Most hackers ignore Open Redirects — but this one turned into a $1,000 payday. Here’s how.
It was just another lazy afternoon. Facebook ads were flooding my feed, and normally, I’d scroll past them without a second thought.
But this time, something felt off. A tiny detail in the URL caught my eye — a hidden Open Redirect vulnerability that most people would’ve missed.
What started as a low-risk bug quickly escalated into a reflected XSS (rXSS) payday on HackerOne. And the best part? The entire discovery took less than 8 minutes.
If you’ve ever thought Open Redirects were worthless, this story might change your mind.
The ad led to Showmax, a streaming platform I’d never tested before. A quick search on HackerOne showed that their program had no resolved reports in the last 6 months. That’s usually a red flag — or a golden opportunity. Most hackers avoid inactive programs, assuming they’re not worth the effort. But sometimes, neglected targets hide the easiest wins.
I wasn’t even hunting for bugs that day. But when a simple ?redirect= parameter in the URL responded with a 302 Found status, my instincts kicked in.
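The reason a ?redirect= parameter that answers with a 302 is worth a second look is that a server echoing the parameter straight into the Location header will send the browser wherever the value says, including to non-web schemes, which is how an open redirect becomes a reflected XSS. The following is an added example, not code from the original post or from Showmax: the "before" shape beside a hardened version that only ever emits a same-site path or an allowlisted https URL. The allowlisted hosts and the sample inputs are constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example; a real deployment substitutes its own hosts.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(redirect: str) -> str:
    """'Before' shape: the parameter value goes verbatim into the 302 Location
    header, so any caller-supplied URL (including a javascript: URL) is honoured."""
    return redirect


def safe_redirect_target(redirect: str, default: str = DEFAULT_TARGET) -> str:
    """Return either a same-site absolute path or an allowlisted https URL,
    rebuilt from parsed parts; anything else falls back to `default`."""
    if not redirect:
        return default
    # Control characters, whitespace and backslashes are the usual material for
    # smuggling a scheme or host past a naive check; refuse rather than normalise.
    if any(ord(c) < 0x21 or c == "\\" for c in redirect):
        return default

    parts = urlsplit(redirect)
    scheme = parts.scheme.lower()
    # Only web schemes may pass; javascript:, data:, vbscript:, file: are all rejected.
    if scheme and scheme not in ("http", "https"):
        return default

    # .hostname resolves "user@host:port" forms down to the real host, so a
    # value like "https://www.example.com@other.example/" is judged by "other.example".
    host = parts.hostname
    if host:
        # Absolute or protocol-relative ("//host/...") URL: allowlisted https hosts only.
        if host not in ALLOWED_HOSTS or scheme != "https":
            return default
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

    # Relative target: must be an absolute path with exactly one leading slash.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Rebuilding from parts (rather than returning the input) is what keeps
    # odd spellings such as "///host" from reaching the browser unchanged.
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample values a redirect parameter might carry.
    samples = [
        "/account?tab=billing",
        "https://www.example.com/watch?id=5",
        "javascript:alert(1)",
        "//other.example/login",
        "https://www.example.com@other.example/",
        "/\\other.example",
        "",
    ]
    for value in samples:
        print(f"{value!r:45} vulnerable -> {vulnerable_redirect_target(value)!r:45} "
              f"safe -> {safe_redirect_target(value)!r}")
```

The design choice worth noting is that the hardened function never returns the caller's string: it parses, checks scheme and host against an allowlist, and then rebuilds the target from the parsed parts, so any spelling the parser and the browser disagree about collapses to something the server chose.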