Hello and welcome to my first bug bounty blog post! I’m excited to share my experience with you all.
I used to give up on bug bounty programs after only 1–2 days, but I realized that I was missing out on potential discoveries by not diving deeper into the programs. So, I decided to challenge myself and spend seven days, at least 2–3 hours per day, on a program. This helped me to dive deeper into the program and led me to find a business logic error.
Let’s talk about the program. It’s an internet shop (for privacy let it be redacted.com) with many products and functions, but one function in particular caught my attention — the ability to set an appointment in a local store with a consultant. After choosing a store location and appointment time, you can reserve it and that time slot becomes unavailable.
Exploiting the Vulnerability:
To start, I launched Burp Suite and navigated to www.redacted.com/api/v1/create-appointment. After entering random values into the input fields, I turned on the interception and captured the POST request, as shown in the screenshot below:
As you can see, there are “appointment-date” and “appointment-time” fields that can be changed and submitted without any measures in place to prevent an attacker from automating the process. For example, an attacker could use Burp Suite Intruder to reserve all available appointments for several months or even a year.
Considering the potential risks, I wrote a report to the company and received a response that there was nothing they could do to prevent this issue, as it was a normal feature like signing up. I replied by explaining that this vulnerability could make the appointment feature useless and suggested several ways to prevent it, such as limiting users to only one appointment, adding a CAPTCHA, and sending email confirmations. After further discussion, the company agreed with my assessment and rewarded me with a $60 bounty 🤑
In conclusion, dedicating at least a week to one bug bounty program can lead to the discovery of new vulnerabilities, even if you think you already know everything about it. Additionally, if a company marks your report as “informative,” don’t give up — make sure to provide clear and thorough arguments in your response to help them understand the severity of the issue.
If you found this blog post helpful or informative, please consider showing your support by giving it a clap. Also, be sure to subscribe for more bug bounty updates and tips in the future. Thank you for reading ❤️️