The €400 Bug - VPN/Geo Location Bypass
A security researcher was blocked after testing a bug bounty target manually. By modifying the X-Forwarded-For header he bypassed the geo restriction and reported the vulnerability. Although the bounty payment was delayed and downgraded, the incident highlights the importance of security research. 2026-1-12 12:39:7 Author: infosecwriteups.com

Umanhonlen Gabriel

While hunting on the bug bounty platform REDACTED, I approached the target the way I always do: like a hunter.

I first tried to understand the platform itself. I created an account and started hunting manually because I don’t like relying on automation. I prefer seeing things with my own eyes and logic.

After some time, I wasn’t finding any bugs. I got tired and decided to take a break.

Three (3) days later, after a lot of thinking and reading, I tried to log back in and noticed I was blocked. I also tried to create a new account and noticed the same block.

That immediately caught my attention.

I then tried using my VPN, but I noticed an error message saying that account creation was not allowed while using a VPN. This increased both my frustration and my curiosity.


At that point, I needed to break in.

This wasn’t initially about the bounty, it was about my skills as an ethical hacker. I knew that if I could see this behavior, a black-hat attacker would also see it too and try to break in and likely succeed. So I started testing.

I read blogs but found nothing useful.
I tried using AI, but what I was getting back wasn’t what I needed.

For about 2–3 weeks, I kept visiting the site. My Burp Suite project was always saved, and I kept hunting whenever I had time.

One day, I was extremely tired and fell asleep. While sleeping, I kept thinking about the problem. I honestly believe I saw the solution in a dream. I woke up around 3 AM, went straight to my desk, opened my laptop, and started testing immediately.

I logged in, captured the request, and instead of using a random IP, I modified the request headers. I used a private IP and a Google IP together:

X-Forwarded-For: 10.0.0.1, 8.8.8.8

Then I sent the request and waited for the response.

To my shock, I was in.


I had successfully bypassed the geo-location restriction.

To confirm, I turned on my VPN again to see if the IP would change or block me. And once again, to my shock, I was still able to bypass the geo-location check using that extra header.

Why did this happen?
It happened because the application trusted something it should never have trusted. The backend was not validating the real source IP from the network layer. Instead, it relied on a user-controlled HTTP header called X-Forwarded-For to decide where the request was coming from.

This header is meant to be added by trusted proxies or load balancers to tell the server the original client IP. But in this case, the application accepted whatever value the client sent without verifying if the request actually passed through a trusted proxy.

By inserting a private IP (10.0.0.1) followed by a trusted public IP (8.8.8.8), I exploited flawed logic in the IP-parsing mechanism. The system either ignored the private IP or assumed it belonged to internal infrastructure, then fell back to the next IP in the list, which appeared clean, trusted, and allowed.

As a result, the geo-location engine believed the request was coming from a safe region, even while I was connected through a VPN.

This meant the restriction wasn’t enforcing location based on the real network source, but on what the user claimed their IP was.
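The contrast described above, written out as an added example (this is not code from the original post or from the affected target): one resolver implements the flawed logic the post describes, trusting X-Forwarded-For from any peer, skipping private addresses and taking the next hop; the other only honours the header when the TCP peer is one of the site's own proxies and walks the list from the right, stopping at the first hop the proxies did not add. The proxy range, the toy GeoIP table and the sample requests are all constructed for the example; 203.0.113.0/24 is an RFC 5737 documentation range standing in for a blocked region.

```python
import ipaddress
from typing import Callable, Optional

# Constructed sample data for this example (not from the original post).
ALLOWED_COUNTRY = "US"
# Toy stand-in for a GeoIP database: network -> country code.
GEO_DB = {
    ipaddress.ip_network("8.8.8.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # documentation range, used as a blocked region
}
# The site's own load balancers (hypothetical range). Only these may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def geo_lookup(ip: str) -> Optional[str]:
    """Return the country code for ip from the toy table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in net:
            return country
    return None


def is_trusted_proxy(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_vulnerable(remote_addr: str, xff: Optional[str]) -> str:
    """The flawed logic the post describes: trust X-Forwarded-For from any peer,
    treat private addresses as internal infrastructure and skip them, and take
    the first public address that follows. The client controls every hop."""
    if xff:
        for hop in (h.strip() for h in xff.split(",")):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                continue
            if addr.is_private:
                continue  # assumed to be an internal hop, so ignored
            return hop
    return remote_addr


def client_ip_hardened(remote_addr: str, xff: Optional[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies, then
    walk the list right to left: the rightmost hops were appended by our own
    proxies, and the first hop that is not one of them is the real client.
    Everything further left was supplied by the client and is never used."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr  # direct connection: the header is untrusted, ignore it
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer, never guess
        if is_trusted_proxy(hop):
            continue
        return hop
    return remote_addr  # no client hop recorded; the proxy IP itself will not geo-resolve


def geo_allowed(resolver: Callable[[str, Optional[str]], str],
                remote_addr: str, xff: Optional[str]) -> bool:
    """Geo-restriction decision built on whichever IP resolver is in use."""
    return geo_lookup(resolver(remote_addr, xff)) == ALLOWED_COUNTRY


if __name__ == "__main__":
    # Constructed request: VPN exit in the blocked region, direct to the app,
    # carrying the header value from the post.
    peer, header = "203.0.113.10", "10.0.0.1, 8.8.8.8"
    print("vulnerable:", geo_allowed(client_ip_vulnerable, peer, header))  # True: bypassed
    print("hardened:  ", geo_allowed(client_ip_hardened, peer, header))    # False: denied
```

The hardened resolver also survives the case where the request does pass through a real proxy: if the proxy appends the true client address, that address is the rightmost untrusted hop and any value the client pre-filled to its left is discarded. For the fix to hold in production the list of trusted proxies must be the actual set of edge addresses, and the proxies must overwrite or append to the header rather than forwarding it untouched.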

This was reported as a critical bypass.

But then came the disappointment.

The report stayed in back-and-forth discussion for over a month, and without a clear reason, the CVSS score was downgraded. When it was finally time for payment, I was told that their wallet on the bug bounty platform had not been loaded yet.

That was extremely frustrating.

Still, I was glad I proved my point that a very simple logic flaw could completely disrupt their geo-restriction system.

I won’t expose the target or the bug bounty platform, but this experience highlights a bigger issue. Security researchers must be rewarded and appreciated accordingly, not delayed, downgraded, or ignored.

Bug bounty hunting can be very frustrating. Sometimes it feels like black hats are thriving more than white hats. But in the end, it’s our call and our discipline to keep protecting systems with good intentions. As ethical hackers, we keep going even through frustration until that one big win.

Thank you for reading. Feel free to reach out, connect, or share your thoughts. I’m always open to learning from others, exchanging ideas, and growing alongside people who care about security just as much as we do.

Feel free to connect with me on LinkedIn or X:

https://www.linkedin.com/in/umanhonlengabriel

https://x.com/sudosu01

Thank you!


Article source: https://infosecwriteups.com/the-400-bug-vpn-geo-location-bypass-0e9a6d26dd37?source=rss----7b722bfd1b8d--bug_bounty