Bug Bounty Report Writing
Step 1: Craft a Descriptive Title
Wrong Example
"IDOR on a Critical Endpoint"
Correct Example
"IDOR on https://example.com/change_password Leads to Account Takeover for All Users"
Step 2: Provide a Clear Summary
Correct Example
The https://example.com/change_password endpoint takes two POST body parameters: user_id and new_password. A POST request to this endpoint would change the password of user user_id to new_password. This endpoint is not validating the user_id parameter, and as a result, any user can change anyone else's password by manipulating the user_id parameter.
Step 3: Include a Severity Assessment
Evaluate severity based on CVSS:
Low severity: open redirect only for phishing
Medium severity: CSRF on password change
High severity: open redirect for OAuth
Critical severity: SQL injection leading to RCE
Step 4: Give Clear Steps to Reproduce
Wrong Example
Log in to the site and visit https://example.com/change_password.
Click the Change Password button.
Intercept the request, and change the user_id parameter to another user's ID.
Correct Example
Make two accounts on example.com: account A and account B.
Log in to example.com as account A, and visit https://example.com/change_password.
Fill in the desired new password in the New Password field, located at the top left of the page.
Click the Change Password button located at the top right of the page.
Intercept the POST request to https://example.com/change_password and change the user_id POST parameter to the user ID of account B.
You can now log in to account B by using the new password you've chosen.
Step 5: Provide a Proof of Concept
Include a video, screenshots, or photos documenting your exploit. If there is a payload involved, include the payload as well.
Step 6: Describe the Impact and Attack Scenarios
Correct Example
Using this vulnerability, all that an attacker needs in order to change a user's password is their user_id. Since each user's public profile page lists the account's user_id, anyone can visit any user's profile, find out their user_id, and change their password. And because user_ids are simply sequential numbers, a hacker can even enumerate all the user_ids and change the passwords of all users! This bug will let attackers take over anyone's account with minimal effort.
Step 7: Recommend Possible Mitigations
Correct Example
The application should validate the user's user_id parameter within the change password request to ensure that the user is authorized to make account modifications. Unauthorized requests should be rejected and logged by the application.
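The change_password handler described in this report, as an added example that is not part of the original page: a minimal in-memory model of the endpoint with the missing user_id authorization check beside the corrected version that rejects and logs the request. The user store, Session and Response types and the reproduce helper are constructed here for illustration.

```python
import copy
import logging
from dataclasses import dataclass

# Constructed sample data: account A (user_id 1) and account B (user_id 2).
USERS = {1: {"name": "account_A", "password": "old-A"},
         2: {"name": "account_B", "password": "old-B"}}

@dataclass
class Session:
    user_id: int  # the authenticated caller, established at login

@dataclass
class Response:
    status: int
    body: str

log = logging.getLogger("change_password")

def fresh_users():
    """Return an independent copy of the sample user store."""
    return copy.deepcopy(USERS)

def change_password_vulnerable(session, form, users, audit=None):
    """Before the fix: trusts the client-supplied user_id (the IDOR)."""
    target = int(form["user_id"])
    if target not in users:
        return Response(404, "no such user")
    users[target]["password"] = form["new_password"]
    return Response(200, "password changed")

def change_password_fixed(session, form, users, audit=None):
    """After the fix: user_id must match the logged-in session user."""
    target = int(form["user_id"])
    if target != session.user_id:
        # Reject and log, as the mitigation above recommends.
        msg = f"unauthorized change_password: session={session.user_id} target={target}"
        log.warning(msg)
        if audit is not None:
            audit.append(msg)
        return Response(403, "forbidden")
    if target not in users:
        return Response(404, "no such user")
    users[target]["password"] = form["new_password"]
    return Response(200, "password changed")

def reproduce(handler):
    """Replays the Step 4 flow: account A submits account B's user_id.
    Returns (status, B's stored password afterwards, audit entries)."""
    users, audit = fresh_users(), []
    resp = handler(Session(user_id=1), {"user_id": "2", "new_password": "chosen-by-A"}, users, audit)
    return resp.status, users[2]["password"], audit
```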
Step 8: Validate the Report
Double check that everything is correct.
Tips
Don't assume anything
Be clear and concise
Write what you want to read
Be professional