Okay, quick story.
I was doing some bug bounty hunting the other night — nothing serious, just messing around while I had Burp open. I came across a parameter in a POST request: accountID=IN-1. Looked kinda interesting, so I thought why not throw a few payloads at it and see what happens.
So I intercepted the request in Burp Suite and changed the value to
accountID=IN-1'+(select*from(select(sleep(10)))a)+'
Sent it, and boom — the server took like 10 full seconds to respond.
Tried again with sleep(5) → 5 second delay.
Then sent the normal value again → instant response.
Repeated it a few times just to be sure and yeah — this was definitely a time-based blind SQL injection.
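The same sleep()-versus-baseline reasoning used above to confirm the injection is what a defender looks for on the server side. The following Python is an added example, not code from the original post: it runs over a constructed access log (log format, endpoint path and timings are all assumed) and flags delay probes, separating the ones whose extra latency tracks the requested sleep from mere attempts.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed sample log (not from the original post), one request per line:
# "<time> <method> <path> <param>=<urlencoded value> <status> <response_ms>".
SAMPLE_LOG = """\
2024-01-01T22:01:03Z POST /api/account accountID=IN-1 200 118
2024-01-01T22:01:09Z POST /api/account accountID=IN-2 200 131
2024-01-01T22:01:15Z POST /api/account accountID=IN-1'%2B(select*from(select(sleep(10)))a)%2B' 200 10141
2024-01-01T22:01:31Z POST /api/account accountID=IN-1'%2B(select*from(select(sleep(5)))a)%2B' 200 5129
2024-01-01T22:01:40Z POST /api/account accountID=IN-1 200 122
2024-01-01T22:01:47Z POST /api/account accountID=IN-1'%2B(select*from(select(sleep(7)))a)%2B' 200 125
"""

# MySQL/PostgreSQL delay primitives used by blind probes; group 1 = requested seconds.
DELAY_RE = re.compile(r"(?i)\b(?:pg_)?sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)")


def parse_line(line):
    ts, method, path, param, status, ms = line.split()
    name, _, raw = param.partition("=")
    return {"ts": ts, "path": path, "param": name,
            "value": unquote_plus(raw), "status": int(status), "ms": int(ms)}


def analyse(log_text, tolerance=0.25):
    """Flag delay probes; 'executed' when the latency above the endpoint's
    baseline matches the requested sleep within `tolerance`, else 'attempt'."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Baseline latency per endpoint, from requests carrying no delay primitive.
    clean = {}
    for e in entries:
        if not DELAY_RE.search(e["value"]):
            clean.setdefault(e["path"], []).append(e["ms"])
    baseline = {p: statistics.median(v) for p, v in clean.items()}

    findings = []
    for e in entries:
        m = DELAY_RE.search(e["value"])
        if not m:
            continue
        requested_ms = float(m.group(1)) * 1000
        excess = e["ms"] - baseline.get(e["path"], 0)
        # An 'attempt' that produced no delay may have been rejected or filtered;
        # an 'executed' probe means the injected SQL ran and needs an urgent fix.
        verdict = "executed" if abs(excess - requested_ms) <= tolerance * requested_ms else "attempt"
        findings.append({"ts": e["ts"], "param": e["param"], "requested_s": float(m.group(1)),
                         "observed_ms": e["ms"], "baseline_ms": baseline.get(e["path"]),
                         "verdict": verdict})
    return findings
```

Correlating requested and observed delay is what separates a noisy scanner from a confirmed injectable parameter in the triage queue.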
This felt real. Like, not a lab or a CTF — a real SQLi in a live app.
Wrote a proper report:
- What the vulnerable parameter was
- What payload I used
- Screenshot from Burp
- Response time differences
- Potential impact
- Standard fix recommendations
I wasn’t expecting anything huge, just wanted to get one valid submission under my belt.
Couple hours later I get the message:
“Thanks for your submission. This issue has already been reported by another researcher.”
💀
Yep. Duplicate.
No bounty. No swag. Just sadness.
And the kicker? They marked it P1. So yeah… I wasn’t even wrong. Just late.
Still felt like a W.
This was the first time I:
- Found something real
- Confirmed it myself
- Understood the logic
- Used Burp confidently
- And actually got the writeup done right
Sure, someone else reported it first. But I wasn’t just guessing anymore — I knew what I was looking at. That’s progress.
You’re gonna get duplicates. You’ll mess up reports. You’ll stare at the screen wondering if you’re wasting your time.
But every time you find something — even if you don’t get paid — you’re getting sharper.
This wasn’t a bounty, but it felt like a level-up.
That’s it. Just wanted to share.
If you’re learning bug bounty too, let’s connect. Would be cool to chat with others on the same path.
Still chasing my accepted report… soon, hopefully 😄