Hey folks πŸ‘‹ I'm Ferdus, a security researcher and bug hunter. I used to hunt mostly on Bugcrowd under the handle bebe, and now I'm more active on HackerOne with the username hackbebe1.

This writeup is for beginners and non-technical hunters who think you need complex skills to earn good bounties. Trust me, you don't. I made over $10,000 just by focusing on one feature β€” the share function β€” and finding multiple IDOR vulnerabilities that exposed PII of over 7M users on a major SaaS project management platform (name redacted).

None

Why I Focused on One Target

Instead of jumping between dozens of programs, I picked one app and spent time understanding how it works β€” features, roles, permissions, how share and access logic works, etc.

Once I found one IDOR, I used a simple rule:

"If one feature is vulnerable, similar features might be too."

The First IDOR β€” The Breakthrough

  • In this app, users can share tasks with other members.
  • I shared a task normally, then intercepted the request in Burp Suite.
  • The JSON body looked like this:

{

"user_id": "173535"

}

  • I changed the user_id to a random ID that didn't belong to my workspace.
  • Boom β€” the response leaked PII data of that user (name, email, etc.).

I reported it and got $500 bounty in just a few days.

The Real Jackpot β€” Repeat the Same Logic Everywhere

After the first bounty, I got curious. The app had multiple share-like features:

βœ… Share Tasks βœ… Share Documents βœ… Share Lists βœ… Share Folders βœ… Share Goals βœ… Share Spaces

I repeated the same trick on all of them. Most were vulnerable.

Some endpoints didn't accept POST? ➑️ I tried PUT instead of POST β€” and it worked.

Some endpoints used "user"? ➑️ I tried "users" and "user_ids" too β€” and one of those parameters got accepted.

This simple parameter mutation + ID tampering combo earned me more than $10k across multiple reports β€” all on the same platform.

Key Takeaway for Beginners

You don't need advanced exploitation or RCE to earn bounties.

Just understand the app deeply and test similar areas again and again.

  • Found one IDOR? ➑️ Search for similar endpoints.
  • Saw "user_id"? ➑️ Try "users", "user", "assignee_id", etc.
  • POST blocked? ➑️ Try PUT, PATCH, DELETE.
  • Don't rely only on UI. ➑️ Replay raw requests with modified IDs.

Final Words

This hunting method is perfect for beginners with patience. Most people give up after one report. I did the opposite β€” I doubled down.

One feature. Many variations. Many payouts.

If you want, I can publish a checklist for hunting IDORs in SaaS web apps β€” just let me know and I'll drop it in the next writeup.

Thanks for reading,

Happy Hacking!