top of page

My First Bug on VDP & BBP - Bug Bounty

Hello, Today I am going to share how and what I found my first bug on VDP and BBP.


For Those who Don't know what is VDP & BBP?

VDP:- Vulnerability Disclosure Programs are those programs that don't offer monetary rewards. Instead, they give public acknowledgments, reputation/points or Swags(like T-shirts, Hoodies, Stickers, etc.)

BBP:- Bug Bounty Programs are those programs that offer monetary rewards for reporting vulnerabilities.


Information Disclosure Bug - 1st Bug on VDP

I was a newbie on Hackerone and I chose Trint VDP program to Hunt and learn something new. At that time I knew only a few vulnerabilities like HTML Injection, XSS(Not properly) and Information disclosure. So after spending a few weeks, I found HTML Injection and email verification bypass by changing parameter value to "null" in Burpsuite. Both of the reports were closed as a duplicate. One day I was looking at all Burpsuite requests on their website, I tried removing the Authentication token from the request which returned me some errors from the application.

I saw private IP addresses in the response and I tried sending request again which gave me a different private IP address. I reported this and it was triaged. This gave me satisfaction and motivation to hunt more bugs on HackerOne so I went for BBP's.


Stored XSS - 1st Bug on BBP

At that time, the Smartsheet program was new and the scope was also good. So I started understanding their web application, they have so many features. After a few weeks, I understood their web application and started hunting. Found a few bugs like HTML injection, but they were closed as duplicate and informative. I had almost spent 2 months on this program and then I was thinking to give up. One day I thought let's start everything again from starting on this web application like registering accounts again with the "@wearehackerone.com" email alias. After email verification, it redirected me to a different page where I saw many XSS popups. I was redirected to this page because I have used the "@wearehackerone.com" alias in my email and there was a new feature released on Smartsheet. This feature allows same email alias users to join their organizations. So I was seeing the organization of other users on this page where they have used XSS payload. I quickly reported it and I thought it would go duplicate.

After a few hours, it was triaged and I was the first person to notice this new feature. It was a lucky day for me because it was not my payload which is executing, it was other hacker's payloads.


So that's all for today!

Happy Hacking!

1,278 views0 comments
bottom of page