How I got my SIDN Swag
Hello guys, how are you? I’m writing an article after a very long time.
I’m Vikas Anand, a security researcher and bug bounty hunter from Bihar, India.
This time I got swag from SIDN (sidn.nl).
SIDN provides swag for valid reports. I see many people getting this swag, so I also thought of hunting on SIDN, and finally I got my swag.
Bug: Google API key leakage in the source code of [events.sidn.in]
First, I started with subdomain enumeration using some famous tools like Amass, Subfinder, and Findomain.
After that, I filtered all the subdomains using the httpx tool.
Then I got a subdomain [events.sidn.nl], which I found interesting, and I opened this website in a new tab with BurpSuite catching all the requests. After a few minutes, I checked BurpSuite again, and I found a low-hanging bug in the dashboard. The BurpSuite extension [JS Miner] discovered a Google API key in the website’s source code.
And I really don’t know how to use that particular API key. After a lot of researching, I finally thought, “Let’s just report and see what we get.”
After 4 days, I received this awesome mail.
So that’s all from this blog. I hope you like it. And please ignore my grammatical mistakes, as I’m not good at writing blogs.
If you have any questions, you can connect with me.
https://twitter.com/kingcoolvikas
https://www.linkedin.com/in/kingcoolvikas/
Cheers ✌️ and thanks for reading to the end of this article.
Timeline of the bug:
Reported: 13 Nov, 2022
Triaged: 17 Nov, 2022
Received Swag: 20 Dec, 2022
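
The finding described above, a Google API key readable in a site's served source, is something a site owner can catch before deployment. The following is an added example, not code from the original post, SIDN, or JS Miner: a build-time check that scans front-end assets for the widely used `AIza` + 35-character key pattern and reports redacted hits. The file names, bundle contents and key are constructed for illustration.

```python
import re
from typing import NamedTuple

# Widely used detection pattern for Google API keys: the literal prefix
# "AIza" followed by 35 characters from the URL-safe base64 alphabet.
_KEY_CHARS = r"[0-9A-Za-z_-]"
GOOGLE_KEY_RE = re.compile(rf"(?<!{_KEY_CHARS})AIza{_KEY_CHARS}{{35}}(?!{_KEY_CHARS})")


class Finding(NamedTuple):
    path: str
    line: int
    column: int
    redacted: str  # the full key is never written into CI logs


def redact(key: str) -> str:
    return key[:8] + "*" * (len(key) - 12) + key[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per key occurrence in a served asset."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, m.start() + 1, redact(m.group())))
    return findings


# Constructed sample input: a fake key and a made-up bundle, not SIDN's code.
FAKE_KEY = "AIza" + "Sy" + "0" * 33
SAMPLE_ASSETS = {
    "static/app.min.js": f'var a=1;initMap({{key:"{FAKE_KEY}"}});',
    "index.html": "<html>\n<script src=\"static/app.min.js\"></script>\n</html>",
    "static/vendor.js": "var id='xAIza" + "0" * 35 + "';  // longer token, not a key",
}


def scan_assets(assets: dict[str, str]) -> list[Finding]:
    return [f for path, text in assets.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    hits = scan_assets(SAMPLE_ASSETS)
    for h in hits:
        print(f"{h.path}:{h.line}:{h.column}: Google API key {h.redacted}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the build
```

Keys that must ship to the browser cannot be hidden from a scan like this; a hit is a prompt to confirm the key is restricted by HTTP referrer and by API in the Google Cloud console.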