Not everyone who reports to Google Cloud VRP does a writeup, but critical bugs still show up in CVEs and release notes
Made a tool that aggregates both so you can see the types of bugs getting found in GCP
https://t.co/S8C6q67r2N
“Bug bounty is dying” is noise.
Lock in. Make money. Use AI to 10x your output. If it eventually dries up, you’ll have enough capital to start that biz or enough experience to land a job.
Simple as that.
Made approx 50k this month using both manual and AI
from @Hacker0x01 and @Bugcrowd this month
https://t.co/feI2UlQp6M
https://t.co/svZeVKDxg8
#BugBounty
GCP VRP Secrets? 🤫 Hear from the program leads! Michael Cote (https://t.co/VjIdRHlest) & Darby Hopkins (https://t.co/o2KlsXJaIP) join @ctbbpodcast to talk shop: killer report tips, program insights & boosting your bounty game on Google Cloud.
🎧 https://t.co/zvNKm7N2mm
#GoogleVRP #BugBounty #CloudSecurity #GCP
Our Google Cloud VRP researchers don't miss! 🔥 Check out @terminatorLM's latest Looker research uncovering 9 novel cross-tenant vulns in Looker.
See how it was done: 👇
I made close to $10,000 from bug bounties this month. I'm 19. Still in engineering school.
Here's what I didn't show you.
I found a Critical RCE — Remote Code Execution via path traversal on a company's server. The kind of bug that pays $5,000-$20,000.
Duplicate. Someone found it 12 days before me.
$0.
Same work. Same skill. Same report. Wrong timing.
That's one of dozens. For every bounty I post, there are 15+ reports that got:
→ Duplicated
→ Marked informative
→ Ignored for months
→ Closed as "not applicable"
→ Lowballed after months of follow-ups
But you know what I do when that happens?
I wake up. No emotion. No hate. I open Burp Suite. Next target. Next report.
Because if I don't, someone else will. Every day I take off is a day someone else dupes me on the next find. So I show up. Even when I don't feel like it. Even when it hurts.
Bug bounty is not "find bug, get paid." It's find 50 bugs, fight for 6, get duped on some of your best work, get ghosted on others, and still show up the next morning.
The $10K months are real. But behind every mountain is a hundred steps nobody sees.
If you're starting out and getting duped and rejected — that IS the path. You're not doing it wrong. You're doing it.
Keep going.
Want to see what top-notch security research looks like?
Look no further than @j_domeracki's latest research, a standout contributor to the Google Cloud VRP! 🪲💪
https://t.co/lEsYWZuQMf
Want to see what elite security research looks like? 🌟 @omer_asfu, one of Google Cloud VRP's best, dropped a cross-tenant finding: CVE-2025-13292 (https://t.co/79YhC1kJst)
@GoogleVRP @omer_asfu It is really nice that the VRP team reposts these kinds of writeups. So many great research findings go under the radar, and this helps everyone in the community learn and get better. Fantastic work, @omer_asfu
Day TWO of FIVE days of celebrating our 2 year ARCANUM-VERSARY! @arcanuminfosec
3rd Giveaway = FOUR seats to our new course by @the_IDORminator "Zero to [BAC] Hero" !
👍 1 Like = 1 Entry!
♻️ 1 Share = 2 Entries!
Winners announced 1/21! Syllabus link below 👇
New to hacking? Curious how to break things? 🕵️♂️✨
Google CTF Beginner's Quest 2025 is LIVE! 🚀
Tackle challenges crafted to get you started. Sign up, join the fun, and secure your spot on the leaderboard! 🏆
👇
https://t.co/dBiEIG8lIb
Interested in the security of AI Agents 💁🛡️?
Then you've likely heard of "prompt injection", but do you know what "task injection" is? If you're curious, check out our latest post for a description and some real-world examples we discovered.
https://t.co/pWdDGX6M0W https://t.co/P8ndgCXtH1
Check out my work history... I started with a lawn mower and working at an ice cream shop.
High School Jobs:
-Mowing Lawns ($10-$20/yard)
-Printing Vinyl at a Sign Shop ($5/hr)
-Ice cream Shop ($6/hr)
-Video Rental Store ($6.50/hr)
-Retail Electronics Sales ($8.25/hr)
Jobs while in College:
-Retail PC Repair Shop ($10.25/hr)
-Private PC Repair Shop(s) ($14/hr)
-Video store manager ($15/hr)
-County Mapping Department (unpaid intern)
-Research Institute (unpaid intern)
-Surveying Company (unpaid intern)
Post-graduate Jobs:
-GIS Analyst ($17/hr)
-Web Developer ($21/hr)
-Nuclear Power Plant Operator ($33/hr)
-Satellite Imagery Analyst ($35/hr)
-GIS Administrator ($43/hr)
-Penetration Testing Roles ($50 to $150/hr)
-Part-time Hacker ($500 to $1000+/hr)
I do have a B.S. and M.S. in geographic information systems, but they had zero impact on the thing I ultimately ended up being good at and that paid the best. Back then, you had to have a college degree. I don't think they matter now. Not much. Hacking is a trade skill.
When I think about targets now, if I'm going to hack in a given week, I start by saying... OK... what does this target pay for a critical, and is that high enough? Does it seem like a good program, with a good reputation, and is there enough scope open to where the bounty program doesn't seem like a gimmick for marketing purposes only? Then I say, this is how much time I have to hack this week, do I think I can find at least one critical bug in that time period? (maybe that's 10 hours) If I'm leaning towards yes, I dive in. If I get bad vibes after one report, I dive back out. Peace, moving on.
If we look at T-Mobile, paying $35K or $55K for some bugs, the last two $35K bugs I managed to get rewarded for (the last time I hacked, which was October) represented about an hour of testing each. I think the reports took longer to write than the bugs did to find. But that was because I already knew the target and I had spent a lot of time on it. It was just a matter of coming back at an already known target with a completely different mindset. I talk about this in the upcoming course. (not the exact bugs of course, but this idea of committing to a program/target and how to think)
Let's talk manual testing for IDORs. I have pasted a payload from a redacted T-Mobile API below. It does not have a bug (that I am aware of) on it; I want to use this for educational purposes because it's a great teaching opportunity.
A: This is a URI path parameter representing an organization ID. You need to tinker with this.
B: The request does not ask for URI parameters, but what if you give it some anyway and something changes?
C: Changing things like usernames or ID values in cookies can result in behavioral changes.
D: Play with the Authorization Bearer token. Does it check signature? Can you change data in it and it still works? If so... very bad. Is it even using the token, or does it use a cookie instead?
E: It's saying this is "upgrade-app". What does that mean? What are other values? What does changing it do?
F: This is the organization ID. It's the same as in the URI path. If you change both at the same time, does it work? If you change one but not the other, does it work? Are they checked against each other?
G: What does this header mean? It has a JWT format in it? Tinker.
H: The API type is declared. Can it be changed? If so, can we alter the backend destination? Hrmm.
I: Why is my email address in a header? Can I change it to someone else's? Does it check it?
J: IDP type, interesting. What are the other values it accepts?
K: You get the idea by now, the app name needs to be tinkered with. What does it do?
L: Oh look, my user ID. I wonder if it's validated against the organization in the URI or header, or payload body?
M: My user ID again. What happens if I change M but not L, or L but not M, or change both, or leave both, or one blank, or null?
N: Account number. Is this validated against org, user, neither, both?
O: OrgID again, also in F and A. 3 places. Are all 3 checked? Is only 1 checked? Are any checked? Why is life so hard?
If you take nothing else away from this, understand the complexity in possible combinations/permutations of potential testing for a SINGLE POST on a SINGLE API end point. This is the way.
Oh, yea, and you have to check every single one for SQLi, SSRF, and code execution. Duh. 🤣
#hacking #bugbounty #infosec
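A server-side counterpart to the questions in the post above: the post asks whether the org ID repeated in path, header and body (A, F, O), the user ID repeated in header and body (L, M) and the account number (N) are actually reconciled with each other and with the authenticated session. The following is an added example written for this page, not code from the post's author or from T-Mobile; the field names (`x-org-id`, `x-user-id`, `orgId`, `userId`, `accountNumber`), the user/org/account tables and the `Request` shape are constructed stand-ins for the redacted payload.

```python
"""Consistency check for identifiers that a client repeats in several places
of one request (path, headers, body).  Added example for this page; all
field names and lookup tables are constructed, not taken from a real API."""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Constructed authorization data.  A real service reads these from the
# session store / directory, never from anything the client sent.
USER_ORG = {"u-100": "org-1", "u-200": "org-1", "u-300": "org-2"}
USER_ACCOUNTS = {"u-100": {"acct-1"}, "u-200": {"acct-2"}, "u-300": {"acct-3"}}


@dataclass
class Request:
    """The parts of an inbound request that carry identifiers (constructed shape)."""
    session_user: str                  # taken from the verified bearer token, not a field
    path_org: Optional[str]            # A / O in the post: org ID in the URI path
    headers: Dict[str, Any] = field(default_factory=dict)
    body: Dict[str, Any] = field(default_factory=dict)


class Denied(Exception):
    """Raised for any mismatch; the caller maps it to 403."""


def _same(*values: Any) -> bool:
    """True only if every copy is present, a non-empty string, and identical.
    None, '' and non-strings (e.g. a JSON null) all fail the check."""
    if any(not isinstance(v, str) or v == "" for v in values):
        return False
    return len(set(values)) == 1


def authorize(req: Request) -> str:
    """Return the account the caller may act on, or raise Denied.

    Every identifier the client repeats is cross-checked, and the surviving
    copy is then compared against the server's own view of the session, so
    changing one copy, or blanking / nulling it, never widens access."""
    # Org ID appears in path, header and body (A, F, O): all three must agree.
    if not _same(req.path_org, req.headers.get("x-org-id"), req.body.get("orgId")):
        raise Denied("org id mismatch or missing")
    org = req.path_org
    # User ID appears in header and body (L, M): both must agree...
    if not _same(req.headers.get("x-user-id"), req.body.get("userId")):
        raise Denied("user id mismatch or missing")
    # ...and must be the user the server already knows from the token.
    if req.body["userId"] != req.session_user:
        raise Denied("user id does not match session")
    # The (now trusted) user must actually belong to the org in the request.
    if USER_ORG.get(req.session_user) != org:
        raise Denied("user not in org")
    # The e-mail header (I) is deliberately ignored: it is not an input to authz.
    # The account number (N) must be one the session user owns.
    account = req.body.get("accountNumber")
    if account not in USER_ACCOUNTS.get(req.session_user, set()):
        raise Denied("account not owned by user")
    return account


def is_allowed(req: Request) -> bool:
    """Convenience wrapper: True if authorize() accepts the request."""
    try:
        authorize(req)
        return True
    except Denied:
        return False


if __name__ == "__main__":
    good = Request("u-100", "org-1",
                   {"x-org-id": "org-1", "x-user-id": "u-100"},
                   {"orgId": "org-1", "userId": "u-100", "accountNumber": "acct-1"})
    print("baseline:", is_allowed(good))                       # True
    # Same session, only the body copy of the org ID changed (F but not A/O).
    tampered = Request("u-100", "org-1",
                       {"x-org-id": "org-1", "x-user-id": "u-100"},
                       {"orgId": "org-2", "userId": "u-100", "accountNumber": "acct-1"})
    print("body org changed:", is_allowed(tampered))           # False
```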
Let's do interactive #bugbounty learning. Path-based IDORs. Fun!
You visit a webpage with your browser, which should be Firefox, at https://www[.]place[.]com/user/12345.
The webpage forces a client request to
https://api[.]place[.]com/api/v3/users/12345
This request responds with JSON about that user, to populate into your Firefox web browser. It's sensitive PII.
Let me break down my thought process here.
1] The first thing I do with this, in less than 5 seconds, is try the number 12344 in the path. Iterate a bit, make sure you get 401/403s back. If not, you probably are looking at someone else's PII. Yay, GG.
2] I try to change the path to /v1/, /v2/, /v4/. Remove it entirely too. Sometimes different API versions are less secure. Those still in development, older ones, etc.
3] Then I run parameters at the end like ../api/v3/users/12345?userId=12344.
I try every parameter from the JSON response(s). Did the response change? If it changed, the parameter did something. Investigate. (Intruder here)
4] I search JS files for "/api/v3/users" or keywords in the path to find where and how the API path was built, or where there may be other API paths. This is usually in the JS. Sometimes there are deprecated, hidden, or admin APIs laying there. Then I try all of those. Pivot pivot pivot.
5] I usually try appending ?, /, #, and/or URL encoded versions of each of these to the end of the API path. Sometimes that results in a bypass. One time I bypassed the security on thousands of APIs using a trailing slash due to ... well... bad code. This trick also works well when the mitigation was a WAF block.
6] Traverse backwards down the API. Check /api/v3/users/, /api/v3/, /api/, -- fuzz for obvious swagger or API schema paths. Add extra slashes, it looks cool. ///api//v3//users///// . Who knows right?
7] Throw a single quote in there, /12345'. Did it blow up? Add another quote in there, /12345'' - did it un-blow up? Might be SQLi. Don't try XSS, XSS is stupid.
8] Fuzz the words "users". What else could be there?
9] Sometimes APIs reserve keywords, like "ALL". Try things like /users/all instead of /users/12345. Run the US Webster's Dictionary through that path. Watch case sensitivity; if it uses lower, it's probably always lower. So don't send uppercase stuff to a lowercase API.
10] If none of this worked, I'm probably on another API at this point. Less than 10 minutes gone.
What else would you do?
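Defender's view of steps 1, 3, 5, 6 and 9 above: the trailing-slash, doubled-slash, `../`, query/fragment and percent-encoding bypasses work when the authorization check compares the raw path string while the router is more tolerant, so the two disagree about which resource is being requested. This added example (written for this page, not the post's author's code; the route, user table, supported-version list and access-log lines are all constructed) canonicalizes the path once, runs both routing and the ownership check on that single form, refuses unknown API versions instead of falling through to an older handler, and flags clients that collect 403s across many distinct user IDs, the pattern that step 1's iteration produces in the logs.

```python
"""Path canonicalisation before authorization for /api/v3/users/{id}, plus a
small log check for ID enumeration.  Added example for this page; the route,
user data, version list and log lines are constructed."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed data store: user id -> PII record.
USERS: Dict[str, Dict[str, str]] = {"12345": {"name": "Alice"}, "12344": {"name": "Bob"}}
SUPPORTED_VERSIONS = {"v3"}
USER_ROUTE = re.compile(r"^/api/(v\d+)/users/([0-9]+)$")


def canonical_path(raw: str) -> str:
    """Reduce the many spellings of one path to a single form.

    Routing and authorization both run on this form, so '/users/12345/',
    '//api//v3//users///12345', '/users/12345?x=1', '/users/12345#',
    '../api/v3/users/12345' and '%2F'-encoded separators all resolve to the
    same route instead of slipping past a literal string comparison."""
    path = raw.split("#", 1)[0].split("?", 1)[0]   # drop fragment and query
    for _ in range(3):                              # undo nested encoding (%252F)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)                 # collapse '//' runs
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def handle(raw_path: str, session_user: str) -> Tuple[int, Optional[Dict[str, str]]]:
    """Route and authorize one request; returns (status, body)."""
    path = canonical_path(raw_path)
    m = USER_ROUTE.match(path)
    if not m:
        return 404, None                      # /users/all, /users/12345' etc. never reach data
    version, user_id = m.groups()
    if version not in SUPPORTED_VERSIONS:
        return 404, None                      # no fallback to an older, laxer handler
    # Object-level authorization: the id in the path must be the caller's own,
    # checked before any lookup so the response does not reveal whether the id exists.
    if user_id != session_user:
        return 403, None
    record = USERS.get(user_id)
    return (200, record) if record else (404, None)


# Constructed access-log format: "<client> <method> <raw path> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def flag_enumeration(log_lines: Iterable[str], threshold: int = 5) -> Set[str]:
    """Clients that were refused (403) on at least `threshold` distinct user ids.
    Paths are canonicalised first so slash/encoding variants count as one id."""
    refused: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, _method, raw_path, status = m.groups()
        if status != "403":
            continue
        r = USER_ROUTE.match(canonical_path(raw_path))
        if r:
            refused.setdefault(client, set()).add(r.group(2))
    return {c for c, ids in refused.items() if len(ids) >= threshold}


# Constructed sample log: one client walks neighbouring ids with path variants.
SAMPLE_LOG = [
    "10.0.0.7 GET /api/v3/users/12345 200",
    "10.0.0.9 GET /api/v3/users/12344 403",
    "10.0.0.9 GET /api/v3/users/12343/ 403",
    "10.0.0.9 GET //api//v3//users//12342 403",
    "10.0.0.9 GET /api/v3/users/12341?x=1 403",
    "10.0.0.9 GET /api/v3/users/12340%2F 403",
    "10.0.0.7 GET /api/v3/users/12300 403",
]

if __name__ == "__main__":
    for p in ("/api/v3/users/12345", "/api/v3/users/12344/", "//api//v3//users///12344",
              "/api/v3/users%2F12344", "/api/v1/users/12344", "/api/v3/users/all"):
        print(p, "->", handle(p, "12345")[0])
    print("enumerating clients:", flag_enumeration(SAMPLE_LOG))   # {'10.0.0.9'}
```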
I opened this profile as a means to keep communications open (in the event anyone finds it). After 1709 total bugs logged on just @Bugcrowd, I'm generally retiring from the bug bounty scene. Feel free to drop me a DM here if you ever need a manual penetration test, or want real world advice on bug bounty that you probably won't get from AI.
The #bugbounty field can be very rewarding, if you manage to mentally survive it long enough to find financial freedom. Given that ~65%+ of my bugs logged were IDORs, as something of a tribute and meme, I have been reborn - "the IDORminator".
From generating live $1-million dollar VISA cards with the payload {"points"=-1000000}, to dumping countless SSNs with super complex attacks like id=123 -- it's been a wild ride.
May the 12345 be with you!
--"ZwinK" (the IDORminator) 😜
After seeing an INCREDIBLE response at Wild West Hacking Fest for our new recon preso, we decided to do a FREE 4-hour workshop!
Join us Dec 8th!
https://t.co/nII2OU2DTV