanced topics about InfoSec (I used to watch his videos, even I don't understand a word back in the day)
  4. Bug Reports Explained - Explaining some of the most advanced bug reports on the info sec world with simplest way possible. I found his channel, When I was struggling to understand what is HTTP Request Smuggling
  5. Codingo - Super useful information from the manager of the triage team BugCrowd
  6. STΓ–K - More about Bug Bounty Life Style and other stuff.
  7. Nahamsec - Live Streams, Tutorials and Lot of useful things about Recon.
  8. Farah hawa - Some really cool tutorials. I learnt about graphql from this channel
  9. Intigriti's Hacker Tools and Hacker Heros - This is a upcoming channel, and It is featuring about hacking tools, and interviewing some great hackers.
  10. John Hammond - A Master when it comes to pentestng, I really like to watch his videos about CTF

Other websites

  1. Hackerone - Hacktivity - Realworld bug reports by various hackers in the world.
  2. HackTricks - A Super useful Vulnerability Notebook
  3. Bug Bounty Tips by @gowsundar - Collection of bug bounty tips by top researchers.
  4. Bug Bounty Writeups - Pentester Labs - Very organized list of bug reports, useful when you need to read about a specific vulnerability.
  5. Zseano's Methodology - Methodology of a Legendary Researcher
  6. Intigriti - BugBytes NewsLetter - Intigriti will keep you updated with the latest news,tip,methods on the InfoSec commnity.
  7. Bug Reports explained Newsletter by @grexsunday - If you want some advanced and more intermediate resources, then this is a good newsletter.

Timeline

  1. 2021/03/26 - Found the solution to the Intigriti 0321 XSS Challenge
    Solution-Found
    After, 5 days of trying, I found the solution. This was a crazy moment for me, This is the first time I ever came across the XSS
  2. 2021/03/29 - I won the Intigriti 0321 XSS Challenge
    Getting-the-voucher
    After, found out that I won, I thought I am good at xss at least πŸ˜…. So, I watched every single youtube video about xss and I started reading through the Hackerone's Hacktivity about XSS
  3. 2021/04/06 - Reported my first valid bug
    First Report
    I got my first private invitation in intigriti and I thought it is something very rarely happens and started digging into the web application. After about 3 days of trying came across reflected XSS. This time, I got paid 150 EUROS, It is about 35,000/- in our currency(Srilankan Rupees). It is the monthly income of my father and everyone in family was amazed about this. 😎
  4. 2021/04/11 - Got Stored XSS on the same private program
    Stored-XSS
    I wasn't able to get XSS right away, So I reported HTML Injection and went to bed at late late night. Next, morning I decided to read about ASP WAF Bypass and Finally found a way to escalate the bug to XSS. That's why there is a bonus. 😊
  5. 2021/05/19 - Registered to Hackerone, And started hunting there too
    I was hunting only XSS at the time, I never tried to find any other vulnerability like CSRF,SSRF,RCE etc. Because of that, I wasn't able to find a single valid bug since 2021/04/11, after I started with hackerone, I started to learn more bugs via Portswigger's Web Security Academy.
  6. 2021/05/21 - 2021/06/10 - Reported various bugs to Hackerone
    GraphQL
    CSRF
  7. 2021/06/09 - Found a High Severity bug on a big company
    Unknown-LOL
    This was resolved within 7 hours, even before hackerone triage team reaches. This was a super exciting bug for me and this bug is not documented anywhere. Basically, I was able to takeover an subdomain in use.(Varnish Cache Server Misconfiguration)
  8. 2021/07/13 - Got to the 5# in the Intigriti Last 30 days Leaderboard
    Leaderboard

How It Started - 2021/04/06

Old
This is my old laptop with 2GB ram and 1.80Ghz i3 3rd gen
After, Getting first 2 bounties I got a new workstation

How It is going - -2021/07/15

New
This is a dream workstation for me, never imagined I would get to this.

Fails - (N/A, Out-of-scope)

My reports are not 100% perfect, I did some bad mistakes too.
But, Everyday, I learnt a lesson from that.
I reported stuff like,

  1. Click Jacking on Login Pages
  2. Denial Of Service while I was just blocked by the WAF πŸ˜…
  3. Self XSS
  4. XSS executed within a SandBox Domain. Always use alert(document.domain) btw
  5. CSRF on non sensitive actions like adding a product to a victim's cart.

Contact Me

If you have any questions regarding this blog post or anything,
feel free to contact me at,

  1. Twitter
  2. Instagram
  3. LinkedIn
  4. Contact Page - Blog

Thanks a lot πŸ™

No comments yet

Leave a Reply