How I find My first Critical Bug Worth $2500–5000

You’ve also seen IDOR leads to account takeover and think that it’s just luck that man/women found that bug right? But let me tell you, it’s not luck, it’s the skill of looking everything carefully.

so without wasting any time lets start..

I was testing a program/Application target.com the site was made to manage collected money from the payment gateway.

So first I made an account and login with it. There has been a profile section as always :)

so set my burp proxy to see what is happening, I changed my username and intercepted the request in burp

There was a parameter “merchID”, interesting ryt?

So quickly made another account and replaced the “merchID” with my second account’s merchID and BOOM!! I got 200 Ok and the other account details were changed ;)

Then I changed email. At that time I was thinking now how I can find password for that account, and suddenly I got a basic Idea Forgot Password.

So I requested forgot password for new email and I got the password for victim’s account (other account of mine).

Simple ryt?

If you like my write-up make sure you gave me a clap.

and follow me and my guruji @ instagram

ME : https://www.instagram.com/sarans0x00h/

MY bug hunting guide : https://instagram.com/sachin_kalkumbe