Security bugs aren’t always flashy. Sometimes, you don’t need to pop a shell or find an RCE to make an impact.
Sometimes… all you need is a little curiosity and a lot of recon. This is the story of how I stumbled upon an exposed origin IP at XYZ, India’s largest stock brokerage, and how that led to an unexpected ₹XX,000 bounty — all without writing a single exploit.
☕ It started with a late-night recon session…
Like most bug bounty hunters, I was doing my usual late-night stroll across a domain — XYZ’s public-facing assets.
WAF? Cloudflare.
Endpoints? Mostly locked.
But I had a hunch.
Out came Shodan, my favorite search engine for all the things you shouldn’t see.
One quick dork later:
ssl.cert.subject.cn:"domain.com" 200
And boom — I landed on an IP: 11.1.111.11
An Amazon EC2 instance quietly serving traffic… and not a trace of Cloudflare in sight.
🧠 “Wait… is this really accessible?”
I typed in: https://11.1.111.11/login
It loaded.
No 403. No timeout. Just a clean login page staring right back at me.
I double-checked with tools: no WAF, no CDN headers, and the cert? Signed for domain.com.
Bingo.
🤔 But is it a bypass?
Here’s where it got interesting. XYZ uses Cloudflare for protection — rate limiting, WAF, DDoS, the works.
But this subdomain — sub.domain.com — wasn’t behind it.
At first glance, that might seem like a non-issue. Maybe internal, maybe forgotten.
But to an attacker?
It’s an open door.
Direct origin access means you can:
- Bypass rate limits
- Fuzz without detection
- Brute force at full throttle
- Even launch DDoS attacks — because there’s no shield in place
And it all stems from one thing: security misconfiguration.
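A defender-side audit for exactly this misconfiguration, added here as an example (it is not code from the original post): it checks a zone’s DNS records and the origin firewall allowlist against the CDN edge ranges, and flags a direct response that carries no Cloudflare header. The CDN ranges, hostnames, addresses and headers below are constructed sample values.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of CDN edge ranges. The real Cloudflare list is
# published by Cloudflare and changes over time; fetch it, don't hardcode it.
CDN_RANGES = [
    ipaddress.ip_network("173.245.48.0/20"),
    ipaddress.ip_network("103.21.244.0/22"),
    ipaddress.ip_network("104.16.0.0/13"),
]

# Constructed sample DNS answers: www sits on the CDN, sub points at the origin.
SAMPLE_DNS = {
    "www.domain.com": ["104.16.1.1"],
    "sub.domain.com": ["11.1.111.11"],
}


def is_cdn_ip(ip: str) -> bool:
    """True if the address belongs to one of the CDN edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def exposed_records(dns: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Hostnames whose A records point outside the CDN, i.e. exposed origins."""
    return {host: [a for a in addrs if not is_cdn_ip(a)]
            for host, addrs in dns.items()
            if any(not is_cdn_ip(a) for a in addrs)}


def non_cdn_allowlist(cidrs: List[str]) -> List[str]:
    """Firewall / security-group sources for 443 that are not CDN subnets.

    Anything left here (0.0.0.0/0 is the classic case) lets clients reach the
    origin directly, skipping rate limiting and WAF rules.
    """
    return [c for c in cidrs
            if not any(ipaddress.ip_network(c).subnet_of(n) for n in CDN_RANGES)]


def served_via_cdn(headers: Dict[str, str]) -> bool:
    """Heuristic: responses proxied by Cloudflare carry cf-ray (and usually
    server: cloudflare). A direct hit to the origin IP lacks both."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return "cf-ray" in h or h.get("server") == "cloudflare"


if __name__ == "__main__":
    print("exposed:", exposed_records(SAMPLE_DNS))
    print("open sources:", non_cdn_allowlist(["0.0.0.0/0", "104.16.0.0/13"]))
```

Run the DNS and allowlist checks from a scheduled job over your own zone and security groups; a new entry in either output is the signal to close the origin to non-CDN traffic.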
📬 The response that made me smile
I reported it privately through ComOlho, their bug bounty platform.
Soon after, XYZ got back:
“Hey Swarnim, we discussed this internally… it’s not behind Cloudflare for some internal reasons. But because of your report, we’re now discussing whether to fix it. Please repost publicly — we’ll process your bounty.”
I wasn’t expecting a big payout — just happy they took it seriously.
But then…
₹XX,000 dropped into my account.
No exploit. No shell. Just impact.
💡 What I learned
- Bug bounties aren’t about breaking things — they’re about finding things that are broken.
- Even “boring” bugs matter — origin IP exposure can change the threat model completely.
- If it feels too quiet… dig deeper — sometimes the loudest vulnerabilities whisper.
🚀 To all bug hunters out there…
Don’t chase just the CVEs.
Don’t underestimate the power of recon, curiosity, and context.
This was one IP. One misconfiguration.
And it paid off — literally and figuratively.
Thanks, XYZ. And shoutout to platforms like ComOlho for making security collaborative and rewarding.
Time to go hunting again. 🔍💻
If you liked this story, give it a 👏 and share it with fellow hackers.
Stay safe. Stay curious.
— Swarnim Bandekar