My First Experience with Bug Bounties


Curiosity

Since a young age I have always had an interest in hacking. I learned a few years ago you could do it ethically too. But constant self-doubt kept me from pursuing it. A friend of mine, though, encouraged me to take a leap of faith – so I did.

As I explored various programs on HackerOne, I often felt lost. Each application harnessed different sets of technologies — Ruby, MongoDB, PHP, Javascript, etc — sometimes to tackle similar tasks. The sheer volume of code was overwhelming; I often struggled to make sense of it all without the help of ChatGPT. This cycle of confusion persisted day and night for nearly two months until, finally, I discovered my first bug.

Exploration

At this point, I had listened to several podcast episodes by Critical Thinking and read about how others approach different applications. When I came to this particular site, I began by examining the application as I usually do, taking note of anything I suspected could contain potential vulnerabilities. I didn’t expect much, having heard that very few people find their first bug, and even fewer manage to find bugs consistently.

Patience and The Discovery

I started with the first page that I thought might be vulnerable. After finding a way to store the HTMLi, I noticed it wasn’t working. But I remembered that special characters are sometimes converted into an encoded form, so I inspected the page. This reminder came from reviewing Zseano’s methodology book. While examining the page, I noticed that the regex was being handled on the client side, which I hadn’t considered much at the time—perhaps it shouldn’t have been there. Patience kept me searching for any special characters that might be encoded. Eventually, I found one that was definitely being encoded to HTML: %3C. Now that I had made this discovery, I plugged it into my proxy tool to confirm my findings about the encoding.

The Feeling

Now, I clearly understood what was being filtered and how the filter operated. I decided to double-encode the special characters to see if that would work. Lo and behold, it did! Finding my first vulnerability—though it was low-hanging fruit—filled me with an incredible rush. For the first time in a long while, I felt a deep sense of bliss upon discovering this bug. I didn’t care about its impact; I had actually found a bug. However, I didn’t expect to receive a bounty after reporting it, and that became my next goal in the world of bug bounties.
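To show why the double-encoding worked, and how the filter should have been built, here is an added example (my own illustration, not the program's code): a hypothetical filter that URL-decodes once and regex-checks for angle brackets, a later rendering step that decodes again, and a hardened version that canonicalizes input until it stops changing and escapes on output.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical filter modelled on the one described above: a regex that
# looks for "<" and ">" after ONE round of URL-decoding.
TAG_CHARS = re.compile(r"[<>]")

def filter_once_then_store(raw: str) -> Optional[str]:
    """Vulnerable pattern: decode once, check, store the decoded value.
    Returns the value that gets stored, or None if rejected."""
    decoded = unquote(raw)
    if TAG_CHARS.search(decoded):
        return None
    return decoded

def render_unsafe(stored: str) -> str:
    """A later rendering step that URL-decodes again and inserts the value
    into HTML without escaping. The second decode is what turns a
    double-encoded value back into markup after the check has passed."""
    return "<p>" + unquote(stored) + "</p>"

def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Hardened pattern: decode until the value stops changing, so a
    double- (or triple-) encoded input is judged in its final form."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def render_safe(raw: str) -> str:
    """Canonicalize on input, HTML-escape on output. No blocklist regex is
    needed: whatever text is stored, it cannot become markup."""
    return "<p>" + html.escape(canonicalize(raw)) + "</p>"

# Constructed sample inputs (not from the post): "<b>hi</b>" URL-encoded
# once and twice (%25 is the encoding of "%" itself).
SINGLE = "%3Cb%3Ehi%3C/b%3E"
DOUBLE = "%253Cb%253Ehi%253C/b%253E"
```

The single-encoded value is caught by the regex, the double-encoded one slips through and becomes live markup in `render_unsafe`, while `render_safe` renders both as harmless text.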

Conclusion

From this experience, I’ve learned that bug bounties are an excellent way to start hacking real-world applications. They provide opportunities to understand potential vulnerabilities while also offering anyone the chance to earn some money. However, it’s crucial to focus on impact rather than merely ticking off tasks, which is something I initially did. By the way, the stored XSS bypass was the only bug I found in that program.