My first bug bounty: A simple CAPTCHA bypass

Abhijith Kumar
Feb 27, 2020

In this article, I am going to write a brief story on how I found my first bug in a bug bounty program.

I am not allowed to disclose the name of the company or the website that was hosted on the bug bounty program, so I will call the company XYZ and the website, XYZ.com.

This company had hosted its website on Bugcrowd. I remember spending hours on this website with multiple pentesting tools like Burp Suite, Zed Proxy, etc., hoping to magically find a bug without digging deep. During my bug hunting period, reading the write-ups of other bug bounty hunters proved to be very resourceful and I noticed that almost all of them rarely used more than two or three tools for bug hunting. The more I read these write-ups, the more I was convinced that I was wasting my time with these tools.

I changed my strategy and thought about listing the attack surfaces and proceeding from there. From there, it didn’t take me long to stumble upon a web page to send a ‘forgot password’ request to your email. It had a captcha above the submit button, and until you verified that you were a human, the submit button was blocked.

That moment for me felt somewhat like déjà vu because I had read something about bypassing captcha in someone else’s write-up. I started inspecting the HTML element for the submit button and found an attribute called ‘disabled’. I just removed it, after which I was able to click on the submit button. On clicking on the submit button, the captcha was bypassed and I was able to send a password recovery message to my email.
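The behaviour described above comes from enforcing the CAPTCHA only in the browser: the `disabled` attribute is client-side state, so the server has to verify the CAPTCHA result itself. The following is an added example (not part of the original post, and not XYZ.com's code) contrasting a handler that trusts the browser with one that checks a single-use token on the server. All names, the token value and the in-memory verifier are constructed stand-ins for a real CAPTCHA provider's verification call.

```javascript
// Constructed example: every name and value here is hypothetical.
function makeForgotPassword(issuedTokens) {
  const sentMail = []; // records reset mails instead of sending them

  // Stand-in for the provider's server-side verification call.
  // Tokens are single use: delete() consumes the token, so a replay fails.
  const verify = (token) =>
    typeof token === 'string' && issuedTokens.delete(token);

  return {
    sentMail,

    // Weak: the only gate is the button state in the browser, so any
    // request that reaches the server triggers a reset mail.
    weak(form) {
      sentMail.push(form.email);
      return { status: 200 };
    },

    // Hardened: no verified CAPTCHA token, no reset mail.
    hardened(form) {
      if (!verify(form.captchaToken)) {
        return { status: 400, error: 'captcha verification failed' };
      }
      sentMail.push(form.email);
      return { status: 200 };
    },
  };
}

function demo() {
  const svc = makeForgotPassword(new Set(['tok-solved-1'])); // constructed token
  // Form as submitted when the CAPTCHA was never solved: no token field.
  const unsolved = { email: 'user@example.com' };
  const solved = { email: 'user@example.com', captchaToken: 'tok-solved-1' };
  return {
    weakUnsolved: svc.weak(unsolved).status,
    hardenedUnsolved: svc.hardened(unsolved).status,
    hardenedSolved: svc.hardened(solved).status,
    hardenedReplay: svc.hardened(solved).status, // same token sent again
    mailsSent: svc.sentMail.length,
  };
}

console.log(demo());
```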

I quickly made a report. While making the report, I was nervous because I felt that the bug that I found was hardly a security flaw and it was my first time submitting a report. But I went on with it anyway.

After two days, I heard from the company saying that my bug had been accepted and I was awarded some points, which wasn’t much since it didn’t have any serious security impact.

As for me, I was just happy since this was my first successful bug report and it felt like a good start.