My First Bounty And SSRF

Muhammad Julfikar Hyder
3 min readAug 8, 2020


Hello peoples, I’m Muhammad Julfikar Hyder from Bangladesh, back again with my first bounty story today. You can also read my previous blog on how I hacked LINE’s bucket here.

It was 9/24/2019. I was a newbie at bug bounty hunting, and I’m still a newbie there! Whatever, let’s enter the story.

Today I’ll talk about the SSRF vulnerability. Let’s know what SSRF is. Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

Okay, when I first started hacking, I liked to test random websites to improve my skills because I wasn’t yet proficient enough to test on a platformed website. For my testing, I used a well-known Bangladeshi eCommerce website. I just started and got a request like this.

The request is calling another cross-domain data source with the ‘src’ parameter! Hmm..!!! I just changed the URL and don’t understand what happened! Then, on my previously random-shelled domain, I created an.php file with the JavaScript contents “<script>alert(document.domain)</script>.” I replaced the URL with the JavaScript URL, and the request was like this:

I became very strange! It was working! The response was like this!

The request was to load files from third party domains!

Then I began to wonder, “What can I do more of?” Because I had no IP logger, I could check the SSRF clearly! I fired up My Little Buddy Command Prompt and took the IP of my target domain with the command ‘ping

I again changed the request to this:

I changed the URL with Iplocation and got the domain’s IP in the response!

SSRF has been confirmed yet again!

The site had no bug bounty program, but I reported them politely, and they awarded me a 5-digit bounty, which was unexpected from a random and non bounty provider company!

“About the author: Muhammad Julfikar Hyder is a bug bounty hunter and cybersecurity enthusiast. You can follow them on Twitter at @thejulfikar for more security tips and updates on their latest findings.”



Muhammad Julfikar Hyder

Security Specialist at Beetles Cyber Security Limited | Co-founder, @bbcbd_official | Recognized by 100+ prestigious organization