$200 Made in 20 Minutes

in #money, 6 years ago

This is the story of my fastest bounty, which I got on the HackerOne platform. It happened about a year ago, when I got a private invite from Showmax. The program is now public.

Showmax

Showmax is an online subscription video on demand (SVOD) service which launched in South Africa on 19 August 2015.

Vulnerability

So, as usual, I started enumerating subdomains and fired up Sublist3r. I got some domains and started testing them.

One domain that caught my eye was sso.showmax.com.

On sso.showmax.com there was only a login form.

When a user entered wrong credentials, they were shown a failure message. The message parameter was vulnerable to XSS and injection issues.

https://sso.showmax.com/auth/failure?message=PAYLOAD&strategy=ldap

[Screenshot: showmax.PNG]
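To make the root cause concrete, here is an added example (not Showmax code, and not from the original post) that models a failure page like `/auth/failure?message=...`: the unsafe pattern that interpolates the query value straight into HTML, beside two hardened forms (HTML-escaping the value, and never reflecting free text at all but mapping a short message code to a server-side string). The sample URL, the `FAILURE_MESSAGES` table and the function names are constructed for this example; the `reflects_unescaped` self-check is what a developer or reviewer can run against a render function to confirm a parameter is no longer echoed verbatim.

```python
"""Handling a reflected query parameter on an auth failure page.

Added example: shows the vulnerable pattern (raw interpolation of the
untrusted `message` value) next to two fixes. Not the site's real code.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, shaped like the URL in the post. The
# message value is URL-encoded `<b>oops</b>"` and stands in for any
# attacker-controlled string; it is a placeholder, not a real payload.
SAMPLE_URL = (
    "https://sso.showmax.com/auth/failure"
    "?message=%3Cb%3Eoops%3C%2Fb%3E%22&strategy=ldap"
)


def get_param(url: str, name: str) -> str:
    """Return the first value of a query parameter (decoded), or ''."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_failure_unsafe(message: str) -> str:
    """VULNERABLE: the untrusted value lands in the HTML unchanged,
    so any markup in `message` becomes part of the page."""
    return f"<p class='error'>Login failed: {message}</p>"


def render_failure_escaped(message: str) -> str:
    """Fix 1: escape for an HTML text context before interpolating.
    quote=True also escapes " and ' so the value is safe inside
    attribute values, not only between tags."""
    return f"<p class='error'>Login failed: {html.escape(message, quote=True)}</p>"


# Fix 2 (stronger): do not reflect free text at all. The client may only
# send a short code; the human-readable text lives on the server.
FAILURE_MESSAGES = {
    "invalid_credentials": "Invalid username or password.",
    "account_locked": "Account is locked. Contact support.",
}


def render_failure_allowlist(message_code: str) -> str:
    """Map a message code to a fixed string; unknown codes get a default."""
    text = FAILURE_MESSAGES.get(message_code, "Login failed.")
    return f"<p class='error'>{html.escape(text)}</p>"


def reflects_unescaped(render, probe: str = "<x\"'>") -> bool:
    """Defensive self-check for a render function: feed it a harmless
    probe containing HTML metacharacters and report whether the probe
    comes back verbatim (i.e. unescaped) in the output."""
    return probe in render(probe)


if __name__ == "__main__":
    msg = get_param(SAMPLE_URL, "message")
    print("decoded message param:", msg)
    for name, fn in [
        ("unsafe", render_failure_unsafe),
        ("escaped", render_failure_escaped),
        ("allowlist", render_failure_allowlist),
    ]:
        print(f"{name:9s} reflects unescaped: {reflects_unescaped(fn)}")
        print("   ", fn(msg))
```

Running the block prints `True` only for the unsafe renderer. The allow-list variant is the one to prefer for a page like this: an SSO failure screen has a small, known set of reasons to display, so there is no need to accept arbitrary text from the URL in the first place.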

Takeaways

~ Test every parameter you get

Timeline

May 9, 2017 → Initial report sent on H1
May 9, 2017 → Triaged within 10 minutes
May 9, 2017 → Fixed within 10 minutes
May 9, 2017 → Bounty awarded