My first Critical on hackerone with a $6,400 bounty — SQL Injection

Tengku Arya Saputra
3 min readAug 12


Photo by pentest-tools

Hello everyone, introduce my name is Tengku Arya Saputra(Follow my Linkedin) on this occasion I will tell you how I found a security hole with a very critical vulnerability level on one of the bug bounty platforms HackerOne.

in the bug bounty program owned by a security company ****, I found it on the cloud subdomain, which is the most important domain on the company’s website, with which I was rewarded $6,400 by *****.

The first step I did was try to visit the link https://cloud.****/ after that because I did not have access to login I would register on the SignUp page.

The next step I registered by registering my email address [username]

After successful registration I was directed to fill in the information as shown below

after completing the filling, I pressed the next button and saw the data recorded from burpsuite.

I am interested in the endpoint https://cloud.****/****/****/****/dnt?level=standard&region=gcp-us-central1 after that I tried to connect it with the repeater menu on brupsuite, in the picture below it can be seen when I send a request to the server it looks normal

but the response changes when I give a single quote on the region paramater will display the server response which is 500 internal server error, can be seen in the image below

Here I use the SQLmap automated tool to make it easier to bypass the server information dmns back-end DBMS: ****.


An attacker can manipulate the SQL statements that are sent to the PostgreSQL database and inject malicious SQL statements. The attacker is able to change the logic of SQL statements executed against the database.


Report — July 26, 2023

Change To Triaged — July 27, 2023

Respond Staff **** — 1 Agust, 2023

Retesting a bonus — 2 Agust, 2023

Reward Bounty — 8 Agust, 2023

Resolved — 8 Agust, 2023



Tengku Arya Saputra

Penetration Tester || Cyber Security Analyst || Cyber Security Enthusiast