How a Duo of Students Hacked a Corporate Asset: A HackerOne Deep Dive + Video

Listen to this Post

Featured Image

Introduction:

In a compelling display of collaborative cybersecurity prowess, two students from Cyber Bangla Ltd., Md Shakibul Islam and axosolaman, successfully identified and reported a valid security vulnerability to a corporate entity on HackerOne. Their report was accepted and rewarded, highlighting the critical importance of structured learning, teamwork, and persistence in the field of ethical hacking. This article dissects the methodology likely used in such a collaboration, providing a technical roadmap for aspiring bug bounty hunters.

Learning Objectives:

  • Understand the workflow of a successful bug bounty collaboration on platforms like HackerOne.
  • Learn how to perform initial reconnaissance and vulnerability scanning using open-source tools.
  • Master the art of writing a professional, high-impact security report that gets accepted.
  • Identify common web application vulnerabilities and how to exploit them ethically.

You Should Know:

1. Phase 1: Reconnaissance and Asset Discovery

Before writing a single line of an exploit, a successful bug bounty hunter maps the terrain. The collaboration between Shakibul and axosolaman likely began with extensive reconnaissance. This involves identifying all subdomains, open ports, and running services of the target company.

Step‑by‑step guide to basic recon:

a) Subdomain Enumeration (Linux):

Use tools like `Sublist3r` and `Amass` to find hidden entry points.

 Install Sublist3r
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt

Run against target (replace example.com with the target domain)
python sublist3r.py -d example.com -o subdomains.txt

Use Amass for deeper enumeration
amass enum -d example.com -o amass_results.txt

b) Port Scanning with Nmap:

Once you have live hosts, identify which services are running.

 Scan the top 1000 ports of a discovered subdomain quickly
nmap -sV -sC -T4 subdomain.example.com -oN nmap_scan.txt

Scan for all ports (more thorough, but slower)
nmap -p- -sV subdomain.example.com -oN full_port_scan.txt

c) HTTP Service Probing (Windows – PowerShell):

Check which discovered hosts are running web servers.

 Read list of subdomains and check HTTP status codes
$subdomains = Get-Content .\subdomains.txt
foreach ($domain in $subdomains) {
try {
$response = Invoke-WebRequest -Uri "http://$domain" -TimeoutSec 5 -ErrorAction Stop
Write-Host "$domain - Status: $($response.StatusCode)"
} catch {
Write-Host "$domain - Failed"
}
}

2. Phase 2: Vulnerability Identification and Exploitation

After mapping the assets, the next step is to probe for weaknesses. This is where the technical expertise from their training at Cyber Bangla Ltd. came into play. They likely focused on OWASP Top 10 vulnerabilities. A common finding could be an IDOR (Insecure Direct Object Reference) or a Broken Access Control issue.

Scenario: Exploiting an IDOR in an API Endpoint

Imagine the target application has an API endpoint that displays user invoices. The normal request might look like this:

`GET /api/v1/user/invoice?invoice_id=12345`

Step‑by‑step guide to testing for IDOR:

a) Intercepting the Request:

Use a proxy tool like Burp Suite.

  1. Configure your browser to route traffic through Burp (127.0.0.1:8080).

2. Navigate to the invoice page.

  1. In Burp’s “Proxy” > “HTTP History,” find the request for the invoice.

b) Manipulating the Parameter (Linux/Windows – curl):

Send the request to Burp Repeater (Ctrl+R). Try to change the `invoice_id` to a different number, such as one belonging to another user.

 Original request (mocked)
curl -X GET "https://target.com/api/v1/user/invoice?invoice_id=12345" \
-H "Authorization: Bearer [bash]" \
-H "User-Agent: Mozilla/5.0"

Modified request attempting to access another user's invoice
curl -X GET "https://target.com/api/v1/user/invoice?invoice_id=54321" \
-H "Authorization: Bearer [bash]" \
-H "User-Agent: Mozilla/5.0"

If the API returns the data for invoice 54321, it is vulnerable to IDOR. A successful collaboration would involve one hunter finding the endpoint and the other confirming the exploit’s impact.

3. Phase 3: Writing the Professional Report

The acceptance of the report on HackerOne is the final and most crucial step. A vague report gets closed as “Informative.” A detailed, well-structured report gets a bounty.

Template for a High-Impact Bug Bounty Report:

1. Vulnerability Type: Insecure Direct Object Reference (IDOR)

  1. Affected Endpoint: `https://target.com/api/v1/user/invoice`
  2. Description: The application fails to verify if the authenticated user is authorized to view the invoice associated with the provided `invoice_id` parameter. This allows a malicious user to enumerate invoice IDs and view sensitive financial data of other platform users.

4. Steps to Reproduce:

Log in as User A.

Navigate to the “My Invoices” page and intercept the request for invoice `12345` using Burp Suite.
Change the `invoice_id` parameter from `12345` to `54321` and forward the request.
Observe that the response contains the full name, address, and purchase history of User B, confirming unauthorized access.
5. Proof of Concept (PoC): (Include a screenshot or a video clearly showing the request and the leaked data, with sensitive information redacted).
6. Impact: Unauthorized disclosure of Personally Identifiable Information (PII) and financial records, leading to privacy violations and potential fraud.
7. Recommended Fix: Implement server-side authorization checks. Ensure the `invoice_id` belongs to the user making the request before returning any data.

  1. Phase 4: Mitigation and Hardening (The Defender’s Perspective)
    Understanding how to fix the bug is as important as finding it. For the IDOR example, developers can implement a robust access control mechanism.

Code Snippet (Conceptual – Node.js/Express):

// Vulnerable Code
app.get('/api/user/invoice', (req, res) => {
const invoiceId = req.query.invoice_id;
// Directly fetches invoice without checking ownership
db.getInvoice(invoiceId).then(invoice => res.json(invoice));
});

// Mitigated Code
app.get('/api/user/invoice', (req, res) => {
const invoiceId = req.query.invoice_id;
const userIdFromSession = req.session.userId; // Get logged-in user

// Check if the invoice belongs to the logged-in user
db.checkInvoiceOwnership(invoiceId, userIdFromSession).then(isOwner => {
if (isOwner) {
db.getInvoice(invoiceId).then(invoice => res.json(invoice));
} else {
res.status(403).json({ error: 'Access Denied' });
}
});
});

This simple check prevents the horizontal privilege escalation vector.

What Undercode Say:

  • Teamwork Amplifies Impact: This collaboration proves that two minds are better than one in cybersecurity. While one researcher focuses on breadth (recon), the other can focus on depth (exploitation), leading to a more comprehensive and impactful finding.
  • Training is the Foundation: The acknowledgment of “Cyber Bangla Ltd.” and mentor Foysal Hossain underscores that structured education accelerates a hacker’s journey. It transforms raw talent into a disciplined methodology that corporate security teams trust.
  • Quality Reporting Wins Bounties: The acceptance of the report wasn’t just about finding a bug; it was about clearly communicating the risk to the company. A well-documented report with a clear business impact is what separates a duplicate finding from a paid one.

Prediction:

As bug bounty platforms become more crowded, collaboration will become a dominant strategy for success. We will likely see the rise of formalized “hacking duos” or small teams that combine web, mobile, and API expertise. Furthermore, the integration of AI-assisted code review tools will expedite the initial triage for hunters, allowing them to focus their manual testing efforts on complex, business-logic flaws like the one discovered by these two students. The future of bug hunting is collaborative, specialized, and deeply technical.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Md Shakibul – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky