New $100 Bug in My Methodology!
New Bug Type for Me!

One day, I decided to start hunting on a new program. I'm new to bug hunting (just over 1 year), and in the past, I was scared of public programs because I said, "Hey Ram, this program is public and many hackers are working on it." But this time was different. I believed in myself and said, "Just enjoy the program and test it! It isn't important if you don't find anything."

My friend, please just search for knowledge! One problem with new bug hunters like me is that they only search for money in programs. This mindset can destroy you. You must play with different sections of the application and enjoy it! Think like a real hacker; think about hacking, not just about finding and reporting bugs!

What's the Bug?

I started by playing with the application, testing everything, and trying to find abnormal application behavior. While I was testing different sections of the app, I opened a special section: Invite Member!

An invite member feature is a normal section in every program, but something was unusual about this one: the first name field! Hmm, this means I can set the name for other users. At first, I thought this name was only used inside the invite itself, but after testing, I saw that after inviting the user, this first name and last name were set on the site for him/her. I know it's incredible, but anyone can set a first name and last name for you if you are not yet registered in the system, and this happened in a famous public app!

It wasn't a bug by itself, but this behavior was uncommon, and I thought I could turn it into a bug with a little creativity 🙂 I invited some users via email, but I entered special characters in the first name and last name fields. Guess what 😂! Because the user's first name and last name were abnormal, they could no longer register with that email! So, I could effectively disable any email in the system by putting special characters into their first name.

Imagine you are not registered on this site. In the invite section, I enter your email, but in the first name field, I put a special character. After that, an invite email is sent to your address. If you try to register on the site or use the forgot password feature, you can't! And I have blocked you from using this site 🙂

SO:

1- Every time, inject payloads into the first name and last name fields (XSS, CSTI, etc.).
2- Look for abnormal application behavior.
3- Hack for the sake of hacking, not for money.
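The fix on the application side is to validate inviter-supplied names at the invite boundary and never let stored invite data decide whether the invitee can register. The following Python model is an added example, not code from the program in the post; the in-memory tables, the name validator and the function names are my own constructed stand-ins, and the "bad" name uses a right-to-left override character as one illustrative abnormal value.

```python
import unicodedata

# Constructed in-memory stand-ins for the app's invite and user tables.
INVITES: dict[str, dict] = {}   # email -> names the inviter typed
USERS: dict[str, dict] = {}     # email -> the registered profile

MAX_NAME_LEN = 64


def validate_display_name(name: str) -> str:
    """Return an NFC-normalised name or raise ValueError.

    Rejects empty or over-long values and any control (Cc), format (Cf:
    bidi overrides, zero-width marks) or line/paragraph separator chars.
    """
    cleaned = unicodedata.normalize("NFC", name).strip()
    if not cleaned or len(cleaned) > MAX_NAME_LEN:
        raise ValueError("name is empty or too long")
    if any(unicodedata.category(c) in ("Cc", "Cf", "Zl", "Zp") for c in cleaned):
        raise ValueError("name contains control or format characters")
    return cleaned


def invite_unchecked(email: str, first: str, last: str) -> None:
    """Weak pattern: whatever the inviter typed is stored as-is."""
    INVITES[email] = {"first": first, "last": last}


def invite_checked(email: str, first: str, last: str) -> None:
    """Hardened: inviter input is validated before it is ever stored."""
    INVITES[email] = {"first": validate_display_name(first),
                      "last": validate_display_name(last)}


def register_vulnerable(email: str) -> dict:
    """Weak pattern: the invite's names become the profile and are only
    validated now, so a bad invite value locks the invitee out."""
    profile = {"email": email, **INVITES.get(email, {"first": "", "last": ""})}
    profile["first"] = validate_display_name(profile["first"])  # may raise
    profile["last"] = validate_display_name(profile["last"])
    USERS[email] = profile
    return profile


def register_hardened(email: str, first: str, last: str) -> dict:
    """Hardened: the registrant's own input is validated and stored; the
    invite is consumed as a pre-fill hint and can never block sign-up."""
    profile = {"email": email, "first": validate_display_name(first),
               "last": validate_display_name(last)}
    INVITES.pop(email, None)
    USERS[email] = profile
    return profile


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError (used to show the lockout)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```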