This is the story about my fastest Bounty which I got on Hackerone Platform.This happened about 1 year ago ,when I got a Private Invite from Showmax. Program is now Public
Showmax
Showmax is an online subscription video on demand (SVOD) service which launched in South Africa on 19 August 2015.
Vulnerability
So As ususal I started Enumerating the Subdomains And Fired up Sublist3r.I got some domains and started testing them.
One domain that Caught my eye was SSO.showmax.com.
On sso.showmax.com there was only a login form.
When a user entered wrong logins he/she was shown a failure message.This message parameter was vulnerable to XSS and injection issues.
https://sso.showmax.com/auth/failure?message=PAYLOAD&strategy=ldap
TakeAways
~ Test every Parameter you get
Time-Line
May. 9, 2017 → Initial Report Sent on H1
May. 9, 2017 → Triage within 10 mins
May. 9, 2017 → Fixed within 10 mins
May. 9, 2017 → Bounty Awarded