24 Dec 2022 around 12PM
I was going somewhere in the car, I get an email and as soon as I open it to delete it I see this
and i was like “WHAT!”
Full Story
I was checking one of the Android App of this program and after checking all the functiniliies I found nothing and before leaving it, I put SSTI payload in the First and Last Name of my Profile.
First Name : ${{7*7}}
Last Name : ${{7*'7'}}
Some days later I got a mail from this company that says “Dear $49, We change our Terms and Privacy Policies…..”
After some research, I figured out that my second SSTI Payload got executed and as resulted I receive ‘$49’.
After reaching Home I created PoC video and collect all the necessory information andsubmit the report through Hackerone.
I also got awarded with the Highest Bounty amount out of all the bounties offered by that company.
This is story of My First P1 and paid Bug on h1. If you liked it please tell me something HERE.
Here is the Tip :
Whenever you leave a program after completing your hunting, put your payloads such as BXSS, SSTI etc. on all Input Fields. so you can earn bounties when it :
Timeline:
[24 Dec 2022] : Bug Submitted
[28 Dec 2022] : Add more info
[10 Jan 2023] : Rewarded $1000 for Severity P1
[15 Jan 2023] : Resolved