Introduction

HackerOne organizes this yearly team-based live hacking event where hackers from all around the world team up based on their locality and compete against each other. This year they organized the third edition of the Ambassador World Cup.

The targets for this event were Amazon, SuperBet, and Mercado Libre. The qualifier round of this event lasted from May 28, 2024, to June 7, 2024.

Luck favors those who keep fucking around

I was in team India 5. Luckily, I, Mukul (@itz_mg_) and Burhan (@burhan__xd) were already hacking on Amazon and Mukul had already found some really impactful bugs on it. Mukul and I were on the same team, and we were really happy that we got the same target in this event.

Mukul, with his exceptional asset discovery skills, suggested some good sub-domains for me to focus on. I started hunting on them, and they really looked promising. I found some informational issues that could have been chained with other bugs to increase the impact, but somehow things were not clicking for me. Although the application looked vulnerable, I couldn’t find anything on it. I tried finding some auth issues, but I kept on failing. This was getting really frustrating as I have a job and knew that I wouldn’t be able to spend a lot of time on this. So, all I had was the weekend to push as much as I could and find something substantial. Finding surface-level bugs was difficult, and it was a bit time-consuming to get to deeper level features. So, I changed my strategy.

Go Big or Go Home

I decided to focus on something that could be of critical impact because I didn’t have a lot of time left. So, I started focusing on the Login With Amazon functionality. This is similar to any OAuth functionality that you might have encountered in the wild. Amazon provides a similar functionality where its various products can use amazon.com as an Authorization server to authorize clients on its behalf. This is used in a lot of their products, like amazon.jobs. I started reading whatever docs I could find for this functionality and started experimenting with this on my test accounts. On the side, I was also reading this gold mine for OAuth issues by @fransrosen. I tried to replicate every attack vector mentioned in the blog, but I failed miserably. By Sunday evening, I was quite disappointed. I really wanted to submit some bugs but couldn’t find anything. This really impacted my motivation.

Reflection: What went wrong?

So, what went wrong? There are multiple areas that I can focus on and improve.

  • The most important thing, according to me, is having a strong work ethic to sit down and hack with complete focus. I have found this to be hard for me. I am easily distracted, which made the limited time I had even less.
  • Be more persistent. When I hit a dead end, it really demotivates me. I give up easily and switch to other stuff. But I think this mentality is wrong. I lack the obsessive mentality some hackers have because they are naturally very curious. I am not someone who is very curious, but I think I can work on it and improve it. All I need to do is be in that frame of mind for so long that it becomes natural to me. This is only possible when I put in the hours every day without thinking about the results.