Starting Bug Bounty ? | Bug Bounty Resources

Hey all 🙂

This post is not about any of my findings; it's about bug bounty resources for learners. No matter whether you are starting out or experienced, there is always something to learn from others.

And if you are just starting in bug bounty, then surely this is going to be a helpful post, and somewhat necessary, as nowadays I have seen many new guys starting bug bounty after seeing that $$. It's good that you want to make $$ from it, but before that you should understand the process, quality and report writing, which will help you make more $$, so it's better to understand first and then go for it.

So here I am going to add some links which have lots of info, resources and writeups about what I was talking about before.

Apart from this, here are some GitHub projects which maintain a huge list of categorized writeups and links to blogs of frequent & successful bug hunters.

All the resources were originally shared by HackerOne, BugCrowd, Jack, Philippe, Alphr, Chan Ngai Long, Dheeraj Joshi.

Hope it will be useful.



Uber | Exploiting Stored URL Redirect in Password Reset Token

Hello Friends !

While trying my luck with Uber I came across a weird behavior in the application which is not very common in today's world.

I was messing around with Uber's password reset token generation. While requesting a password reset link, I appended a known GET parameter to the password reset request, one I had noticed before while checking for URL redirect issues in their OAuth implementation.

It was the NEXT parameter, which is responsible for the next URL or page after a successful login.

So now, coming to the password reset page: normally the Uber password reset page URL looks like https://login.uber.com/forgot-password , whereas the crafted URL looks like https://login.uber.com/forgot-password?source=auth&next_url=evil.com .

So once a user requests a password reset token via the crafted link, the user will get a password reset token, and once the user sets his new password, the user will be redirected to evil.com.

It's a bug, but as we know Uber doesn't accept URL redirect issues unless there is something special. As the URL redirect takes place during password reset, I needed to take advantage of it.

I made a form which looks the same as the Uber form and asks for Confirm Password after the user sets his New Password, which looks like:


I used the data: scheme to make sure it looks more legit instead of using any direct URL.

So now the scenario is:

  • Attacker will request password reset token via crafted Link.
  • Let’s assume user reset his password via reset link.
  • User will set & confirm the new password.
  • Attacker will get the user's new password.

As we can see, it's not a win-win case; we still depend on whether the user chooses to reset his account or not. But it may still happen, and in that situation the attacker will get the password of the user's account. So Uber decided to fix it once I reported it, and they were very quick to acknowledge the report. I suggest participating in the Uber bug bounty program.

Here is the Video POC :

HackerOne Report Thread #163067
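
The server-side check that closes this class of bug is to validate `next_url` before it is stored with the reset flow. The following is an added example, not code from the original post or from Uber; the allow-list contents, the fallback path and the function name are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only host this login service may send users to after a reset.
ALLOWED_HOSTS = frozenset({"login.uber.com"})
DEFAULT_NEXT = "/"  # hypothetical fallback landing page


def safe_next_url(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_NEXT):
    """Return raw if it is an acceptable post-reset redirect target, else default."""
    if not raw:
        return default
    # Browsers drop tabs/newlines and read "\" as "/", so refuse both outright.
    if any(ord(ch) < 0x21 or ch == "\\" for ch in raw):
        return default
    try:
        parts = urlsplit(raw)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative target: only a path on this origin, never "//host" or "host.tld".
        return raw if raw.startswith("/") and not raw.startswith("//") else default
    # Absolute target: https only (rejects data:, javascript:, http:),
    # no userinfo tricks, and an exact host match rather than a substring test.
    if parts.scheme != "https" or "@" in parts.netloc:
        return default
    return raw if parts.hostname in allowed_hosts else default


# Constructed inputs, including the two kinds of value the post mentions.
SAMPLES = [
    "evil.com",
    "data:text/html,<form>confirm</form>",
    "//evil.com/reset",
    "https://login.uber.com.evil.com/",
    "https://login.uber.com@evil.com/",
    "/\\evil.com",
    "https://login.uber.com/account",
    "/dashboard",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {safe_next_url(sample)!r}")
```
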


Hijacking tons of Instapage expired users Domains & Subdomains

Hello all 🙂

So this post is about how I was able to hijack tons of domains/subdomains of those using Instapage if their service had expired.

What is Instapage?

Instapage is a service that lets you build landing pages for your online marketing and promotion campaigns with ease. It offers features such as A/B Testing, multiple campaign management, easy page building, and a lot more!

It also allows users to map its templates onto their own domains or subdomains.

How I found it?

As I am one of the researchers on the HackerOne platform, I was trying to find something on HackerOne itself, as I wanted that Hacking Hackers badge on my profile.

I found hacker.one in the in-scope domain list, which is one of the official websites of HackerOne. When I visited it I saw an error which caught my eye, and after figuring it out I came to know it was an Instapage error which occurs when the service has expired or the domain or subdomain is not linked properly. It took just a few minutes to figure out that I could publish my own template to any of the misconfigured and expired domains/subdomains of Instapage, and luckily HackerOne was one of their users.

Instapage error on Hacker.One :



Vulnerable Post Request :

POST /ajax/builder2/publish/2340488 HTTP/1.1
Host: app.instapage.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://app.instapage.com/builder2?id=2340488
Content-Length: 31
Cookie: cookie_value
Connection: close


where the url parameter value contains the vulnerable domains.

Hacker.One domain Takeover : 



Here is the Video POC :

And with the help of a Google dork and the Instapage error, I found that tons of websites are vulnerable to this and anyone can take them over with their own content. I contacted Instapage via HackerOne.

HackerOne fixed it following the report by removing the CNAME entry pointing to Instapage, and later Instapage fixed it completely; I got confirmation of the fix via the HackerOne report thread.

Thanks to HackerOne for being a mediator in contacting Instapage and fixing things the correct way.

HackerOne report thread : #159156
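
On the domain owner's side, the condition behind this takeover is a CNAME that still points at the landing-page provider after the hostname is no longer claimed in the provider account. The following is an added example of auditing your own zone for that condition, not code from the original post; the provider suffix is a placeholder rather than Instapage's real CNAME target, and the zone records and claimed-domain export are constructed.

```python
# Placeholder suffix for the landing-page provider's CNAME targets (assumption).
PROVIDER_SUFFIXES = ("pages.provider.example",)


def norm(name):
    """Normalise a DNS name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def dangling_cnames(records, claimed, suffixes=PROVIDER_SUFFIXES):
    """Return (hostname, final_target) pairs that reach the provider unclaimed.

    records: iterable of (name, type, target) from your own zone export.
    claimed: hostnames currently published in your provider account.
    """
    cname = {norm(n): norm(t) for n, rtype, t in records if rtype.upper() == "CNAME"}
    claimed = {norm(c) for c in claimed}
    findings = []
    for name in sorted(cname):
        target, seen = cname[name], {name}
        # Follow alias chains inside the zone; "seen" guards against CNAME loops.
        while target in cname and target not in seen:
            seen.add(target)
            target = cname[target]
        at_provider = any(target == s or target.endswith("." + s) for s in suffixes)
        # The provider routes on the hostname the visitor used, so that is the
        # name that must be claimed, even when it is an alias of an alias.
        if at_provider and name not in claimed:
            findings.append((name, target))
    return findings


# Constructed zone export and provider inventory.
ZONE = [
    ("www.corp.example.", "CNAME", "lp.corp.example."),
    ("lp.corp.example.", "CNAME", "abc123.pages.provider.example."),
    ("promo.corp.example.", "CNAME", "DEF456.pages.provider.example."),
    ("shop.corp.example.", "CNAME", "store.othercdn.example."),
    ("corp.example.", "MX", "mx.corp.example."),
]
CLAIMED = {"lp.corp.example"}

if __name__ == "__main__":
    for host, target in dangling_cnames(ZONE, CLAIMED):
        print(f"remove or re-claim: {host} -> {target}")
```

Each finding is a record to delete or a hostname to re-claim, which matches the fix described above: removing the CNAME entry that pointed to the provider.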