My First and Easiest Bug I Have Found
Hello everyone! I’m Mohamed AboAlezz, and welcome to my first write-up! 😄
As you’ve probably read from the title, this is my first valid bug discovery, and it might just be one of the easiest bugs you can find. Here’s how it all went down:
Getting Started in Bug Hunting
I was hunting on a program that we’ll call “redacted.com” for privacy. My journey into bug hunting began after more than 10 months of studying how to hunt and find bugs. However, I struggled initially. Why? Because I relied heavily on automation tools, which turned out to be a big mistake: scanners surface the same well-known issues for everyone, so they rarely turn up a unique, exploitable bug.
Realizing this, I decided to switch to manual testing only, using just Burp Suite and my browser. And that change made all the difference. In my first month of manual testing alone, I managed to find 6 valid bugs on HackerOne and over 10 more bugs on self-hosted bug programs.
If you’d like to hear more about my bug-hunting journey, feel free to let me know in the comments. I’d love to share my experiences with you!
The Bug on Redacted.com
Back to redacted.com! While exploring the site, I noticed something interesting while intercepting requests in Burp Suite. When creating a new project, there were three options:
- Create with a Free plan
- Create with a Pro plan ($25 per month)
- Create with a Team plan ($600 per month)
If I clicked on the Pro or Team plan options, it redirected me to a purchase page. But here’s where it got interesting! I selected the Free plan and intercepted the project-creation request in Burp Suite. In the request body I saw a parameter that looked like this:
"tier": "tier_free"
The Exploit
I decided to experiment by changing the tier parameter from:
"tier": "tier_free"
to:
"tier": "tier_pro"
or
"tier": "tier_team"
After modifying the request to tier_pro or tier_team and sending it, I was able to create projects with Pro and Team features for free! 🎉
This bug was triaged within a day and marked with medium severity. It was an awesome experience to have my first valid bug report accepted so quickly.
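To make the missing check concrete, here is an added example, constructed for this write-up and not code from the program I tested: a project-creation handler that trusts the tier field from the request body, beside a hardened one that takes the tier from the account’s server-side subscription record. The tier identifiers mirror the write-up; the User and Project types, the feature table, the tier ranking and the function names are assumptions.

```python
"""Client-controlled plan/tier parameter: vulnerable handler beside a hardened one.

Constructed example for this write-up; not the tested program's code. The tier
identifiers follow the write-up, everything else (types, feature table, ranking)
is an assumption.
"""
import json
from dataclasses import dataclass, field

# Entitlements per tier (constructed; the real program's limits are unknown).
TIER_FEATURES = {
    "tier_free": {"max_collaborators": 1, "private_projects": False},
    "tier_pro": {"max_collaborators": 5, "private_projects": True},
    "tier_team": {"max_collaborators": 50, "private_projects": True},
}
# Ordering used by the hardened handler: an account may create a project at its
# own tier or any cheaper one, never a more expensive one.
TIER_RANK = {"tier_free": 0, "tier_pro": 1, "tier_team": 2}


@dataclass
class User:
    user_id: str
    # The tier billing has actually been paid for. This server-side record is the
    # only trustworthy source of the tier; the request body is attacker-controlled.
    paid_tier: str = "tier_free"


@dataclass
class Project:
    owner: str
    tier: str
    features: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the request asks for more than the account is entitled to."""


def create_project_vulnerable(user: User, body: str) -> Project:
    """The bug from the write-up: the 'tier' value sent by the client is used
    as-is, so editing "tier_free" to "tier_team" in Burp yields Team features."""
    data = json.loads(body)
    tier = data.get("tier", "tier_free")
    if tier not in TIER_FEATURES:
        raise ValueError("unknown tier")
    return Project(owner=user.user_id, tier=tier, features=TIER_FEATURES[tier])


def create_project_secure(user: User, body: str) -> Project:
    """Hardened form: the entitlement check is made against the subscription
    record. A request for a tier above the paid one is rejected loudly rather
    than silently downgraded, so tampering is visible in server logs."""
    data = json.loads(body)
    requested = data.get("tier", user.paid_tier)
    if requested not in TIER_FEATURES:
        raise ValueError("unknown tier")
    if TIER_RANK[requested] > TIER_RANK[user.paid_tier]:
        raise Forbidden(
            f"account {user.user_id} is on {user.paid_tier} but requested {requested}"
        )
    return Project(owner=user.user_id, tier=requested,
                   features=TIER_FEATURES[requested])


def tamper(body: str, new_tier: str) -> str:
    """Mimics the Burp edit: rewrite the tier field of an intercepted JSON body."""
    data = json.loads(body)
    data["tier"] = new_tier
    return json.dumps(data)


def outcome(handler, user: User, body: str) -> str:
    """Return the tier the created project ended up with, or 'forbidden'."""
    try:
        return handler(user, body).tier
    except Forbidden:
        return "forbidden"


# Constructed sample: the body the browser sends when the Free plan is chosen.
ORIGINAL_BODY = json.dumps({"name": "my-project", "tier": "tier_free"})
TAMPERED_BODY = tamper(ORIGINAL_BODY, "tier_team")

if __name__ == "__main__":
    free_user = User("alice", paid_tier="tier_free")
    print("vulnerable:", outcome(create_project_vulnerable, free_user, TAMPERED_BODY))
    print("secure:    ", outcome(create_project_secure, free_user, TAMPERED_BODY))
```

Note the design choice in the hardened handler: the request may still carry a tier, but it is only honoured when it is at or below what the subscription record says has been paid for, and anything above that is rejected with an error rather than quietly clamped, which gives the defending team a log line to alert on.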
Key Takeaways and Recommendations
- Manual testing often reveals bugs that automation may overlook. If you’re struggling to find your first bug, try stepping away from automation tools and get comfortable with Burp Suite or other intercepting tools.
- Check every parameter the client controls, especially those that select a service tier, plan or feature level. The server must derive entitlements from the account’s own billing state and never from a value the client sends; when that server-side check is missing, a one-word edit in the request is enough to unlock paid features, as it was here.
- Stay curious and don’t be afraid to test small changes. A lot of the time, subtle tweaks to parameters can reveal underlying security issues.
Thank you for reading! 😊 If you enjoyed this write-up, hit the follow button to stay updated on my future posts. Happy hunting, and best of luck to everyone! ❤️