Hyperlink Injection Earned Me $200 within 10 minutes

Amjad Ali
3 min readMay 11, 2023

--

Hey everyone 👋,

My name is Amjad Ali, and I’m a cybersecurity enthusiast. Recently, I found a hyperlink injection vulnerability within 10 minutes of testing and reported it to the Bugcrowd program. Within 6 hours, I received a $200 bounty, 5 points, Hall Of Fame and a P4 rating for my finding.

Since the program only allowed testing on the main domain, so i skipped the reconnaissance process and created an account directly. I tried to upload an SVG file on my profile picture for XSS, but I was unsuccessful and did not try to bypass the file upload.

However, I noticed a Discussions feature on the website where users could write their thoughts about products and discuss them. I noticed that the website did not display hyperlinks when a link was entered in the discussion section. Any link input, such as www.evil.com, would appear as plain text. Then I put a simple HTML payload like <h1>hi</h1>, which also appeared as plain text.

However, when I tried the markdown payload [Click on me to claim 100$ vouchers](https://evil.com), the hyperlink became active.

Initially, I thought that my finding might not be valid and considered it as P5 informational. Therefore, I decided to leave without reporting the issue. After a few hours, I was casually talking to one of my friends, and he asked me if I was doing bug hunting or not. I told him that I had hunted on a Bugcrowd program that day but didn’t find any valid issues. However, I did find a hyperlink injection and shared all the details with him. He advised me to report the issue. After discussing it with my friend, I was encouraged to report the vulnerability, which I did under VRT:- Unvalidated Redirects and Forwards > Open Redirect.

Within five hours, I received an email that my finding was triggered as P4, and I was rewarded with $200 and 5 points.

“I learned that one should never ignore reporting issues and should not get demotivated, rather keep hunting and have patience.”

Thank you for taking the time to read about my experience with Bugcrowd program. I hope my story has inspired you to keep hunting and reporting vulnerabilities, no matter how small they may seem. Remember, every finding counts, and it’s essential to have patience and persistence in this field.

Please feel free to share your thoughts or ask any questions in the comments section. Thank you again, and happy bug hunting!

--

--

Amjad Ali
Amjad Ali

Written by Amjad Ali

Cyber Security Enthusiast 💻 | 18y/o Ethical Hacker ☠️ | CTF Player 🎯 | Bug Hunter 🪲 | Web Developer 🌐

Responses (10)