Story of my first bounty by a low hanging fruit

Liferacer333
3 min read · Sep 14, 2021

Hello People🙌,

In this write-up, I’m going to explain how I ended up earning $100🤑 on a Responsible Disclosure Program.

My name is Hemanth Reddy (Liferacer333). I am a Security Researcher and Bug Bounty Hunter from India. This is my first write-up, so if there are any mistakes in it, please let me know.

I was hunting on a Responsible Disclosure Program; let's call it target.com. I started with the recon phase. I’m interested in finding SSRF vulnerabilities, so I began by looking for SSRF issues, but I didn't find any. Later I tried to find other vulnerabilities like SQLi, XSS, IDOR, and business logic flaws, but I didn't find anything, and I was frustrated……

After hunting for a couple of hours I thought: why not try some low-hanging fruits like password reset issues and SPF/DMARC related vulnerabilities? Luckily, I found a Clickjacking vulnerability on the target domain (target.com).

What is a Clickjacking Vulnerability?

According to Wikipedia: “Clickjacking (classified as a user interface redress attack or UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.”

What is the Impact of the Vulnerability?

Impact:

Users are tricked into performing all sorts of unintended actions, such as typing in a password, clicking the ‘Delete my account’ button, liking a post, deleting a post, or commenting on a blog. In other words, any action a normal user can perform on the legitimate website can be triggered through clickjacking.

Mitigation:

In order to fix the issue, we must know the underlying reason that causes it. Clickjacking is possible because a third-party website is allowed to embed the vulnerable site in an iframe. This can be disallowed by setting HTTP response headers that instruct the browser not to render the target website inside a frame, which means configuring the server to send one of the following two response headers: X-Frame-Options or Content-Security-Policy.

You can also use the online tools mentioned below to test for the Clickjacking vulnerability.
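The same check those tools perform can be done offline against a response's headers. The following is an added example (not code from the original post): it evaluates X-Frame-Options (DENY or SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive, and the sample header sets at the bottom are constructed, not captured from any real site.

```python
# Added example (not from the original post): decide whether a response's
# headers stop the page from being framed, which is the mitigation above.
from typing import Dict, List, Optional


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names ignore case)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> dict:
    """Classify a header set as protected or unprotected against framing."""
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # Browsers that support frame-ancestors apply it and ignore X-Frame-Options.
            # '*' or a bare scheme source lets any origin frame the page;
            # an empty source list matches nothing, i.e. behaves like 'none'.
            if any(s in ("*", "http:", "https:") for s in sources):
                return {"protected": False, "reason": "frame-ancestors allows any origin"}
            shown = " ".join(sources) or "'none'"
            return {"protected": True, "reason": f"frame-ancestors {shown}"}
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None and xfo.upper() in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": f"X-Frame-Options: {xfo}"}
    if xfo is not None:
        # ALLOW-FROM and other non-standard values are ignored by current browsers.
        return {"protected": False, "reason": f"unsupported X-Frame-Options value: {xfo}"}
    return {"protected": False, "reason": "no framing restriction header"}


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "vulnerable": {"Content-Type": "text/html"},
    "fixed_xfo": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "fixed_csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: {framing_protection(hdrs)}")
```

Note that a CSP with a permissive frame-ancestors list overrides a strict X-Frame-Options in browsers that support CSP, so both headers must be checked together.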

(Image: message from the target organization)

Bounty 1: $100 USD

Timeline:

Submitted: 23 Oct 2020

Accepted: 25 Oct 2020

Bounty Received: 10 Dec 2020

And luckily, my second bounty was also for a Clickjacking vulnerability😂, for which I received €75 in BTC.

Bounty 2: €75 paid in BTC

(Image: message from the 2nd organization)

Most bug bounty hunters skip these low-hanging fruits and jump straight into looking for high-severity bugs; sometimes they don't find anything and end up frustrated. So hunting for low-hanging bugs is worth a try!!

Have patience and don’t get frustrated if you haven’t found anything yet; just keep learning and keep focusing. Patience is the key!

Thanks for Reading😊❤️.

Profile Links:

Linkedin: https://www.linkedin.com/in/hemanth-reddy-51b357191

Twitter: liferacer333

Instagram: liferacer333

Blog Link: https://liferacer333.blogspot.com
