🟩How I Found My First Bug Through Simple Fuzzing

Clicked, fuzzed, and boom—first bug! No $$$ though, it was a VDP

Hey Hackers, This’s mrhashimamin And today I’ll talk about the first bug i found on a Vulnerability Disclosure Program ( VDP ) on bugcrowd ( Let’s call it target.gov ).

What’s Fuzzing ?

In the world of bug hunting, it means sending a bunch of unexpected or random inputs to a web application to see how it reacts. It’s a bit like poking around in the dark and hoping you stumble upon something interesting. And sometimes, you find gold!

How i did it?

One night, a really good night, I decided to dive into bug hunting and get my feet wet instead of just studying. It was time to move beyond the books and put my skills to the test. So, I choosed Bugcrowd as my hunting ground.

After choosing a program, I started with the main subdomain ( it was a really small scope program ). First, I tried hard to find something good like XSS, SQL injection, or bypassing the admin panel, but sadly, I didn’t succeed :(

But what, Did i forget fuzzing?

Yeah i really forgot that. So i tried with ffuf using this awesome SecLists. You can find it here.

So, i simply ran this command:

ffuf -w /SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt -u "https://www.target.gov/FUZZ" -fc 403

Sometime after running this command i got an interesting endpoint: https://www.target.gov/install.php with a status code of 200.

Going to this endpoint, I found myself face to face with a DRUPAL INSTALLATION PAGE, similar to the one below. Continuing with the main installation steps, I successfully changed the site title, effectively creating ( POC ), I promptly started writing my report to them.