Quick Win Vulnerabilities
Common bugs that beginners can find and get paid for
What You'll Discover
🎯 Why This Matters
Some vulnerabilities are everywhere if you know where to look. These "quick wins" are accessible to new hunters, pay real bounties, and build your reputation. Focus here first before moving to complex attack chains - you'll learn the applications while earning money.
🔍 What You'll Learn
- IDOR/BOLA - accessing other users' data (and why it happens)
- Open redirects - where they matter and how to demonstrate impact
- Information disclosure - what actually pays bounties
- Subdomain takeover - claiming abandoned resources
- How to chain low-severity bugs into higher impact
🚀 Your First Win
By the end of this chapter, you'll know the vulnerabilities most likely to land you your first bounty - and understand WHY they exist so you can find them consistently.
🔧 Try This Right Now
Test for IDOR on any application (you'll need two test accounts):
# IDOR TEST METHODOLOGY
# Step 1: Create two test accounts on the target
# User A = your main testing account
# User B = your "victim" account (use a different browser/incognito)
# Step 2: As User A, find requests that reference your user
# Look in Burp History for URLs/parameters containing IDs:
GET /api/users/12345/profile # User ID in URL
GET /api/orders?user_id=12345 # User ID in parameter
GET /api/invoices/98765 # Resource ID (invoice belongs to you)
# Step 3: Note User B's ID (check their profile URL while logged in as B)
# Let's say User B's ID is 12346
# Step 4: While logged in as User A, change the ID to User B's
# Original (your data):
GET /api/users/12345/profile
# Modified (attempting to access User B's data):
GET /api/users/12346/profile
# Step 5: Analyze the response
# If you see User B's data → IDOR vulnerability!
# Common response patterns:
# ✓ 200 OK with different user's data = IDOR confirmed
# ✗ 403 Forbidden = Authorization working correctly
# ✗ 404 Not Found = Resource doesn't exist (try valid IDs)
# ? 200 OK with empty/own data = Might be silently failing, test moreSuccess indicator: If you can see User B's data while logged in as User A, you've found an IDOR vulnerability. The severity depends on what data is exposed.
Skills You'll Master
Authorization Testing
Identify when apps fail to verify resource ownership
Impact Assessment
Determine severity based on exposed data and actions
Redirect Exploitation
Demonstrate real-world impact of redirect vulnerabilities
Bug Chaining
Combine low-severity findings into higher impact
IDOR (Insecure Direct Object Reference)
"Your first bounty doesn't need to be a P1. Start with what's findable."
What Is IDOR and Why Does It Exist?
IDOR (Insecure Direct Object Reference) — also called BOLA (Broken Object Level Authorization) in API security — occurs when an application exposes references to internal objects (like database IDs) and fails to verify that the user has permission to access them.
Why it happens: Developers build features like "view my profile" or "download my invoice." The code checks "is the user logged in?" but forgets to check "does this user OWN this resource?" It's an easy mistake:
# VULNERABLE CODE (simplified example)
def get_invoice(request, invoice_id):
# Check: Is user logged in? ✓
if not request.user.is_authenticated:
return "Please log in"
# Missing check: Does this user own this invoice? ✗
invoice = Invoice.objects.get(id=invoice_id)
return invoice.data # Returns ANY invoice to ANY logged-in user
# SECURE CODE (what it should look like)
def get_invoice(request, invoice_id):
if not request.user.is_authenticated:
return "Please log in"
# Check: Does this invoice belong to this user? ✓
invoice = Invoice.objects.get(id=invoice_id, owner=request.user)
return invoice.data # Only returns user's own invoicesWhy it's so common: Authorization logic has to be implemented for every endpoint. Miss one, and you have an IDOR. In large applications with hundreds of endpoints, developers inevitably miss some. IDOR is consistently in the OWASP Top 10 because it's easy to create and easy to find.
Where to Look for IDOR
# HIGH-VALUE IDOR TARGETS (sensitive data = higher severity)
User Data:
/api/users/{id}/profile # PII: names, emails, addresses
/api/users/{id}/settings # Email, password reset, 2FA settings
/api/users/{id}/notifications # Private communications
Financial Data:
/api/invoices/{id} # Payment details, purchase history
/api/transactions/{id} # Banking information
/api/orders/{id} # Order details, shipping addresses
Documents:
/api/documents/{id} # Could be anything - contracts, medical records
/api/attachments/{id} # File uploads
/download?file_id={id} # Document downloads
Communication:
/api/messages/{id} # Private messages
/api/conversations/{id} # Chat histories
/api/support-tickets/{id} # Support interactions
# ID FORMATS TO TEST
Sequential integers: 1234, 1235, 1236 (easiest to guess)
UUIDs: 550e8400-e29b-41d4-a716-446655440000 (harder but still vulnerable if leaked)
Encoded IDs: Base64 encoded integers (decode, increment, re-encode)
Hash-based IDs: Sometimes predictable (MD5 of email, etc.)IDOR Severity Matrix
Critical (P1)
Write/Delete on any user's account. Modify other users' passwords, delete their data, change their permissions.
