search

Bug Bounty Report Writing

hashtag
Step 1: Craft a Descriptive Title

hashtag
Wrong Example

"IDOR on a Critical Endpoint"

hashtag
Correct Example

"IDOR on https://example.com/change_password Leads to Account Takeover for All Users"

hashtag
Step 2: Provide a Clear Summary

hashtag
Correct Example

The https://example.com/change_password endpoint takes two POST body parameters: user_id and new_password. A POST request to this endpoint would change the password of user user_id to new_password. This endpoint is not validating the user_id parameter, and as a result, any user can change anyone else's password by manipulating the user_id parameter.

hashtag
Step 3: Include a Severity Assessment

Evaluate severity based on CVSS:

  • Low severity: open redirect only for phishing

  • Medium severity: CSRF on password change

  • High severity: open redirect for OAuth

  • Critical severity: SQL injection leading to RCE

hashtag
Step 4: Give Clear Steps to Reproduce

hashtag
Wrong Example

  1. Log in to the site and visit https://example.com/change_password.

  2. Click the Change Password button.

  3. Intercept the request, and change the user_id parameter to another user's ID.

hashtag
Correct Example

  1. Make two accounts on example.com: account A and account B.

  2. Log in to example.com as account A, and visit https://example.com/change_password.

  3. Fill in the desired new password in the New Password field, located at the top left of the page.

  4. Click the Change Password button located at the top right of the page.

  5. Intercept the POST request to https://example.com/change_password** and change theuser_id` POST parameter to the user ID of account B.

  6. You can now log in to account B by using the new password you've chose.

hashtag
Step 5: Provide a Proof of Concept

Include a video, screenshots, or photos documenting your exploit. If there is a payload involved, include the payload as well.

hashtag
Step 6: Describe the Impact and Attack Scenarios

hashtag
Correct Example

Using this vulnerability, all that an attacker needs in order to change a user's password is their user_id. Since each user's public profile page lists the account's user_id, anyone can visit any user's profile, find out their user_id, and change their password. And because user_ids are simply sequential numbers, a hacker can even enumerate all the user_ids and change the passwords of all users! This bug will let attackers take over anyone's account with minimal effort.

hashtag
Step 7: Recommend Possible Mitigations

hashtag
Correct Example

The application should validate the user's user_id parameter within the change password request to ensure that the user is authorized to make account modifications. Unauthorized requests should be rejected and logged by the application.

hashtag
Step 8: Validate the Report

Double check that everything is correct.

hashtag
Tips

  • Don't assume anything

  • Be clear and concise

  • Write what you want to read

  • Be professional

hashtag
Reference

LogoBug Bounty Bootcampnostarchchevron-right
Bug Bounty Bootcamp - Vickie Li
PreviousServerNextFile Upload

Last updated