Story of my first bounty: XSS

the_unlucky_guy
3 min readNov 23, 2020

Hello everyone,

Today I am going to share how I got my first bounty. This is my first bug bounty write-up so, pardon me for my mistakes. A bit of introduction about me I am vijeta a student and part-time bug bounty hunter. I started bug hunting in November 2019. It’s hard to manage academics and bug hunt both at least for me. So I used to spend some time in learning web security stuff and in remaining hunting for bugs.

In month of November 2019 and December 2019, I got some Valid submissions on some of the point-based programs on Bugcrowd. After 2 months I was a bit frustrated because I haven’t received a bounty yet so, on January 12, 2020, I ping my friend and ask for a reward-based VDP. He suggested me to hunt on DJI. I quickly move to the DJI VDP policy page and read it properly.

In beginning, I don’t know too much about recon so my methodology is simple. I enumerate subdomains for target, filter all live subdomains, and then started looking at each website one by one and dig into it to find low hanging fruits like Open redirect, Session related bug, XSS, etc. So, I simply use virustotal to enumerate all subdomains of *.dji.com. I got a penalty of subdomains. I filter all the live subdomains from it by using the httprobe tool. After exploring some subdomains of dji.com. I picked m.dji.com and there is a search bar so, i put simple XSS payload: <script>alert(1)</script>. XSS payload is reflecting but no pop up for me.

After that i simply put a text test123> in search bar and test123> is reflecting on site without encoding so, i looked for reflection in source code. I notice that test123> is in <h3> header. So i balanced it. My final payload is : “</h3><img src=x onerror=javascript:alert(document.domain)>

Yaay, I got the XSS popup. I was happy but also a fear of duplicate. I quickly submitted the report to them.

After 2 days, I got a reply from the dji security team and the bug is accepted as low risk. Also, they listed my name in the Hall of fame.

Timeline:

January 12, 2020 — Reported

January 14, 2020 — Triaged and fixed within 2 hrs.

February 8, 2020— Bounty of $100 awarded.

I will write more of my findings soon so, stay tuned for my next write-up.

Twitter: 7he_unlucky_guy

--

--