High (P2)
Read sensitive PII. Access financial data, medical records, private communications, SSNs.
Medium (P3)
Read non-sensitive data. Access public profiles, usernames, non-private settings.
Low (P4)
Minimal impact. Access to already-public information or non-sensitive metadata.
Open Redirect
What Is It and Why Does It Matter?
Open Redirect — An application accepts a user-controlled URL and redirects to it without validation. By itself, this seems harmless, but it enables real attacks:
- Phishing: Send victims to
trusted-bank.com/login?redirect=evil-site.com. They see the trusted domain, click, and land on a fake login page that steals credentials. - OAuth Token Theft: If the redirect happens during OAuth login, attackers can steal authentication tokens by redirecting to their server.
- Bypassing Security Controls: Some security tools whitelist the trusted domain but don't validate redirect parameters.
Why programs accept it: Not all programs pay for open redirects. Many require demonstrated impact (chained with OAuth theft, used in actual phishing scenario). Always check the program's policy - some explicitly exclude "unvalidated redirects" without chaining.
Finding and Testing Open Redirects
# COMMON PARAMETERS TO CHECK
?url=
?redirect=
?next=
?return=
?returnTo=
?returnUrl=
?goto=
?destination=
?continue=
?forward=
?target=
?rurl=
?redirect_uri= # OAuth - high value!
# TESTING METHODOLOGY
# 1. Find a redirect parameter
https://<target>/login?next=/dashboard
# 2. Try external domain
https://<target>/login?next=https://attacker.com
# If it redirects to attacker.com → open redirect!
# 3. If blocked, try bypass techniques
//attacker.com # Protocol-relative URL
/\attacker.com # Backslash confusion
https://attacker.com#.target.com # Fragment confusion
https://target.com.attacker.com # Subdomain of attacker
https://attacker.com?.target.com # Query string confusion
https://target.com@attacker.com # Credential confusion
/redirect?url=//attacker.com # Double encoding
%2F%2Fattacker.com # URL encoded
https:attacker.com # Missing slashes
///attacker.com # Triple slashes
# 4. For OAuth redirects (high value)
# Check the redirect_uri parameter in OAuth flow
# If you can control where tokens are sent → account takeover potentialImpact demonstration tip: Many programs reject open redirects without proof of impact. In your report, explain the specific attack: "An attacker could use this redirect to steal OAuth tokens during the login flow, leading to account takeover." Or demonstrate a phishing scenario with screenshots.
Information Disclosure
What Pays vs What Doesn't
Not all information disclosure is created equal. Programs care about information that can be used for further attacks or directly harms users:
Pays Well (High Impact):
- API keys with write access — AWS keys, Stripe keys, cloud credentials
- Database credentials — Even if you can't connect, exposure is critical
- User PII — Leaked user emails, addresses, phone numbers
- Source code — Especially if it contains hardcoded secrets
- Internal authentication tokens — JWT secrets, session signing keys
May Pay (Medium Impact):
- Internal IP addresses — Useful for further attacks
- Debug endpoints — If they expose sensitive data
- Stack traces with sensitive paths — Reveal internal structure
Usually Doesn't Pay (Low/No Impact):
- Software version numbers alone (without known vulnerabilities)
- Generic error messages
- Email addresses that are already public
- "You're using nginx" without any security impact
Where to Find Information Disclosure
# COMMON SENSITIVE PATHS TO CHECK
# Configuration files
/.env # Environment variables (often contains API keys!)
/config.json
/config.yml
/settings.py # Django settings
/wp-config.php # WordPress (often blocked but try)
# Version control exposure
/.git/config # If accessible, whole repo may be downloadable
/.git/HEAD
/.svn/entries
# Debug and admin endpoints
/debug
/trace
/actuator # Spring Boot - goldmine of info
/actuator/env
/actuator/heapdump
/_debug_toolbar/
/phpinfo.php
/server-status # Apache status page
/nginx_status
# API documentation (may require auth but often public)
/api/swagger.json
/api/swagger-ui.html
/swagger/
/api-docs
/graphql # GraphQL introspection
# Backup and temporary files
/backup.sql
/database.sql
/*.bak
/*.old
/*.tmp
/backup/
# SEARCHING JAVASCRIPT FILES FOR SECRETS
# Download all JS files and search for sensitive strings:
# In browser dev tools → Sources → Search (Ctrl+Shift+F)
Search for:
api_key
apikey
secret
password
token
private_key
AWS
sk_live # Stripe live key
sk_test # Stripe test key
AKIA # AWS access key prefix
ghp_ # GitHub personal access token
bearer
# Pro tip: Use tools like truffleHog or gitleaks on downloaded JS bundlesSubdomain Takeover
How Subdomain Takeover Works
Subdomain takeover happens when:
- A company sets up blog.company.com pointing to Heroku, GitHub Pages, or similar
- They stop using the service and delete the app, but forget to remove the DNS record
- The subdomain still points to the service, but no one has claimed that resource
- An attacker creates an account on the service and claims that resource name
- Now the attacker controls content on blog.company.com!
