How I earned my first bounty.
Greetings to all the amazing hackers out there. I am Shubham Ghosh, a penetration tester and a newcomer to the world of bug bounty, from Jharkhand, India. This is my first write-up, so please pardon any grammatical mistakes.
I consider myself lucky to have landed my first valid bug after only 4 duplicates. I never gave up or got demotivated, because I knew all the bugs I had submitted were valid; it was just that somebody had reported them before me.
Without wasting more time, let's jump into the bug. Let's call the target target.com, as I can't disclose the actual target for certain reasons. The web application had a signup page with a CAPTCHA (Google reCAPTCHA) meant to stop bots from spamming the application by creating accounts. Seeing this, I thought of trying the traditional CAPTCHA bypass. I quickly filled in the signup form, solved the CAPTCHA, and intercepted the request in Burp Suite. The request looked like the screenshot below.
I simply removed the g-recaptcha-response={value} parameter from the body and forwarded the request, and boom, the account was created without the CAPTCHA ever being validated. The issue was entirely on the server side: the reCAPTCHA widget only runs in the browser and produces a token, and it is the server's job to send that token to reCAPTCHA's verification endpoint and reject the request when the token is missing or fails. Here the server never looked at the g-recaptcha-response parameter at all, so the CAPTCHA was purely decorative.
The screenshot above shows the manipulated request: I sent it to Repeater, changed the values, and tried to create a different account without the CAPTCHA, and I was able to do so every time. I quickly wrote a report and sent it to the company. Now comes the fun part: I got a reply that this issue basically falls under DoS, which was out of scope, but they still accepted it as a valid issue, decided to fix it, and even paid me a bounty. That was a next-level feeling, as it was the first bounty I ever earned.
To be clear, this is a low-severity bug, but you can add it to your checklist and test for it wherever an application uses a CAPTCHA (signup, login, password reset, contact forms): solve the CAPTCHA once, capture the request, then replay it with the g-recaptcha-response parameter removed, emptied, or replaced with a stale or forged value, and see whether the server still accepts it. Hope I could add some value to you all with this write-up.
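To make the server-side mistake and its fix concrete, here is an added example (my own illustration, not code from the target application or from the write-up). It models the signup handler described above in two forms: a vulnerable one that never reads `g-recaptcha-response`, and a fixed one that sends the token to the reCAPTCHA siteverify endpoint before creating the account and fails closed on any error. The `bypass_check` function performs the test from the checklist paragraph: it replays a captured signup request with the CAPTCHA parameter stripped. The handler names, the in-memory user store, the expected hostname `target.com`, the sample form values and the offline `fake_siteverify` transport are all assumptions made for the example; the real `siteverify_http` transport posts to Google's documented `https://www.google.com/recaptcha/api/siteverify` endpoint.

```python
"""Signup with and without server-side reCAPTCHA verification.

Added illustration; handler names, store, hostname and sample data are assumed.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOSTNAME = "target.com"   # assumed: the placeholder host from the write-up


def siteverify_http(secret, token, remoteip=None, timeout=5):
    """Real transport: POST secret+token to siteverify and return the JSON verdict."""
    data = {"secret": secret, "response": token}
    if remoteip:
        data["remoteip"] = remoteip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def verify_recaptcha(form, secret, transport=siteverify_http):
    """Return True only when the verification service confirms the token.

    Fails closed: a missing or empty parameter (the bypass in the write-up),
    a transport error, success=False, or a token solved on another hostname
    all reject the request.
    """
    token = form.get("g-recaptcha-response", "")
    if not token:
        return False
    try:
        result = transport(secret, token)
    except Exception:          # timeout, DNS failure, malformed JSON: do not let the signup through
        return False
    if result.get("success") is not True:
        return False
    if result.get("hostname") != EXPECTED_HOSTNAME:
        return False
    return True


def signup_vulnerable(form, users):
    """Mirrors the bug: the CAPTCHA parameter is never looked at."""
    email = form.get("email", "")
    if not email or email in users:
        return 400, "invalid or duplicate email"
    users[email] = form.get("password", "")
    return 201, "account created"


def signup_fixed(form, users, secret, transport=siteverify_http):
    """Same handler, but the CAPTCHA is verified before any account is created."""
    if not verify_recaptcha(form, secret, transport):
        return 403, "captcha verification failed"
    return signup_vulnerable(form, users)


def fake_siteverify(valid_tokens, hostname=EXPECTED_HOSTNAME):
    """Offline stand-in for siteverify (assumed): only tokens in valid_tokens succeed."""
    def transport(secret, token):
        if token in valid_tokens:
            return {"success": True, "hostname": hostname}
        return {"success": False, "error-codes": ["invalid-input-response"]}
    return transport


def bypass_check(signup, **handler_kwargs):
    """The checklist test: replay a captured signup with g-recaptcha-response removed.

    Returns the status the handler gives the CAPTCHA-less request:
    201 means the CAPTCHA is decorative, 403 means it is enforced.
    """
    captured = {  # constructed sample request, as intercepted in the proxy
        "email": "attacker@example.com",
        "password": "hunter2",
        "g-recaptcha-response": "03AGdBq25-solved-token",
    }
    stripped = {k: v for k, v in captured.items() if k != "g-recaptcha-response"}
    status, _ = signup(stripped, {}, **handler_kwargs)
    return status


if __name__ == "__main__":
    transport = fake_siteverify({"03AGdBq25-solved-token"})
    print("vulnerable handler:", bypass_check(signup_vulnerable))
    print("fixed handler:", bypass_check(signup_fixed, secret="secret", transport=transport))
```

Two design points worth noting: the check must reject on any failure path, not just on `success: false`, because an attacker who can make the verification call time out should not get a free pass; and checking `hostname` in the response matters because a reCAPTCHA token can be solved on any page that embeds your public site key, so a token harvested elsewhere would otherwise verify fine. The real siteverify endpoint also treats tokens as single-use, which closes the replay variant of the checklist test.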
Until next time. Peace.