How I Found My First Critical Bug Worth $2500–5000
You’ve also seen an IDOR lead to account takeover and thought that it’s just luck that the man/woman found that bug, right? But let me tell you, it’s not luck, it’s the skill of looking at everything carefully.
So without wasting any time, let’s start.
I was testing a program/application, target.com. The site was made to manage money collected from the payment gateway.
So first I made an account and logged in with it. There was a profile section, as always :)
So I set my Burp proxy to see what was happening. I changed my username and intercepted the request in Burp.
There was a parameter “merchID”, interesting, right?
So I quickly made another account and replaced the “merchID” with my second account’s merchID and BOOM!! I got 200 OK and the other account’s details were changed ;)
Then I changed the email. At that time I was thinking about how I could find the password for that account, and suddenly I got a basic idea: Forgot Password.
So I requested forgot password for the new email and I got the password for the victim’s account (my other account).
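The root cause in the steps above is a server that chooses which account to modify from the request's merchID instead of from the logged-in session. The Python sketch below is an added example, not code from the tested application: it puts a handler with that flaw beside a hardened one that derives the account from the session and logs a mismatching merchID. The field names, merchant IDs and session tokens are constructed for illustration.

```python
from copy import deepcopy

# Constructed sample data; only the "merchID" parameter name comes from the write-up.
_SEED = {
    "M-1001": {"username": "alice", "email": "alice@example.test"},
    "M-1002": {"username": "bob", "email": "bob@example.test"},
}
SESSIONS = {"sess-alice": "M-1001", "sess-bob": "M-1002"}  # session token -> owning merchant
EDITABLE = ("username", "email")


def fresh_db():
    return deepcopy(_SEED)


def update_profile_vulnerable(db, session_token, body):
    """Checks only that a session exists, then trusts the client-supplied merchID."""
    if session_token not in SESSIONS:
        return 401, "not logged in"
    target = body["merchID"]  # object reference taken straight from the request
    if target not in db:
        return 404, "no such merchant"
    db[target].update({k: v for k, v in body.items() if k in EDITABLE})
    return 200, "updated"


def update_profile_hardened(db, session_token, body, audit_log):
    """Derives the target from the session; a mismatching merchID is refused and logged."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, "not logged in"
    claimed = body.get("merchID", owner)
    if claimed != owner:
        audit_log.append({"event": "idor_attempt", "session_owner": owner, "claimed": claimed})
        return 403, "forbidden"
    db[owner].update({k: v for k, v in body.items() if k in EDITABLE})
    return 200, "updated"


def demo():
    # Same request against both handlers: alice's session, bob's merchID.
    body = {"merchID": "M-1002", "email": "changed@example.test"}
    db_v, db_h, log = fresh_db(), fresh_db(), []
    v = update_profile_vulnerable(db_v, "sess-alice", body)
    h = update_profile_hardened(db_h, "sess-alice", body, log)
    return v, db_v["M-1002"]["email"], h, db_h["M-1002"]["email"], log


if __name__ == "__main__":
    print(demo())
```

The audit entry written on the 403 path gives detection something to alert on: a session repeatedly claiming merchant IDs it does not own.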