Impact: Attackers can serve phishing pages, steal cookies (if subdomain is trusted by parent domain), host malware, and damage reputation - all appearing to come from the legitimate company.
Detection and Verification
# INDICATORS OF VULNERABLE SUBDOMAINS
# GitHub Pages
"There isn't a GitHub Pages site here."
# Heroku
"No such app"
"Heroku | No such app"
# AWS S3
"NoSuchBucket"
"The specified bucket does not exist"
# Azure
"404 Web Site not found"
# Shopify
"Sorry, this shop is currently unavailable."
# Tumblr
"There's nothing here."
"Whatever you were looking for doesn't currently exist at this address."
# Zendesk
"Help Center Closed"
# AUTOMATED DETECTION
# Using Nuclei (most efficient)
nuclei -t takeovers/ -l subdomains.txt
# This runs all subdomain takeover templates against your list
# Using subjack
subjack -w subdomains.txt -t 100 -timeout 30
# IMPORTANT: DO NOT actually take over subdomains!
# Just report the vulnerability with evidence that it's vulnerable
# Taking control of a subdomain you don't own is unauthorized access
# Evidence to include in report:
# 1. Screenshot of error message
# 2. DNS records showing the configuration
# 3. Explanation of which service is affected
# 4. Proof that the resource is unregistered (if possible to check)Real Bounty Examples
🏆 $500 for IDOR on Invoice Endpoint
The hunter noticed URLs like /api/invoices/12345 when downloading their own invoice. They changed the ID to 12346 and received a different customer's invoice - complete with name, address, and purchase history.
Technique: Changed one number in the URL. Required two test accounts and 5 minutes of testing. The vulnerability was trivial to find but had real impact on customer privacy.
🏆 $300 for Exposed Stripe API Key
Searching through JavaScript bundles, the hunter found a Stripe API key starting with sk_live_. The key had write permissions - an attacker could have created fraudulent charges or accessed customer payment data.
Technique: Browser dev tools → Sources → Search for "sk_live". The key was hardcoded in a webpack bundle. Took 10 minutes to find.
🏆 $1,000 for Open Redirect in OAuth Flow
The OAuth login had a redirect_uri parameter that accepted any URL. The hunter demonstrated that an attacker could craft a link that, after successful login, would redirect the user (and their authentication token) to an attacker-controlled server.
Technique: Identified OAuth flow, tested redirect_uri parameter with external domain. The chain from open redirect → token theft → account takeover elevated this from P4 to P2.
Frequently Asked Questions
These seem too straightforward. Do they really pay?
Yes. IDOR is consistently the #1 API vulnerability because it's everywhere. Developers have to implement authorization checks for every endpoint - miss one and you have an IDOR. Straightforward bugs with real impact pay real money. Don't overcomplicate your approach - start by looking for obvious issues. As you gain experience, you'll develop an eye for more subtle variations.
What if I can only find low-severity bugs?
Low severity bugs still pay, still build your reputation, and teach you how the application works. Many hunters chain multiple low-severity bugs to create higher impact. An open redirect alone might be P4, but chain it with OAuth token theft and it becomes P2. Finding P4s is how you learn to find P1s.
How do I know if an IDOR is in scope?
Use two accounts you control - never access data belonging to real users. Your test should be: "Can Account A access Account B's data?" where both accounts are yours. If you find an IDOR, report it immediately. Don't enumerate other users' data or download anything beyond what's needed to prove the bug exists.
My open redirect report was closed as "informational." Why?
Many programs don't pay for open redirects without demonstrated impact. In your report, explain the attack scenario: phishing, OAuth token theft, or bypassing security controls. If it's used in an OAuth flow, emphasize the token theft potential. Some programs still won't accept it - check their policy before investing time.
🎯 You Know the Quick Wins!
IDOR, open redirects, information disclosure, subdomain takeover - you now understand not only how to find these vulnerabilities but WHY they exist. This deeper understanding will help you find them consistently.
Ready to write winning reports →