Security researcher Hamza Avvan, while scrolling Twitter, came across a motivational tweet that inspired him to do some bug bounty hunting. He logged into his Bugcrowd account, looked for a target that matched his skills, and settled on one on which he had already found bugs earlier.
He first tried a straightforward open redirect, but the server answered with a 404 error page, apparently because it had detected a foreign domain in the continue_url parameter. Knowing that the application ran on Java and being familiar with HTTP parameter pollution (HPP), he sent the same parameter twice in a single URL. To his surprise, the server validated only the first occurrence and did not validate the second, yet redirected him to the URL given in the second occurrence without any restriction. This is the classic HPP condition: which occurrence of a repeated parameter a given component reads is implementation-specific (in the Java Servlet API, getParameter returns the first value, while other code paths may read all values or the last one), so a validator and the code that actually uses the value can end up looking at different copies of the same parameter.
The researcher believes this was possible either because the developers did not consider this scenario when writing the code or because they were unaware of how Java handles multiple parameters with the same name. In practice the flaw lets anyone override a validated parameter value simply by supplying a duplicate of it.
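The bypass described above, reconstructed as an added example (this is illustrative code, not the target's code or anything from the researcher's report): a vulnerable handler that validates the first continue_url occurrence but redirects to the last, the hardened version that refuses duplicated parameters and validates exactly the value it uses, and a helper that produces both orderings a tester should send, since which occurrence wins depends on the parsing layer. The allowed host example.com, the attacker host attacker.example, and the validate-first / redirect-last layout are assumptions chosen to model the behaviour the page describes.

```python
from urllib.parse import urlsplit, parse_qsl

ALLOWED_HOST = "example.com"  # hypothetical first-party host


def is_same_site(url: str) -> bool:
    """Allow only relative paths or absolute http(s) URLs on the first-party host.
    Protocol-relative URLs such as //attacker.example/ are rejected because
    urlsplit reports them with an empty scheme but a non-empty netloc."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname == ALLOWED_HOST


def vulnerable_redirect(query: str):
    """Model of the flawed handler (assumed layout): the validation layer reads the
    FIRST continue_url occurrence, as Java's getParameter would, while the redirect
    is built from the LAST occurrence, so a second copy of the parameter bypasses
    the check. Returns (status, location)."""
    pairs = parse_qsl(query, keep_blank_values=True)
    values = [v for k, v in pairs if k == "continue_url"]
    if not values:
        return 404, None
    if not is_same_site(values[0]):      # only the first occurrence is validated
        return 404, None                 # the page reports a 404 on rejected hosts
    return 302, values[-1]               # but the last occurrence is followed


def hardened_redirect(query: str):
    """Fix: reject a repeated parameter outright and validate the exact value that
    is then used for the redirect, so every code path sees the same string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    values = [v for k, v in pairs if k == "continue_url"]
    if len(values) != 1:
        return 400, None                 # duplicated (or missing) parameter
    target = values[0]
    if not is_same_site(target):
        return 404, None
    return 302, target


def pollution_variants(param: str, allowed: str, payload: str):
    """Both orderings a tester should try: a layer may honour the first or the
    last occurrence, and the two layers involved may disagree."""
    return [
        f"{param}={allowed}&{param}={payload}",
        f"{param}={payload}&{param}={allowed}",
    ]


if __name__ == "__main__":
    # Constructed probe values, not captured traffic.
    for q in pollution_variants("continue_url", "/account", "https://attacker.example/"):
        print(q, "->", vulnerable_redirect(q), "| hardened:", hardened_redirect(q))
```

The important property of the hardened handler is not the duplicate check alone but that validation and use operate on one and the same value; rejecting duplicates just removes the ambiguity before it can matter.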
With the bypass in hand he completed the attack, obtained user details, built a proof of concept (PoC), and submitted it to the program, which triaged the report and awarded him $1,250. It was his first bug bounty of 2021.