League of Arizona Cities and Towns, AZ

Bug Bounty Masterclass Tutorial (VALIDATED – Strategy)

Is the database talking to you?

Add a single quote (') to a parameter. If the page errors, the quote reached the query unescaped and the input is being concatenated into SQL. If errors are suppressed, try a time-based payload instead: ' AND SLEEP(5)-- - makes a MySQL/MariaDB server delay its response by about five seconds when the injected condition is evaluated. Send it several times and compare against a baseline request so network jitter is not mistaken for a sleep, and remember that SLEEP() is MySQL syntax (PostgreSQL uses pg_sleep(), SQL Server uses WAITFOR DELAY).

Pro tip: Use sqlmap only as a last resort. Running sqlmap against a live production site is noisy: it can get your IP banned, trip rate limits, and may breach the program's rules on automated scanning. Confirm the injection manually first.
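The two checks above, as an added example that is not part of the original tutorial: a throwaway SQLite table (constructed for the example, not a real target) queried once by string concatenation and once with a bound parameter, plus a probe() helper that classifies the three outcomes you look for (error, rows, no rows). render() shows exactly what the SLEEP payload turns the query into; the SLEEP() call itself only runs on MySQL/MariaDB, so against SQLite it simply errors as an unknown function.

```python
import sqlite3

# Constructed sample data so the example runs offline; not a real application.
SQL_TEMPLATE = "SELECT id, name FROM users WHERE name = '{}'"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def render(user_input):
    """What the vulnerable code actually sends to the database."""
    return SQL_TEMPLATE.format(user_input)


def lookup_vulnerable(conn, user_input):
    """String concatenation: the attacker's quote becomes SQL syntax."""
    return conn.execute(render(user_input)).fetchall()


def lookup_parameterized(conn, user_input):
    """Bound parameter: the quote stays data, whatever it contains."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (user_input,)
    ).fetchall()


def probe(conn, payload):
    """Classify the response the way a manual tester does.

    'error' -> the input broke the query (the database is talking to you),
    'rows'  -> the query ran and returned data,
    'empty' -> the query ran and returned nothing.
    A production app usually hides the error behind a generic 500, which is
    why the time-based payload exists.
    """
    try:
        rows = lookup_vulnerable(conn, payload)
    except sqlite3.OperationalError:
        return "error"
    return "rows" if rows else "empty"


if __name__ == "__main__":
    db = make_db()
    for p in ["alice", "'", "' OR '1'='1", "' AND SLEEP(5)-- -"]:
        print(repr(p), "->", probe(db, p), "|", render(p))
    print("parameterized with a bare quote:", lookup_parameterized(db, "'"))
```

The tautology payload returns every row because the trailing quote re-closes the string; the SLEEP payload comments the trailing quote away with -- - so the server sees a well-formed query and the only observable signal is the delay.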

The classic "Change the number in the URL" bug.

How to find it: Go to your profile: site.com/profile?user_id=1001. Change it to 1000. If you see another user's data, the server is trusting the ID in the request instead of the identity in your session; that is an Insecure Direct Object Reference (IDOR), and it pays. Check the same parameter on edit and delete endpoints too, where the impact (and the payout) is higher than on a read.
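Server-side view of the same bug, as an added example that is not from the original tutorial: a lookup that trusts the user_id parameter beside one that authorizes against the session identity, and an idor_scan() helper that walks the neighbouring IDs the way the tip describes and reports which ones leak. The profile table and the IDs are constructed for the example.

```python
# Constructed stand-in for the site's user table (example data only).
PROFILES = {
    1000: {"owner": 1000, "email": "alice@example.com"},
    1001: {"owner": 1001, "email": "bob@example.com"},
    1002: {"owner": 1002, "email": "carol@example.com"},
}


def profile_vulnerable(session_user_id, requested_id):
    """IDOR: the handler looks up whatever ID the client asked for.
    The session identity is available but never consulted."""
    return PROFILES.get(requested_id)


def profile_fixed(session_user_id, requested_id):
    """Authorize against the session, not the request.

    Returning None (an HTTP 404) for both 'does not exist' and 'not yours'
    keeps the endpoint from confirming which IDs are valid.
    """
    profile = PROFILES.get(requested_id)
    if profile is None or profile["owner"] != session_user_id:
        return None
    return profile


def idor_scan(handler, session_user_id, candidate_ids):
    """Try each candidate ID as the logged-in user and return the IDs whose
    data comes back even though they belong to someone else."""
    leaked = []
    for rid in candidate_ids:
        if rid == session_user_id:
            continue
        if handler(session_user_id, rid) is not None:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    me = 1001
    neighbours = range(998, 1005)
    print("vulnerable leaks:", idor_scan(profile_vulnerable, me, neighbours))
    print("fixed leaks:     ", idor_scan(profile_fixed, me, neighbours))
```

In a real test the scan compares status codes and response bodies rather than Python return values, but the decision logic is the same: anything other than your own record coming back is the finding.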

Masterclass Tutorial Action:

The next morning, Julian returned to the simulation. The takeover was a good start, but it was a low-severity payout. Viper had reset the environment.

"Lesson Two: Forget XSS (Cross-Site Scripting) for a moment. Look at the business logic. Companies care about money, not just code."

Viper directed him to OmniCorp’s e-commerce platform. It was a sleek, modern site where users could buy digital credits.

Julian spent three hours reading the JavaScript source code on the checkout page. He didn't look for injected scripts; he looked for how the data was handled. He noticed a parameter in the API call when he added an item to the cart: "price": 50.00.

He tried changing the price to negative values. The server blocked it. He tried changing it to zero. Blocked.

"The backend has validation checks," Julian muttered.

Viper’s message flashed: "Validation is usually a straight line. Try a curve."

Julian thought about race conditions. What if he sent two identical requests at the exact same millisecond? He fired up Burp Suite, a proxy tool used to intercept web traffic, captured the request to purchase credits, and set up a parallel attack that sent that same request 50 times simultaneously.

The server could not keep up with the concurrency. It read the balance for the first request and found it valid, but before the deduction for that request had been written, the second, third and fourth requests read the same untouched balance and passed the check too. The check and the deduction were two separate steps, and nothing tied them together.

His screen refreshed. His account balance, which should have been empty, was now overflowing with credits. He had bought $1,000 worth of credits for $10.

"That is a Business Logic Flaw," Viper typed. "Impact: High. Payout: High. You didn't hack the code; you hacked the traffic."
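The race above, as an added example that is not the narrative's OmniCorp code: a toy credit store with a racy check-then-deduct handler beside an atomic one, and a fire_parallel() helper that releases N identical requests at once, the way a Burp parallel attack does. A Barrier in the racy handler's gap stands in for the scheduling the attacker gets for free in practice (every request reads the balance before any deduction lands); the balance, price and credit amounts are constructed for the example.

```python
import threading


class CreditStore:
    """Constructed stand-in for the shop's account table."""

    def __init__(self, balance):
        self.balance = balance      # money on the account
        self.credits = 0            # credits purchased so far
        self._lock = threading.Lock()

    def buy_racy(self, price, credits, gap=lambda: None):
        """The flawed handler: SELECT the balance, decide, then UPDATE.

        Each statement is atomic on its own, but nothing binds the read to
        the write, so N concurrent requests can all pass the check on the
        same stale balance before any deduction is applied.
        """
        if self.balance >= price:       # 1. read the balance and check it
            gap()                       # 2. the window (DB/network latency in real life)
            with self._lock:            # 3. the write, based on the stale read
                self.balance -= price
                self.credits += credits
            return True
        return False

    def buy_atomic(self, price, credits):
        """Hardened handler: check and deduct in one critical section.

        The SQL equivalent is SELECT ... FOR UPDATE inside a transaction, or a
        single UPDATE ... SET balance = balance - :price WHERE balance >= :price
        whose affected-row count decides whether the purchase succeeded.
        """
        with self._lock:
            if self.balance >= price:
                self.balance -= price
                self.credits += credits
                return True
            return False


def fire_parallel(n, handler):
    """Send the same request n times at once; return how many the server accepted."""
    start = threading.Barrier(n)
    accepted = []

    def worker():
        start.wait()                    # release every request together
        if handler():
            accepted.append(1)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted)


def demo(n=100, balance=10, price=10, credits=10):
    """Run the attack against both handlers and report the outcome."""
    racy = CreditStore(balance)
    gap = threading.Barrier(n)          # hold every request after its read until all have read
    racy_ok = fire_parallel(n, lambda: racy.buy_racy(price, credits, gap.wait))

    safe = CreditStore(balance)
    safe_ok = fire_parallel(n, lambda: safe.buy_atomic(price, credits))

    return {
        "racy_accepted": racy_ok, "racy_credits": racy.credits, "racy_balance": racy.balance,
        "atomic_accepted": safe_ok, "atomic_credits": safe.credits, "atomic_balance": safe.balance,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

With $10 on the account and 100 simultaneous $10 purchases, the racy store hands out $1,000 of credits and goes $990 negative, while the atomic store accepts exactly one purchase. The fix is not better input validation but making the check and the deduction a single atomic operation at the database.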


The code is secure, but the logic is stupid.

Example: A shopping site gives you 100 points for signing up. You can redeem 500 points for a $5 gift card.

