Hello, today I am going to share how I found my first bugs on a VDP and on a BBP, and what they were.
For those who don't know what VDP and BBP mean:
VDP:- Vulnerability Disclosure Programs are programs that don't offer monetary rewards. Instead, they give public acknowledgments, reputation/points or swag (like T-shirts, hoodies, stickers, etc.).
BBP:- Bug Bounty Programs are programs that offer monetary rewards for reporting vulnerabilities.
Information Disclosure Bug - 1st Bug on VDP
I was a newbie on HackerOne and I chose the Trint VDP program to hunt on and learn something new. At that time I knew only a few vulnerability classes, like HTML injection, XSS (not properly) and information disclosure. After spending a few weeks, I found an HTML injection and an email verification bypass by changing a parameter value to "null" in Burp Suite. Both reports were closed as duplicates. One day I was looking at all the Burp Suite requests to their website, and I tried removing the authentication token from a request, which returned some errors from the application.
I saw private IP addresses in the error response, and when I sent the request again I got a different private IP address back. I reported this and it was triaged. This gave me satisfaction and motivation to hunt more bugs on HackerOne, so I moved on to BBPs.
Stored XSS - 1st Bug on BBP
At that time, the Smartsheet program was new and the scope was also good. So I started understanding their web application; they have so many features. After a few weeks, I understood their web application and started hunting. I found a few bugs like HTML injection, but they were closed as duplicate and informative. I had spent almost 2 months on this program and was thinking of giving up. One day I thought, let's start everything again from scratch on this web application, like registering accounts again with the "@wearehackerone.com" email alias. After email verification, it redirected me to a different page where I saw many XSS popups. I was redirected to this page because I had used the "@wearehackerone.com" alias in my email and there was a new feature released on Smartsheet. This feature lets users with the same email domain join each other's organizations. So on this page I was seeing the organizations of other users, who had used XSS payloads as their organization names. I quickly reported it and thought it would be marked as a duplicate.
After a few hours, it was triaged, and I was the first person to notice this new feature. It was a lucky day for me, because it was not my payload that was executing; it was other hackers' payloads.
So that's all for today!