Cracking the GitHub leaderboard

As you might know, GitHub is a web-based Git repository hosting service which offers all of the distributed revision control and source code management (SCM) functionality of Git, as well as adding its own features.

Later this year GitHub started a bug bounty program; earlier they used to send swag to bug reporters and add their names to the GitHub security page.

Cracking a bug bounty on the main domain is really hard because of the competition all around. And like always, I will repeat: your social friends’ newsfeed matters a lot in bug bounty.

I remember one of my Facebook friend’s posts: “ is acquired by github ”.

I was like


Although clickjacking (CJ) does not affect much of Easel’s functionality, as a bug hunter it is my responsibility to report things. It depends upon the vendor whether they accept the bug or not.

Well, they had just acquired Easel and they considered the CJ; as a result I got listed on their “Original Gangster” list, along with some awesome swag.



Well, CJ was still working for me :P.

A few days later I got bored, so I thought to dig again (that was my private swag mine). This time Tamper Data worked for me. There were CSRF tokens all over the application, but those tokens were not getting validated on the server side. This time the bug was critical and could take over any account by changing the email using a typical CSRF attack (sorry, can’t find the POC for this in my mail). I reported the CSRF without any POC; GitHub’s security guys were smart enough to reproduce the CSRF. Guess what! Another GitHub packet for me, and this time I was on the leaderboard (the only Indian at that time 😛) with 500 pts. GitHub created a special page for me (
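The bug described above, a CSRF token that travels with every form but is never compared with anything on the server, in a constructed Python sketch. This is an added example, not Easel’s or GitHub’s code; the Session model, the two handler names and the https://forum.example endpoint are made up for illustration. The vulnerable handler only checks that a token field is present, which is exactly what a cross-site form can satisfy; the fixed handler checks the value against the victim’s session.

```python
"""Added example: a CSRF token that is present but never validated,
beside the same handler with real server-side validation.
Not Easel's or GitHub's code; all names and URLs are constructed."""
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session of one logged-in user (hypothetical model)."""
    user: str
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def change_email_vulnerable(session: Session, form: dict) -> bool:
    """Looks protected because the form carries a csrf_token field, but the
    value is never compared with the token tied to the session. Any cross-site
    form that includes *some* csrf_token field is accepted."""
    if "csrf_token" not in form:
        return False
    session.email = form["email"]
    return True


def change_email_fixed(session: Session, form: dict) -> bool:
    """Server-side validation: the submitted token must equal the one stored in
    the victim's session. compare_digest keeps the comparison constant-time."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False
    session.email = form["email"]
    return True


def attacker_page(action_url: str, new_email: str) -> str:
    """Constructed attacker-controlled HTML: a hidden form that submits itself
    when the victim loads it. The browser attaches the victim's session cookie;
    the attacker cannot read the real token, so a dummy value is sent."""
    return (
        f'<form id="f" method="POST" action="{action_url}">'
        f'<input type="hidden" name="email" value="{new_email}">'
        '<input type="hidden" name="csrf_token" value="not-the-real-token">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


def forged_request(page_html: str) -> dict:
    """Stand-in for the victim's browser: the fields the auto-submitting form posts."""
    return dict(re.findall(r'name="([^"]+)" value="([^"]*)"', page_html))


def run_demo() -> dict:
    """Replay the forged POST against both handlers and report the outcomes."""
    target = "https://forum.example/settings/email"        # hypothetical endpoint
    forged = forged_request(attacker_page(target, "attacker@example.com"))

    victim = Session(user="victim", email="victim@example.com")
    hijacked = change_email_vulnerable(victim, forged)
    email_after_vuln = victim.email

    victim = Session(user="victim", email="victim@example.com")
    blocked = not change_email_fixed(victim, forged)
    email_after_fix = victim.email

    # A legitimate same-site form carries the real token and is still accepted.
    legit = {"email": "new@example.com", "csrf_token": victim.csrf_token}
    legit_ok = change_email_fixed(victim, legit)

    return {
        "vulnerable_accepted_forgery": hijacked,
        "email_after_vulnerable": email_after_vuln,
        "fixed_blocked_forgery": blocked,
        "email_after_fixed": email_after_fix,
        "fixed_accepted_legit": legit_ok,
        "final_email": victim.email,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check that matters is the comparison, not the presence of the field: a token the server never reads is decoration, and the account-takeover impact follows from the email change being the recovery channel.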


Well, that’s not the end; I reported a few more CSRFs (login) later this week. Easel was still my private swag mine till yesterday, when they sent me this:

Easel is shutting down 😦 It will be missed 😛 for sure.

All I can say is bug bounty is fun; just keep your eyes open.

logging off…


How I made $5100 in a week

17 Sept is a special day for me, the day which made me officially the highest-earning family member 😛. A year ago today Facebook paid me $5000 for two clickjacking bugs in their mobile site (

There is a quite interesting story behind this. I had been into bug hunting for a long time, but till 11 Sept I was struggling for my first bounty. You might say I was not trying hard; I even confess I never tried too hard in hunting till date.

But what I can say is that your networks on your social accounts (Twitter, Facebook) matter a lot. Even though they don’t share “how they do things”, they motivate you with the amounts they get from bounties.

Here’s the timeline:

10 Sept: Kamil Sevi posted “got bounty from Asana”. Let’s give Asana a try. Aditya‘s addon came in handy; reported CJ to Asana security.

12 Sept: Asana accepted the CJ and rewarded me $100.


15 Sept: One of my friends got $5000 from Facebook for some Facebook group bug. I was jealous and motivated. Started digging, found two CJ: one with Facebook messages (new thread), the other with Facebook notes.

17 Sept: Both clickjacking reports were marked valid and bang..


$5000 is more than enough for CJ. Well, there might be some luck or fate. Thanks Aditya for sharing his tool.
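A clickjacking test comes down to one question: will a browser render the target page inside a frame on an attacker’s origin? The added Python example below (not Aditya’s addon, and nothing from Facebook or Asana) answers that from a response’s headers. It handles X-Frame-Options and the CSP frame-ancestors directive, which takes precedence over X-Frame-Options when both are present, and it treats the obsolete ALLOW-FROM value as no protection, since Chrome never supported it and current browsers ignore it. The header sets and origins are constructed.

```python
"""Added example: decide from response headers whether a page can be framed
from another origin, the property a clickjacking test has to evaluate.
Not the addon mentioned in the post; header values and origins are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_source_matches(source: str, origin: str) -> bool:
    """Match a CSP host-source (optional scheme, '*.' wildcard, optional port) against an origin."""
    if "://" not in source:
        source = "//" + source                      # bare host: any scheme
    s, o = urlsplit(source), urlsplit(origin)
    if s.scheme and s.scheme != o.scheme:
        return False
    s_host, o_host = (s.hostname or ""), (o.hostname or "")
    if s_host.startswith("*."):
        if not o_host.endswith(s_host[1:]):         # ".partner.example"
            return False
    elif s_host != o_host:
        return False
    if s.port is not None and s.port != (o.port or DEFAULT_PORTS.get(o.scheme)):
        return False
    return True


def _source_matches(source: str, page_origin: str, framer_origin: str) -> bool:
    low = source.lower()
    if low == "'none'":
        return False
    if low == "'self'":
        return framer_origin.lower() == page_origin.lower()
    if low == "*":
        return True
    if low.endswith(":") and "/" not in low:        # scheme-source such as "https:"
        return urlsplit(framer_origin).scheme == low[:-1]
    return _host_source_matches(source, framer_origin)


def frameable_from(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if a current browser would render the page inside a frame hosted on framer_origin.

    When frame-ancestors is present it governs and X-Frame-Options is ignored.
    Otherwise DENY blocks all framing, SAMEORIGIN allows only the page's own
    origin, and a missing or unrecognised value (including the obsolete
    ALLOW-FROM) leaves the page frameable, i.e. clickjackable."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = csp["frame-ancestors"]
        if not sources:                             # empty source list means 'none'
            return False
        return any(_source_matches(src, page_origin, framer_origin) for src in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    return True


# Constructed responses for a hypothetical mobile site at https://m.example.com.
SAMPLES = {
    "no_header":     {"Content-Type": "text/html"},
    "deny":          {"X-Frame-Options": "DENY"},
    "sameorigin":    {"X-Frame-Options": "SAMEORIGIN"},
    "csp_self":      {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_partner":   {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    "csp_beats_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "allow_from":    {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(page_origin: str, framer_origin: str, samples: dict = SAMPLES) -> dict:
    """Sample name -> whether framer_origin could clickjack that response."""
    return {name: frameable_from(hdrs, page_origin, framer_origin) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hit in audit("https://m.example.com", "https://evil.example").items():
        print(f"{name:14} clickjackable: {hit}")
```

Run this over the headers of each authenticated page that performs a state-changing action (send message, create note, change a setting); a page that is frameable and does something on a single click is the candidate a clickjacking report is built on.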


logging off ..




XSS on Shopify

Shopify is an e-commerce platform that enables individuals and businesses to create online stores.

Yes, they have a bug bounty program.

While testing, I realized that none of the title fields were sanitizing JS.





I was like

I am rich


Reported the issue to the Shopify security team; they said “SELF XSS” and that they don’t consider this an issue.

OK then,



They had a public forum (with login functionality). I created a discussion with an XSS payload as the title. When the page was published, it triggered the payload just once. I tried again and again by refreshing the page; nothing happened.

I was frustrated, wrote “Fuck” in the comment, and it reloaded the page and bang!


I got an XSS, and this one is not self XSS. All I have to do is get a comment from a user on the discussion page.
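To make the distinction in this post concrete: a payload in a title is a self XSS only as long as nobody else’s page renders it; once it is stored in a public thread, every visitor who loads the thread gets it. The added Python example below (not Shopify’s code; the payload and thread content are constructed) renders a forum thread with and without HTML output encoding of the stored title and comments, and scans the result for active content with the standard-library HTML parser.

```python
"""Added example: the same stored title rendered with and without HTML output
encoding, plus a scanner for active content in the result.
Not Shopify's code; payload and thread content are constructed."""
import html
from html.parser import HTMLParser

# Constructed payload: injects an element carrying an event handler.
PAYLOAD = '"><img src=x onerror=alert(document.domain)>'


def render_discussion(title: str, comments: list, escape_output: bool) -> str:
    """Build the thread page. Every render re-emits the stored title, so a
    payload in it reaches each visitor who loads (or reloads) the thread.
    With escape_output=True, html.escape() turns the markup into plain text."""
    enc = html.escape if escape_output else (lambda s: s)
    items = "".join(f"<li>{enc(c)}</li>" for c in comments)
    return f"<html><body><h1>{enc(title)}</h1><ul>{items}</ul></body></html>"


class _ActiveContentScanner(HTMLParser):
    """Record script-capable elements, on* event handlers and javascript: URLs.
    Tag and attribute names arrive lower-cased from HTMLParser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):                       # onerror, onload, onclick, ...
                self.findings.append(f"{tag}@{name}")
            elif name in ("src", "href") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def active_content(doc: str) -> list:
    """List active-content findings in a rendered page (empty list means clean)."""
    scanner = _ActiveContentScanner()
    scanner.feed(doc)
    scanner.close()
    return scanner.findings


def demo() -> dict:
    """Render one constructed thread both ways and report what the scanner sees."""
    comments = ["first!", "Fuck"]                           # constructed replies
    unsafe = render_discussion(PAYLOAD, comments, escape_output=False)
    safe = render_discussion(PAYLOAD, comments, escape_output=True)
    return {
        "unsafe_findings": active_content(unsafe),
        "safe_findings": active_content(safe),
        "safe_title_html": safe[safe.index("<h1>") + 4 : safe.index("</h1>")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The encoded title comes out as `&quot;&gt;&lt;img src=x onerror=alert(document.domain)&gt;`, which the browser displays as text and the scanner reports nothing for; the unencoded render yields an `img` element with an `onerror` handler on every page load. Escaping has to be applied at output time in each HTML context the title lands in (element body, attribute, script), not only on the one form where the author first noticed the gap.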

They accepted this one, and one more HOF (hall of fame) for me 🙂




logging out……