How did I earned 6000$ from tokens and scopes in one day

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on email

I don’t do bug bounty quite often because it’s very hard to find something interesting and to be the first reporter… but the other day was different.

I opened my email and saw an invitation for a private Hackerone program. I took a look at it and the bounties were attractive so I said why not?

FIRST STAGE ( Recon )

Scope was very reduced, only two hosts:

api.company.comapp.company.com

I created an account and then I started to sniff my traffic with Burp, first look revealed that they were using Auth0 for handling authentication, Express.JS for the web and JWT for sessions.

First thing I tried was to change the alg of JWT to none and then impersonate some employee but that its too obviously. None is not an algorithm valid said an error message.

One feature of the application is you can invite users to a group and then change their account’s privileges/scopes.

At that point I was very focused on gain privileges and escalate my account to employee. After reading thousands lines of javascript code

Read the article