My first bounty on Synack Red Team

Octavian Mihail Romanescu
2 min read · Jun 20, 2023

Hey there, folks! I’m here with a captivating article revealing how I scored my very first bounty on Synack Red Team. Just like many of you, I spent countless hours reading inspiring stories and write-ups about others’ bounties while self-learning cybersecurity. Now, it’s my turn to share my own journey and inspire you along the way.

The bug

Before we get into the amount I earned from the report, let’s start by talking about an interesting bug I found. It turned out to be a stored XSS vulnerability!

While exploring the web application, a user-friendly dashboard for managing cloud-managed network devices (think Cisco Meraki), I stumbled upon a handy feature. It let users onboard devices in bulk by uploading a .csv or .xlsx file containing each device's serial number and ID. Pretty handy, right?

Having come across numerous reports about this class of vulnerability, I couldn't resist giving it a shot myself. The idea was simple yet intriguing: inject an XSS payload into one of the spreadsheet cells and then upload the file for device onboarding…
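The mechanism behind this bug class, as an added example that is not code from the original post or from the dashboard the author tested: a bulk-onboarding endpoint parses an uploaded file, stores the cell values, and later renders them into the device list. If the serial-number cell is written into the page without encoding, the uploaded spreadsheet becomes a stored XSS vector. The column names (`serial`, `device_id`), the sample payload, and the serial-number format accepted by `validate_serial` are assumptions made for this illustration (only the CSV path is shown; an .xlsx file would need a spreadsheet library but ends up in the same render step).

```python
import csv
import html
import io
import re

# Constructed sample upload: a two-column onboarding CSV in which the
# second row's "serial" cell carries a script payload. Illustrative data,
# not the file or payload from the original report.
SAMPLE_CSV = (
    "serial,device_id\n"
    "Q2XX-AAAA-BBBB,1001\n"
    '"<img src=x onerror=alert(document.domain)>",1002\n'
)

# Assumed serial-number format for the allowlist check: three groups of
# four alphanumerics separated by dashes. Adjust to the real vendor format.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$")


def parse_onboarding_csv(text):
    """Parse the uploaded CSV into (serial, device_id) tuples, exactly as a
    naive importer would: every cell is accepted verbatim."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["serial"], row["device_id"]) for row in reader]


def validate_serial(serial):
    """Upload-time allowlist check. A payload like '<img ...>' cannot match
    the serial format, so rejecting it here stops the bug before storage."""
    return SERIAL_RE.match(serial) is not None


def render_vulnerable(rows):
    """Builds the device table by string concatenation. The stored cell value
    lands in the HTML unchanged, which is the stored XSS the post describes."""
    cells = "".join(f"<tr><td>{s}</td><td>{d}</td></tr>" for s, d in rows)
    return f"<table>{cells}</table>"


def render_hardened(rows):
    """Same table, but every cell is HTML-escaped at output time. Escaping at
    render is the fix that holds even if a bad value slipped past validation."""
    cells = "".join(
        f"<tr><td>{html.escape(s)}</td><td>{html.escape(d)}</td></tr>"
        for s, d in rows
    )
    return f"<table>{cells}</table>"


def contains_raw_markup(rendered):
    """Crude check used to contrast the two renderers: an unescaped '<img'
    tag surviving into the output means the payload would execute."""
    return "<img" in rendered


if __name__ == "__main__":
    rows = parse_onboarding_csv(SAMPLE_CSV)
    print("rows accepted by naive importer:", len(rows))
    print("rows passing serial allowlist:", sum(validate_serial(s) for s, _ in rows))
    print("vulnerable render contains raw tag:", contains_raw_markup(render_vulnerable(rows)))
    print("hardened render contains raw tag:", contains_raw_markup(render_hardened(rows)))
```

The two defences are independent: the allowlist rejects the file at upload, and output encoding makes the stored value harmless even when the importer is lenient. A dashboard that does neither, and later shows the serial in an HTML table, is exactly the situation this report exploited.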
