How I Found My First Critical Bug Worth $2500–5000

Saransh Saraf aka (MR23R0)
Nov 7, 2021

You’ve also seen IDOR lead to account takeover and think that it’s just luck that the man/woman found that bug, right? But let me tell you, it’s not luck, it’s the skill of looking at everything carefully.

So without wasting any time, let’s start.

I was testing a program/application; the site was made to manage money collected from the payment gateway.

So first I made an account and logged in with it. There was a profile section, as always :)

So I set my Burp proxy to see what was happening, changed my username, and intercepted the request in Burp.

There was a parameter “merchID”, interesting, right?

So I quickly made another account and replaced the “merchID” with my second account’s merchID and BOOM!! I got 200 OK and the other account’s details were changed ;)

Then I changed the email. At that time I was thinking about how I could find the password for that account, and suddenly I got a basic idea: Forgot Password.

So I requested forgot password for the new email and I got the password for the victim’s account (my other account).

Simple, right?
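For the defender's side of the merchID flaw above, here is an added example (not code from the tested application or from the author) showing a profile-update handler that trusts the client-supplied merchID next to one that binds the target account to the session. All names (`Session`, `make_store`, `update_profile_*`) and the sample accounts are hypothetical, and the re-authentication check before an email change is an assumed mitigation for the forgot-password step, not something the post describes.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not modify the requested account."""

@dataclass
class Session:
    merch_id: str                    # identity fixed by the server at login
    recently_reauthed: bool = False  # True only after a fresh password check

ALLOWED_FIELDS = {"username", "email"}

def make_store():
    # Constructed sample data: two merchant accounts.
    return {
        "M-1001": {"username": "alice", "email": "alice@example.test"},
        "M-1002": {"username": "bob", "email": "bob@example.test"},
    }

def update_profile_vulnerable(store, session, body):
    # Flaw: the account to modify is selected by the request body,
    # so any logged-in user can edit any merchID (the IDOR in the post).
    target = store[body["merchID"]]
    for field in body.keys() & ALLOWED_FIELDS:
        target[field] = body[field]
    return 200

def update_profile_hardened(store, session, body):
    # A merchID that disagrees with the session is rejected (and worth logging).
    supplied = body.get("merchID")
    if supplied is not None and supplied != session.merch_id:
        raise Forbidden("merchID does not match authenticated session")
    # The email controls password resets, so changing it needs re-authentication.
    if "email" in body and not session.recently_reauthed:
        raise Forbidden("re-authentication required to change email")
    # The target always comes from the session, never from the client.
    target = store[session.merch_id]
    for field in body.keys() & ALLOWED_FIELDS:
        target[field] = body[field]
    return 200
```
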

