It was a completely normal Tuesday night. A notification popped up on my screen: friends were getting online to play games, the usual invitation.
But for some reason, a different choice was made. Instead of joining them, a browser was opened. A decision was made to spend an hour on ethical hacking, practicing skills on a public bug bounty program. Just one hour.
That single hour turned into a journey that ended with a $11,000 reward.
This isn't a story about being a genius hacker. It's a story about a method, patience, and what happens when curiosity is followed systematically.
First Step: The Reconnaissance Process
The first rule of bug bounty is simple: you can't find what you don't look for. The hunt always starts with recon (reconnaissance).
For TikTok, this meant understanding its digital footprint. A powerful tool called urlscan.io was used. A search was run for *.tiktok.com, and a massive list of results, over 10,000 URLs and endpoints, was returned.
The goal wasn't to look at everything. The goal was to filter the noise.
The list was scanned for patterns. Subdomains like ads.tiktok.com or business.tiktok.com were ignored initially. Attention was focused on paths that hinted at user functionality: share, campaign, api, event.
One endpoint, in particular, stood out:
https://api.tiktok.com/share/v1/campaign/link?region=US&id=12345
It looked like a campaign or sharing feature. The region parameter was especially interesting. Parameters that control output are often where vulnerabilities live.
The Simple Parameter Test
The endpoint was loaded directly in a browser. A simple test was performed to see if user input was reflected back on the page.
A basic payload was added to the region parameter:
?region=US'"><test>
The page was refreshed.
There it was. The characters '"><test> were displayed right there in the response, unsanitized. This was a reflected Cross-Site Scripting (XSS) vulnerability in its simplest, rawest form.
A direct door had been found, but a very strong lock was immediately discovered.
The First Test and the Immediate Hurdle
Excitement was brief. The next logical test in XSS research is to see if a script can be executed. A classic test payload was tried:
"><img src=x onerror=alert(document.domain)>
The page loaded, but nothing happened. The browser's developer console was checked. A red error message was visible:
Blocked by WAF. Request ID: akamai-...
A WAF (Web Application Firewall) was in place, specifically Akamai. This sophisticated filter was analyzing every request and blocking known malicious patterns. The simple XSS was confirmed, but it was completely neutered by the WAF.
The challenge was no longer finding a bug. It was finding a key that fit the lock.
My WAF Bypass Journey
This is where bug bounty transitions from finding to problem-solving. The WAF was looking for specific, harmful strings. The goal was to craft a payload that did the same thing but looked completely different.
An iterative, experimental process was begun. Common WAF bypass techniques for Akamai were researched.
- Technique 1: Case Manipulation. </ScRiPt> was tried. Blocked. </SCRIPT> was tried. Blocked.
- Technique 2: Tag Tampering. </ScRpt> was tried. Not blocked! But it's not a valid HTML tag, so the browser ignored it. A dead end.
- Technique 3: Obfuscation & Junk Data. This was where progress was made. The idea was to confuse the WAF by breaking up the malicious string with meaningless data that it would ignore. After many, many attempts, a pattern was crafted that slipped through:
}<x>xxx<!--><!>+>+></Script+xxx></script%20x></x><x>xxx<!--><!>+>+>
This bizarre-looking string was the bypass. It contained the valid </script> tag, but it was split up and surrounded by "junk" characters (x>xxx<!--><!>+>+>) that the WAF's pattern-matching didn't recognize as a threat.
The lock had been picked.
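As an added illustration that is not part of the original write-up, here is the reflection bug in miniature beside the fix that makes the WAF irrelevant: the region value is allow-listed and HTML-encoded before it reaches the page, so neither the basic probe nor the obfuscated bypass string above ever becomes markup. The region list, the handler names and the snippet of HTML are assumptions for the example; the two payload strings are the ones quoted above.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed inputs: the two probe strings quoted in the write-up above.
BASIC_PROBE = "US'\"><test>"
BYPASS_PAYLOAD = ("}<x>xxx<!--><!>+>+></Script+xxx><Script+xxx>"
                  "window.location='https://my-secure-test-site.com';"
                  "</script%20x></x><x>xxx<!--><!>+>+>")

# Assumed allow-list: the region codes the share feature is meant to accept.
ALLOWED_REGIONS = {"US", "GB", "DE", "JP"}
REGION_RE = re.compile(r"^[A-Z]{2}$")


def region_from_url(url: str) -> str:
    """Pull the region parameter from a share link, as a handler would."""
    query = parse_qs(urlsplit(url).query)
    return query.get("region", [""])[0]


def render_vulnerable(region: str) -> str:
    """Echoes the raw parameter into HTML: the reflected XSS described above."""
    return f'<p data-region="{region}">Shared from {region}</p>'


def encode_for_html(value: str) -> str:
    """Output encoding for HTML text and quoted attribute values."""
    return html.escape(value, quote=True)


def render_hardened(region: str) -> str:
    """Validate against the allow-list, then encode anyway (defence in depth).

    Encoding alone already defeats every payload on this page; validation
    additionally keeps junk like the bypass string out of the page entirely.
    """
    if not REGION_RE.match(region) or region not in ALLOWED_REGIONS:
        region = "US"  # safe default rather than reflecting the input
    safe = encode_for_html(region)
    return f'<p data-region="{safe}">Shared from {safe}</p>'


def reflects_unencoded(markup: str, payload: str) -> bool:
    """True when the payload appears verbatim, i.e. the browser would parse it."""
    return payload in markup
```

The point of the pairing is that a signature-based WAF is a secondary control: once the response encodes the value, the bypass hunt described above has nothing left to bypass.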
From POC to Report
Finding a bypass is one thing. Proving its impact is everything. A safe, proof-of-concept (PoC) had to be built.
For ethical hacking and reporting, a harmless demonstration is key. Instead of a malicious alert(), a payload was created that would redirect to a domain I controlled, proving I could steer user traffic. The full payload looked like this:
}<x>xxx<!--><!>+>+></Script+xxx><Script+xxx>window.location='https://my-secure-test-site.com';</script%20x></x><x>xxx<!--><!>+>+>
When this was loaded in the browser with the vulnerable region parameter, the page instantly redirected. Proof complete.
The report included:
- The vulnerable URL.
- A step-by-step explanation of the vulnerability.
- The technical details of the WAF bypass.
- The full PoC payload.
- A video screen recording showing the redirect in action.
Clarity is your currency in a bug bounty report. The report was submitted, and the waiting began.
The Reward and Repeating Success
Within 48 hours, a message arrived in the HackerOne inbox. It was from TikTok's security triage team.
"Thank you for your report. We have reproduced the issue and are moving it to triage."
A few days later, the status changed to "Triaged" and then to "Resolved." The bounty was awarded: $5,000 for the critical XSS with a WAF bypass.
But the story didn't end there.
The same method was reapplied. The recon list was revisited. Other endpoints with similar id or campaign parameters were searched for. The same vulnerability pattern was found in two other locations.
Two new reports were filed. The process was identical. Both were validated.
- Bug 2 Reward: $3,000
- Bug 3 Reward: $3,000
The Final Tally: $5,000 + $3,000 + $3,000 = $11,000
All from one evening of choosing practice over play, and then following a process.
Key Lessons for Your First Bounty
If one thing is taken from this story, let it be this: bug bounty is a structured discipline, not magic. Here is the method, distilled:
- Recon is King. 90% of the work is sifting through data (urlscan.io, subdomain enumerators) to find that one interesting endpoint. Be patient and systematic.
- Test the Obvious First. Simple parameters (?region=, ?id=, ?return_to=) are the most common sources of vulnerability. Don't overcomplicate the initial search.
- WAFs are Puzzles, Not Walls. A blocked request is the start of the real work. Research the specific WAF (Akamai, Cloudflare) and experiment with obfuscation, encoding, and junk data to craft your bypass.
- Your Report is a Sales Pitch. Be professional, clear, and visual. Assume the reviewer is smart but busy. Make your PoC undeniable and easy to replay.
- Persistence Pays in Multiples. When one bug is found, ask: "Where else could this pattern exist?" Code is often reused, so vulnerabilities are too.
This ethical hacking path is open to anyone with curiosity and a willingness to learn. The tools are free. The programs are public. The next $11,000 reward might just be one hour of focused recon away.
Happy hunting.