How Getting Stuck Led Me to a $3,XXX Bounty: The Recon That Almost Meant Nothing

Hi everyone,
I’m Aditya Shende (aka Kong) from India -a bug bounty hunter, biker, and cybersecurity researcher . As July is my birthday month so expect one more good article for your research

You’re reading my 15th article and if you spot a typo… just roll with it. Let’s dive in!

Training people in bug bounty and helping them grow in cybersecurity has been an incredible journey and have trained more than 14,000+ Individuals and I’m proud to say it’s been 6 years of running Kongsec Bug Bounty Training! The bug I’m about to share came from a wild experience. I was walking my students through a recon technique on a small-scope domain with very limited functionality. While demonstrating, I stumbled upon user tokens from a hybrid chatbot. Turns out, I could impersonate users in live chats and after a bit more digging, I was able to access previous chat histories that exposed sensitive KYC info, PII, and even invoices.

Got stuck ?

In this article, I’ll break down how I approached the hunt, what steps I took when I got stuck, and what you should do when your hunt feels like a dead end. And hey if you’re still stuck after this, it probably means it’s time to go back and read a few of my earlier writeups to warm up!

I check following while hunting which is basic what everyone do (I guess)

Here’s a basic outline of what I recommend doing for each single domain during recon. This is not exhaustive, but it covers solid fundamentals:

1. Subdomain Enumeration: Use tools like Subfinder, AltDNS, DNSX, CRT.sh, etc., to gather all associated subdomains.
2. Dorking: Focused only on finding additional subdomains using queries like site:*.*.*domain.com -www

Basic Dork

1. Wayback Data: Tools like Waymore and Waybackurls help pull historical URLs and categorize them (e.g., .js, .xml, .txt) for deeper analysis.

Web archive example for URLs

1. URL Analysis: Feed the main domain into platforms like URLScan and VirusTotal to discover related URLs and artifacts.

1. GitHub Recon: Default recon includes looking for API keys, secrets, and path leaks using GitHub dorks.

1. Trademark Word Checks: Many websites have copyright text in the footer, e.g., "Copyright © 2025 Dell Inc." – use this to pivot searches.

1. Shodan: Use specific queries to find exposed services and ports: (Examples)

• Exposed MongoDB Databases:
  port:27017 country:"YOUR_COUNTRY_CODE"
• Misconfigured Jenkins Instances:
  "http.title:Dashboard" "jenkins country:YOUR_COUNTRY_CODE"
• Unsecured VNC:
  "RFB 003.003" port:5900 country:"YOUR_COUNTRY_CODE"
• Open RDP Services:
  port:3389 country:"YOUR_COUNTRY_CODE"
• Exposed Redis Instances:
  port:6379 country:"YOUR_COUNTRY_CODE"
• Insecure FTP Servers:
  port:21 country:"YOUR_COUNTRY_CODE"

1. Additional Shodan filters to leverage:
   http.component_category, http.component_type, http.headers.server,
   http.headers.www-authenticate, http.status, http.html_hash,
   ssl.cert.subject.common_name, ssl.cert.fingerprint,
   ssl.cert.issuer.common_name, ssl.cert.serial_number,
   ssl.cert.subject.country_name, ssl.cert.subject.organization_name,
   ssl.cert.subject.organizational_unit_name, ssl.cert.validity,
   ssl.chain_count, ssl.cipher.bits, ssl.cipher.name,
   ssl.cipher.version, ssl.get.version, ssl.has.rc4,
   filename:exports, ssl.heartbleed.status, ssl.protocol, ssl.version
2. JavaScript Recon (Nuclei): Filter .js files from Wayback results using httpx -ct | grep /javascript, then run Nuclei with the exposures tag to find secrets or key leaks.
3. Subdomain Filtering: I prioritize checking subdomains that return HTTP status codes 404, 403, 401, 301, 302 before moving to 200 OK ones. Most of time domain which shows 401,403 can be used for dorking to get exposed data — site:*.cdn.domain.com -www
4. CDN/Cloud Asset Recon: For third-party hosted content, try dorks like:
   site:s3.amazonaws.com ext:pdf "Company Name" "IBAN"
   The more specific words you add, the better the results.

1. Burp Proxy Domains: Don’t just stick to the scope filter in Burp. Monitor all traffic — sometimes you’ll catch unknown domains not found through tools.

Example : Do not filter “Only in scope items” You will get gems

1. Parameter Discovery: Use JSminer, ParamMiner, and GAP to discover hidden or interesting parameters.
2. Postman Recon: Look for public Postman workspaces with exposed variables or credentials that can be misused.

1. Fuzzing: Do recursive fuzzing especially on subdomains responding with 301 and 302 status codes.
2. Tech Stack Awareness: Understand the backend stack. If it’s using ASPX or a specific framework, tailor your wordlists and attacks accordingly. Avoid using random wordlists.

1. Netlify Nuclei Templates (Low Priority): Use the Nuclei Netlify UI to filter and run specific tech-stack focused templates (e.g., Wordpress) to map easier attack vectors.

Hack what you know and this is a basic process to understand your target. The one should spend more time in Recon where you will be confident about target more than its employee

Even after all that effort, nothing major landed on my plate. But I did collect some useful stuff — tokens, React keys, secrets, map API keys, API endpoints, base URLs, and more.

At first, it felt overwhelming. There was so much data, and digging through random API documentation just added to the confusion — no working curl commands, no solid exploits. But here’s the thing: always save that data. It might not click now, but one random night, you might just wake up with an idea, it works. Happens more often than you’d think. Following was the data what I was able to gather and some tokens were (They are so guessable that you will find it easily so masked it). But again no idea where to use so as usual I started relying on burpsuite active scan .

I started looking for filters in burpsuite sitemap and I did not changed the filter for “Only in Scope Items” and one domain caught my mind which was bit similar to amazonaws domain which I found in recon but this with with some weird response which was saying it works on WSS and some basics

Small scope usual and some other domains which are not aim

Then I started checking WSS logs in burp and found the following

/PROD?token=V

And then I started reminding things which I got in recon and same domain which was exposing some detail like this ->

I added all token , secret which I found in recon to check if it responds or not and then I got access to previous chats , current chats , Invoice ID and it values and data

I began exchanging tokens and accessing previous chat sessions, which made it clear that anyone using this chatbot was vulnerable to this specific attack path. I scaled the testing across multiple instances, reached out for permission to report it legally and it paid off with a solid bounty.

I mentioned $3,XXX specifically because this was one of the highest rewards I’ve received for a single issue.

Thanks for reading stay tuned for my birthday article dropping this July!