This post shares how I earned a USD 1,250 bounty by spending just 30 minutes on a new target. The target is a private program on HackerOne, so I am not allowed to disclose anything about it. Let's use redacted.com as the name of the target.
When approaching a new target, I always test the application's functionality first, before fuzzing for other subdomains and directories. Among all the functions, I start with account-related ones such as user registration, changing the contact email, and password reset. Because if bugs…