"In the name of Allah, praise be to Allah, and peace and blessings be upon the Messenger of Allah. O Allah, teach us what benefits us, benefit us by what You have taught us, and increase us in knowledge."
Hey hackers, I'm Ahmed, and I hope everything is going well. This is my first write-up, so please forgive me if I make any mistakes.
In this write-up, I'll talk about how I discovered my first three bugs in a public program on Bugcrowd.
Let's assume the target is target.com. It's an online learning platform that mimics a classroom environment — allowing teachers to create virtual classes, add students, assign activities, and conduct tests or quizzes.
I quickly signed up and created two test accounts:
Account[1]: teacher
Account[2]: student
After verifying both accounts, I started testing basic stuff like email change, password reset, profile edits, etc.
But nothing interesting came up.
Bug #1 — IDOR on User Information
While exploring the platform, I noticed that I could change my avatar. So I thought: "What if I try to change another user's avatar?"
I opened Burp Suite, intercepted the request when changing the avatar, and saw this:
PUT /webapi/target/users/[user-id]
I tried changing the user-id to another user's ID, but got this response:
{
  "error": {
    "message": "Sorry, you don't have permission to access this",
    "code": 403
  }
}
Expected.
But then I changed the request method from PUT to GET, sent the request again — and BOOM!
I received full profile information about the other user (IDOR).

I quickly wrote the report and submitted it. (You know the feeling when you find your first bug — it's unreal.) It's something like
Bug #2 — Privilege Escalation in Class Management
After finishing student testing, I logged into the teacher account and started creating a new class.
I invited the student account and tried escalating privileges directly from student to admin.
But no luck.
So I used the teacher account to promote the student to admin.
Then, while browsing as the student, I noticed something strange: the student could remove the teacher from the class!
This meant any teacher could be kicked out of their own class — a clear privilege escalation issue. I wrote and submitted the second report.
Bug #3 — Accessing Private Activities Without Invite Link
Then I tested other functions, but I didn't find anything.
At this point, I thought: "Well, this program looks secure. Maybe it's time to try another one."
But then another voice inside me said:
"You're just testing what every hacker already tested. If you always do that, you'll never find real bugs."
So I decided to go deeper. I started learning how the program works — watching YouTube tutorials.
Eventually, I noticed that teachers could create activities and share them with students via a link and a code (like a password).
I created an activity and copied the link. Then I joined the activity using the student account.

When I joined the activity, I noticed the URL was
https://target.com/4561245/learn
So I quickly changed the ID to
https://target.com/4561244/learn
And guess what?
The activity loaded — without needing the link or the code! I could access, solve, and even share activities that I was never invited to.
That was my third bug. Another report, another small win.
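The three authorization gaps in this write-up, modelled side by side as an added example (this is not the platform's code or the author's; the user, class and activity data, the IDs and the function names are constructed assumptions). In each pair the check that is missing in the vulnerable version is the one the fixed version adds:

```python
# Constructed sample data; the IDs and names are placeholders, not the program's real values.
USERS = {1: {"name": "teacher"}, 2: {"name": "student"}}
CLASSES = {10: {"owner": 1, "admins": {1, 2}, "members": {1, 2}}}  # student already promoted to admin
ACTIVITIES = {4561245: {"owner": 1, "invited": {2}}, 4561244: {"owner": 1, "invited": set()}}
FORBIDDEN = (403, {"error": {"message": "Sorry, you don't have permission to access this", "code": 403}})


def user_endpoint_vulnerable(method, actor, user_id):
    # Bug #1 pattern: the ownership check is tied to the write verb only,
    # so a GET on someone else's ID returns their full profile.
    if method == "PUT" and actor != user_id:
        return FORBIDDEN
    return 200, USERS[user_id]


def user_endpoint_fixed(method, actor, user_id):
    # Decide access on the resource first; the verb does not change who may see it.
    if actor != user_id:
        return FORBIDDEN
    return 200, USERS[user_id]


def remove_from_class_vulnerable(actor, class_id, target):
    # Bug #2 pattern: any admin can remove any member, including the teacher who owns the class.
    cls = CLASSES[class_id]
    if actor not in cls["admins"]:
        return FORBIDDEN
    return 200, {"members": cls["members"] - {target}}


def remove_from_class_fixed(actor, class_id, target):
    # A delegated admin may manage members but never the class owner.
    cls = CLASSES[class_id]
    if actor not in cls["admins"] or target == cls["owner"]:
        return FORBIDDEN
    return 200, {"members": cls["members"] - {target}}


def learn_vulnerable(actor, activity_id):
    # Bug #3 pattern: the sequential numeric ID in the path is the only thing checked;
    # the invite link and code are never consulted.
    return (200, {"id": activity_id}) if activity_id in ACTIVITIES else (404, {})


def learn_fixed(actor, activity_id):
    # Require an invitation (or ownership) and answer 404 for both missing and
    # unauthorised IDs, so neighbouring IDs cannot be confirmed by probing.
    act = ACTIVITIES.get(activity_id)
    if act is None or (actor != act["owner"] and actor not in act["invited"]):
        return 404, {}
    return 200, {"id": activity_id}
```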
Conclusion
And that's how I found my first 3 valid bugs on a public Bugcrowd program.
- Trust your instincts.
- Be curious.
- Go beyond what others test.
- Learn the functionality, not just the endpoints.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
Thanks for reading! I hope this write-up helps someone out there who's just getting started.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
You can follow me on Twitter (X) where I post about my daily bug bounty journey to find my first bounty:
Until next time — happy hacking!