Hello, my name is Miguel Alves. I’m 21 years old, I’m Portuguese, and I work as a pentester and red teamer. 

Since I was a child, I’ve been hugely curious about the intricacies of how things work. I remember being enthralled by robotics as early as 11. Soon after, I was tearing away at laptops, separating each piece to understand its components. When I was 16, I decided to turn my curiosity into a career and started down the path of hacking. The first vulnerability I ever discovered was on X, formerly known as Twitter.

Unfortunately, the platform did not consider it an impactful discovery. Although this was discouraging, I was not deterred from learning more and mastering my craft. I took a break from bug bounty hunting to focus on improving important hacking fundamentals and to narrow in on my methodology. 

Two months ago, I jumped back into hacking, and I chose to restart my journey on the Bugcrowd Platform because of its active and collaborative community, fair rewards, well-known customers, and unique features, such as Request a Response. Because I took the time to learn and practice new hacking skills, I quickly found my first P1 (critical) vulnerability with Bugcrowd on the Assa Abloy Americas program.

 

The letter of a lifetime

Currently, I hack in my free time, with the purpose of perfecting my skills and deepening my knowledge. My goal is to one day create an effective automated system for finding vulnerabilities and reporting them to the platform. After that, I want to build a solid portfolio of vulnerabilities and establish a reputation as a top hacker. It has always been my dream to be invited to a live hacking event. 

As a big step toward my goal, I recently found a vulnerability on the NASA VDP engagement. If exploited, this vulnerability could have led to a particularly malicious attack through NASA’s website. According to Leslie Cahoon, Agency Vulnerability Management Lead at NASA Headquarters, “NASA works with security researchers to protect our infrastructures and our greater mission to advance space exploration. Security researchers help us by pointing out vulnerabilities that may not have yet been identified, contributing to an improved security posture.”

The vulnerability in question was an open redirect. This bug would have allowed a malicious hacker to redirect an authenticated user of the NASA application to another website. When a malicious hacker uses this technique to redirect a user to another website, that website is usually unsafe in nature. When people or entities experience a phishing attack, session hijacking, or malware attacks, open redirects are often at play.

The open redirect vulnerability I found on NASA was very similar to other bugs I’ve found; it’s a very common bug. Because I had spent a significant amount of time learning and practicing finding common bugs, I was able to swiftly apply a learned technique. It was my first time employing this technique, and I was so excited to see it work and lead to an impactful discovery. 

Shortly after identifying and safely disclosing the vulnerability to the NASA VDP program, I was awarded a recognition letter from NASA showing their appreciation.

 

My methodology

During my analyses, I identified one parameter responsible for redirection. This parameter presented itself in a POST request I had launched. 

I took a number of approaches to testing redirection. Through that, I was able to quickly learn that by altering the GET request while keeping the parameter in the URL, I could manipulate the redirection flow.

Due to privacy and security concerns, I am unable to disclose my work with NASA, but I simulated what occurred during the process of identifying this open redirect vulnerability. 

While I was listing some of the application endpoints, I identified the “url” parameter in a POST /launch request.

 

A simple redirect from a POST request is not generally a hugely impactful vulnerability. I needed something bigger to deliver an impactful finding to NASA. The POST request was in the form of a GET /rocket/new request. From there, I tried to pass the endpoint “url” in the same GET request through a malicious domain, where it was possible to verify that it was being reflected in the same response.

 

When I filled in the form and sent it to the server, it was then possible to confirm that the value entered in the “url” parameter was being included in the application’s POST request, making it possible to redirect the user to the malicious URL. This happened very quickly—as soon as the server responded.

I even tried to increase the criticality by exploring a Reflected XSS in the same parameter, but it wasn’t possible because the input was being filtered by HTML encoding in the backend.
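The simulated flow described above, as an added example that is not the author's or NASA's code: it shows why HTML-encoding the reflected “url” value blocks the XSS attempt yet leaves the redirect intact, next to a handler that accepts only same-site paths. The function names, the `/rocket` fallback and the `attacker.example` values are assumptions made for illustration; only the `/rocket/new` and `/launch` endpoints and the `url` parameter come from the post's simulation.

```python
import html
from urllib.parse import urlsplit

FALLBACK = "/rocket"  # assumed safe landing page, not from the post
ATTACKER = "https://attacker.example/login"  # constructed sample value

def render_new_form(query):
    """GET /rocket/new: copies ?url= into the form, HTML-encoded."""
    value = html.escape(query.get("url", ""), quote=True)
    return ('<form method="POST" action="/launch">'
            f'<input type="hidden" name="url" value="{value}"></form>')

def launch_vulnerable(form):
    """POST /launch as described: redirect to whatever the form carried."""
    return 302, form.get("url", FALLBACK)

def is_local_path(target):
    """Accept only same-site paths such as /rocket/42."""
    if not target.startswith("/") or target.startswith("//"):
        return False  # absolute URL, or scheme-relative //host
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False  # browsers may read \ as /, and drop control chars
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc

def launch_hardened(form):
    """POST /launch with the redirect target validated server-side."""
    target = form.get("url", "")
    return 302, (target if is_local_path(target) else FALLBACK)

if __name__ == "__main__":
    # Encoding neutralises markup but a plain URL passes through unchanged.
    print(render_new_form({"url": '"><script>alert(1)</script>'}))
    print(render_new_form({"url": ATTACKER}))
    print(launch_vulnerable({"url": ATTACKER}))
    print(launch_hardened({"url": ATTACKER}))
    print(launch_hardened({"url": "/rocket/42"}))
```

Output encoding and redirect validation address different sinks: the first protects the HTML context, the second the `Location` header, so the handler needs both.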

 

Future plans

With the discovery of this vulnerability for NASA, I was inspired to explore other similar programs. I noticed a new scope added to the Assa Abloy Americas program, a program I had had my eye on for a bit. It wasn’t long before I found my first P1 vulnerability with this program too.

For so long, I had dreamed of finding a vulnerability for NASA, and I finally achieved that dream this year. With this accomplishment under my belt, I am now working toward numerous other goals. Following my successes with the NASA and Assa Abloy programs, I’m most excited to focus on SpaceX/Starlink. This program piques my interest because of the intriguing work the company does and its potential future developments. I intend to add this program as a potential new target.

 

Concluding thoughts

In my experience, Bugcrowd is an exceptional platform that unites thousands of unique companies from different sectors and offers huge opportunities to hackers. What makes Bugcrowd even more special is the concern each member of the company shows for hackers and the value they place on community feedback. 

It was on the Bugcrowd platform that I found my first bugs, and more recently, acquired my first bounty. I’ve always heard, “The first bounty is never forgotten.” Indeed, being rewarded for my effort and dedication to finding vulnerabilities was an exceptional and unforgettable experience; I’ll never forget how proud I felt.