Summary
- An information security researcher details their experience of turning a403 Forbidden error into a successful bug bounty.
- The researcher was scanning a test domain when they came across a403 Forbidden error.
- Rather than giving up, they used a set of well-known techniques to attempt to bypass the error, but without success.
- They then used a fuzzing tool which highlighted a hidden directory and an accessible password reset page.
- Exploring this page, the researcher found a hidden parameter in the background code, which led to a critical reflected XSS vulnerability.
- The lesson is that competitors should always look for ways to bypass or negotiate error messages when probing websites or applications.
- This positive attitude and perseverance led the researcher to successfully exploit a critical vulnerability.
By Iski
Original Article