This is a great post on bug bounty reddit! OP reported an IDOR, gets paid $2,000, and then realizes it never was IDOR. It's just a cached response... - ThreadSky

About ThreadSky

liveoverflow.bsky.social • 44 days ago

This is a great post on bug bounty reddit!

OP reported an IDOR, gets paid $2,000, and then realizes it never was IDOR. It's just a cached response...

Comments

testalways.bsky.social•40 days ago

Bug bounty is a social affair not technical

0xkratos.bsky.social•42 days ago

Be like OP.

liveoverflow.bsky.social•44 days ago

Those are the real bug bounty tricks nobody talks about :P Faking bugs!!!

Jokes aside, that's not the end of the story!
A fellow hunter asks some clarifying questions. Browser cache? Server side cache? Or maybe even a service worker?

liveoverflow.bsky.social•44 days ago

OP clarifies it's not the browser cache. Server-side cache would still be exploitable, right?

But no... OP explains that it's not exploitable, because an attacker cannot guess the random cache key parameter :(

liveoverflow.bsky.social•44 days ago

This is the kind of issue where you need to change your perspective. If you are stuck with "we as the attacker want to directly access cached data", you will miss the obvious.

Turns out, we can control the cache parameter, by forcing the victim to visit the link with our value!!

liveoverflow.bsky.social•44 days ago

This was really a good conversation!

1. OP is capable to self-reflect and be humble
2. Commenters are knowledgable and they asked the right questions
3. And OP genuinely engaged with the responses

Source: https://www.reddit.com/r/bugbounty/comments/1i8dbi1/should_i_refund_the_payment_for_my_report/

blotz.dev•43 days ago

Respect for coming out with it! I would have been mortified if I found out I submitted a false bug

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply