The Story of How I Hacked My Favorite Coffee Shop

JC
2 min read · Oct 23, 2023

Hey there, it’s been a while since I shared my first bug bounty story. You can check it out here if you’re interested.

The Story

I used to visit this coffee shop almost every week. Then, one day, just before heading back to my place, I had a thought: “Does this coffee shop have a website?” 🤔 So, I fired up Google to find out, and indeed, they did have one.

I clicked the link, and a sleek website appeared. I decided to check the website’s technology stack using Wappalyzer and discovered that it was built with Laravel. As you probably know, I didn’t want to waste my time trying to hack into the login panel, but there was something more intriguing: the Laravel registration page.

I opened the /register URL and found that the page was still active. This meant we could register as many times as we wanted, with the hope that by doing so, we might gain admin privileges on the site. As it turned out, I was right. After registering, I navigated to the login page, and boom, I could log in with my credentials and became an admin.
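For anyone running a Laravel site, here is the same check from the defender's side, as an added example that is not part of the original post or the site's code. It audits `php artisan route:list --json` output for a reachable `register` route and for admin routes guarded only by login. The JSON field names, the `admin` prefix and the `can:`/`role:`/`permission:` middleware names are assumptions, and the sample routes are constructed.

```python
import json

# Constructed sample in the shape of `php artisan route:list --json`.
# Field names and middleware aliases are assumptions for this example.
SAMPLE_ROUTES = json.dumps([
    {"method": "GET|HEAD", "uri": "register", "middleware": ["web", "guest"]},
    {"method": "POST", "uri": "register", "middleware": ["web", "guest"]},
    {"method": "GET|HEAD", "uri": "login", "middleware": ["web", "guest"]},
    {"method": "GET|HEAD", "uri": "admin/orders", "middleware": ["web", "auth"]},
    {"method": "GET|HEAD", "uri": "admin/users",
     "middleware": ["web", "auth", "can:access-admin"]},
])

# Hypothetical aliases for middleware that checks a role or ability,
# as opposed to `auth`, which only proves the caller is logged in.
AUTHZ_PREFIXES = ("can:", "role:", "permission:")


def _middleware(route):
    """Return the route's middleware as a list, whatever shape it came in."""
    mw = route.get("middleware") or []
    if isinstance(mw, str):  # tolerate a comma/newline separated string
        mw = [m.strip() for m in mw.replace("\n", ",").split(",") if m.strip()]
    return mw


def audit_routes(route_json, admin_prefix="admin"):
    """Flag open registration and admin routes lacking an authorization check."""
    findings = []
    for route in json.loads(route_json):
        uri = route.get("uri", "").strip("/")
        method = route.get("method", "?")
        mw = _middleware(route)
        if uri == "register":
            findings.append(("open-registration", method, uri))
        elif uri == admin_prefix or uri.startswith(admin_prefix + "/"):
            has_authn = any(m == "auth" or m.startswith("auth:") for m in mw)
            has_authz = any(m.startswith(AUTHZ_PREFIXES) for m in mw)
            if not has_authn:
                findings.append(("admin-unauthenticated", method, uri))
            elif not has_authz:
                # Any account that can log in, including a self-registered one, gets through.
                findings.append(("admin-authn-only", method, uri))
    return findings


if __name__ == "__main__":
    for kind, method, uri in audit_routes(SAMPLE_ROUTES):
        print(f"{kind:22} {method:10} /{uri}")
```

If registration is not needed at all, the `laravel/ui` scaffolding lets you switch the route off with `Auth::routes(['register' => false]);`.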

Timeline

After discovering this, I tried to contact the owner, but as of now, I haven’t received any response. Consequently, I can’t show the admin panel and other details, as the site remains vulnerable.

Moral of the story

  • Well, there isn’t much of a moral here — it’s just a registration page. 😄 But anyway, you get the idea, right? 🤫 Always check that page, and KEEP HACKING! 🔥
