The latest articles on DEV Community by Bilal Khan (@bilalmerokhel). https://dev.to/bilalmerokhel https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F116528%2F5726aae5-ea1c-4590-bbb5-31b9e66902c5.jpg https://dev.to/bilalmerokhel en Bilal Khan Tue, 09 Jul 2019 06:28:14 +0000 https://dev.to/bilalmerokhel/the-bug-which-worth-2k-48cm https://dev.to/bilalmerokhel/the-bug-which-worth-2k-48cm <p>I was testing around a public program on <a href="https://www.bugcrowd.com">Bugcrowd</a>. The program does not allow public disclosure so I will call it <strong>redacted.com</strong>, it was public for about 7 years and lots of 1337 (<em>1337 =&gt; hackers</em>) have tried it for security vulnerabilities, so I was testing around and was so frustrated, as those were my starting days. Being frustrated I took a break and thought what am I doing I revert back the 1337 methodology which is <strong>try harder</strong>. I took a break and got to sleep after waking up I realize a request which was fetching my saved items so I immediately turn my laptop on and started looking for the request by capturing the request with <a href="https://portswigger.net">BurSuit</a> so, there was a request which retrieved my saved items and it was sent via <a href="https://graphql.org">GraphQL</a> to the server after entering a semicolon to the saved <code>saved_items_id</code> got the <code>SQL syntax error</code>. After reporting the issue within a week got 2k$ bounty and an immediate fix was applied to the endpoint<br> </p> <blockquote class="ltag__twitter-tweet"> <div class="ltag__twitter-tweet__media"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7nG19JCX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://pbs.twimg.com/media/Dz60yFBXgAAtRD-.jpg" alt="unknown tweet media content"> </div> <div class="ltag__twitter-tweet__main"> <div class="ltag__twitter-tweet__header"> <img class="ltag__twitter-tweet__profile-image" src="https://res.cloudinary.com/practicaldev/image/fetch/s--Bi_LshcD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://pbs.twimg.com/profile_images/846258588863512576/XcMcQseC_normal.jpg" alt="🇵🇰 profile image"> <div class="ltag__twitter-tweet__full-name"> 🇵🇰 </div> <div class="ltag__twitter-tweet__username"> @this_rex </div> <div class="ltag__twitter-tweet__twitter-logo"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--P4t6ys1m--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://practicaldev-herokuapp-com.freetls.fastly.net/assets/twitter-f95605061196010f91e64806688390eb1a4dbc9e913682e043eb8b1e06ca484f.svg" alt="twitter logo"> </div> </div> <div class="ltag__twitter-tweet__body"> I earned💲2000 for my submission on <a href="https://twitter.com/Bugcrowd">@Bugcrowd</a> <a href="https://t.co/6YwomSKPDU">bugcrowd.com/bilalkhan</a> <a href="https://twitter.com/hashtag/bugbounty">#bugbounty</a> <a href="https://twitter.com/hashtag/ItTakesACrowd">#ItTakesACrowd</a> </div> <div class="ltag__twitter-tweet__date"> 09:25 AM - 21 Feb 2019 </div> <div class="ltag__twitter-tweet__actions"> <a href="https://twitter.com/intent/tweet?in_reply_to=1098514139176226816" class="ltag__twitter-tweet__actions__button"> <img src="/assets/twitter-reply-action.svg" alt="Twitter reply action"> </a> <a href="https://twitter.com/intent/retweet?tweet_id=1098514139176226816" class="ltag__twitter-tweet__actions__button"> <img src="/assets/twitter-retweet-action.svg" alt="Twitter retweet action"> </a> 2 <a href="https://twitter.com/intent/like?tweet_id=1098514139176226816" class="ltag__twitter-tweet__actions__button"> <img src="/assets/twitter-like-action.svg" alt="Twitter like action"> </a> 15 </div> </div> </blockquote> security api graphql sql