How I earn 750$ with Out of Scope (ClickJacking) on HackerOne :D

Hey everyone, I'd like to share how I found a simple misconfiguration (no password confirmation on the account delete functionality) and chained it with clickjacking. I was looking for something to hunt when I received a new invite on HackerOne, and thought: wow, it's time to earn something with low-hanging fruit. I always try low-hanging fruit first; I keep a small list of low-hanging issues that can be tested anywhere, with no prior information about the target, and I always go through it before starting recon.
No password confirmation on the account delete functionality is also on my testing list; the only reason it's there is that it mostly gets triaged on Bugcrowd. Hahaha

I found it on a private program, so the policy doesn't allow me to disclose the program name. When I visited the program I didn't find anything from my testing list, but when I created an account and visited My Profile I found the account delete functionality. I accidentally triggered the button and, shit, the account was deleted.
I'm as lazy as an alligator, so rather than create another account right away I closed the target (generally like the saying "Kaun Mennat Kare", roughly "who can be bothered") and went off to watch YouTube.

The next day I created an account again and tried to find privilege and IDOR issues, but didn't get anything. I knew that the issue under discussion would surely be addressed as N/A on its own. So I thought: let's make a forged game page with a Start button, so that when the victim clicks that button his/her account gets wiped out.

I created an HTML game page with such a button and wrote a simple report.
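The chain above works only because two things are missing on the target: a framing restriction on the profile page, and a password re-check on the delete action. The block below is an added example, not code from the original post or from the affected program; it shows the defender's two checks. `frame_protection()` audits a response's headers for clickjacking protection (handling the CSP-overrides-X-Frame-Options and deprecated `ALLOW-FROM` cases), and the constructed in-memory `AccountStore` refuses to delete an account unless the current password is supplied again. All header values and user records are constructed for illustration.

```python
"""Added example (not from the original post): the two server-side fixes
that break the clickjacking + no-confirmation chain. frame_protection()
audits whether a response's headers let another site frame the page, and
AccountStore.delete_account() refuses to wipe an account unless the
current password is re-supplied."""
import hashlib
import hmac
import os
from typing import Dict, Mapping, Optional, Tuple


def frame_protection(headers: Mapping[str, str]) -> str:
    """Classify a response as "blocked" (cross-origin framing prevented) or
    "open" (any site can frame the page, so a decoy button can sit on top
    of a real one).

    CSP frame-ancestors wins over X-Frame-Options when both are present,
    because browsers that support it ignore X-Frame-Options in that case.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    # 1. Content-Security-Policy: frame-ancestors
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            # '*' or a bare scheme ("https:") allows any origin; an empty
            # source list matches nothing, i.e. behaves like 'none'.
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "open"
            return "blocked"

    # 2. X-Frame-Options (legacy, but still honoured by browsers)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "blocked"
    # ALLOW-FROM is ignored by current browsers, so it protects nothing;
    # a missing or unrecognised value likewise leaves the page framable.
    return "open"


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; constructed stand-in for the real password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountStore:
    """Constructed in-memory user store standing in for the real backend."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def exists(self, username: str) -> bool:
        return username in self._users

    def delete_account(self, username: str, password_confirmation: Optional[str]) -> bool:
        """Destructive action. Returns True only when the caller proved they
        hold the current password; a one-click delete with no confirmation
        is exactly what a framed decoy button can trigger on a logged-in user."""
        record = self._users.get(username)
        if record is None or password_confirmation is None:
            return False
        salt, stored = record
        supplied = _hash_password(password_confirmation, salt)
        if not hmac.compare_digest(stored, supplied):
            return False  # wrong password: keep the account
        del self._users[username]
        return True


if __name__ == "__main__":
    print(frame_protection({"X-Frame-Options": "DENY"}))  # blocked
    print(frame_protection({}))  # open
    store = AccountStore()
    store.create("alice", "correct horse battery staple")
    print(store.delete_account("alice", None))  # False
    print(store.delete_account("alice", "correct horse battery staple"))  # True
```

Either fix alone would have closed this report: with `frame-ancestors 'none'` the forged game page cannot overlay the real button, and with a password re-check the delete request carries nothing a framed click can supply. Note that `SAMEORIGIN` counts as blocked here only for cross-origin framers; a page on the same site could still frame it, so `frame-ancestors 'none'` is the stricter choice for a profile page that has no legitimate reason to be embedded.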


They marked it as N/A 4 times, because clickjacking and missing password confirmation are generally out of scope in managed programs. In my last comment before the submission was locked, I attached a PoC showing the real impact of the reported issue. They marked it as N/A again, for the 5th time, and locked the submission.

After 3 days HackerOne staff unlocked the submission and marked it as Triaged.

Bingo!!!! After one month, $750 was credited.

Thanks for Reading!

Shahrukh Rafeeq

I'm an entrepreneur, freelance security consultant and bug hunter with years of experience and a deep interest in the InfoSec industry. I love to speak and write about web and mobile application pen-testing and bug bounty. You can reach me at

3 thoughts on “How I earn 750$ with Out of Scope (ClickJacking) on HackerOne :D”

  • November 24, 2019 at 6:02 pm

    Can you share your low findings list... so that it will be helpful for beginners
