I felt like there were no more bugs left after winning €2000 … But an email worth €750 changed my mind
Introduction
Hello amazing hacker, I hope you are doing well! Today I am going to tell you the story of how I completely exhausted my target … and then some. Not only had I already received €2000 from this target for the various medium-severity vulnerabilities I reported, I managed to grab even more after I had already fully tested the program. Here’s how I did it.
The beginning
This was a target I loved right from the start: it had all the functionality I enjoy testing and seemed tailor-made for me. I started up Burp Suite, set up my scope and started clicking around.
The more I saw, the more I fell in love with this target. It started out with my target asking me if I wanted to invite other people into my organization. Whenever a target asks me this, my spidey senses start tingling. An invite flow means several users, and usually several organizations, share the same application and the same object identifiers, which is usually a sign that Broken Access Control (BAC) is possible, or at the very least that there are multiple ways of testing for IDORs.
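To show what that test looks like in practice, here is an added example that is not code from the original post or from the target. It stands up a constructed two-organization API in-process (the endpoint path `/api/orgs/<id>/members`, the organization ids 1001 and 2002, the session tokens and the member lists are all assumptions made for illustration) and then replays a request that belongs to organization B using organization A's session, which is exactly the check you run once you own accounts in two separate organizations. The same handler can be switched between the vulnerable behaviour (trusting the id in the URL) and the hardened one (matching the caller's session to the organization in the path), so you can see what an IDOR looks like next to the correct response.

```python
"""Added example, not from the original post: a two-organization IDOR check.

A tiny constructed HTTP API is started in-process so the script runs offline.
Organization A (id 1001) and organization B (id 2002) each have their own
session token. Endpoint names, ids, tokens and member lists are assumptions
for illustration only, not the real target's API.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed fixture: session token -> organization the session belongs to.
SESSIONS = {"tok-orgA": 1001, "tok-orgB": 2002}
MEMBERS = {
    1001: ["alice@orga.example"],
    2002: ["bob@orgb.example", "carol@orgb.example"],
}


class Handler(BaseHTTPRequestHandler):
    # Toggle to compare the vulnerable and the hardened behaviour.
    enforce_org_check = False

    def do_GET(self):
        parts = self.path.strip("/").split("/")  # api/orgs/<id>/members
        token = self.headers.get("Authorization", "").removeprefix("Bearer ").strip()
        caller_org = SESSIONS.get(token)
        if caller_org is None:
            return self._send(401, {"error": "unauthenticated"})
        if len(parts) != 4 or parts[:2] != ["api", "orgs"] or parts[3] != "members":
            return self._send(404, {"error": "not found"})
        try:
            org_id = int(parts[2])
        except ValueError:
            return self._send(404, {"error": "not found"})
        if org_id not in MEMBERS:
            return self._send(404, {"error": "not found"})
        # The IDOR: the vulnerable variant trusts the id in the URL and never
        # checks that the caller's session belongs to that organization.
        if Handler.enforce_org_check and caller_org != org_id:
            return self._send(403, {"error": "forbidden"})
        return self._send(200, {"members": MEMBERS[org_id]})

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Start the constructed API on a free localhost port; return (base URL, server)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


def fetch(base, path, token):
    """GET path with the given session token; return (status, decoded JSON body)."""
    req = urllib.request.Request(base + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def cross_org_check(base, victim_path, victim_token, attacker_token):
    """Replay a request that belongs to org B with org A's session.

    Returns (is_idor, victim_status, attacker_status). It counts as an IDOR
    when the attacker gets the same success and the same body as the owner,
    which rules out a 200 that merely renders an empty or error page.
    """
    v_status, v_body = fetch(base, victim_path, victim_token)
    a_status, a_body = fetch(base, victim_path, attacker_token)
    is_idor = v_status == 200 and a_status == 200 and a_body == v_body
    return is_idor, v_status, a_status


def run_demo(enforce):
    """Run the cross-org check against the vulnerable (False) or hardened (True) API."""
    Handler.enforce_org_check = enforce
    base, srv = start_server()
    try:
        return cross_org_check(base, "/api/orgs/2002/members", "tok-orgB", "tok-orgA")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("vulnerable:", run_demo(enforce=False))  # (True, 200, 200)
    print("hardened:  ", run_demo(enforce=True))   # (False, 200, 403)
```

Against a real target you would replace `fetch` with replaying the captured Burp request and keep the comparison logic as it is: the point of comparing bodies rather than only status codes is that many applications return 200 with a generic page for any id, which is a false positive, not a finding.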
I got to work creating two companies; we will call them “Yoogle” and “Gahoo” to keep things easy, but these names are just for the example and were not my actual targets, of course, nor were the companies that inspired their names. My target was heavily centered…