How I Found a Vulnerability in Paytm and Received a Bounty
Hello everyone, this is Umair Farooqui with a new write-up about how I found a significant security issue on the Paytm platform, which in turn earned me a bounty of 13,000 INR and an appreciation letter from the company. Here is my adventure, step by step.
Enumeration of Domains
Starting with the enumeration phase, I did in-scope domain enumeration for Paytm using Subfinder and Assetfinder, and came across:
https://ondc-seller-reg.paytm.com/login
Prototype 1
The API responses kept coming back in JSON format. However, placing unexpected special characters and certain byte sequences in the ref_url parameter changed the API's response: the value was now reflected in plain text rather than in JSON.
Preparing the Attack
Noticing this potential weak spot, I went to the PortSwigger XSS Cheat Sheet, copied all of the payloads listed there, pasted them into Burp Suite's Intruder, and set the insertion position for where to inject them.
When I launched the attack, some of the responses came back in HTML format. Initially, after trying many payloads, I was not able to bypass the firewall.
This is the Burp request I eventually settled on:
POST /login HTTP/2
Host: ondc-seller-reg.paytm.com
Referer: https://ondc-seller-reg.paytm.com/
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Length: 222
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
ref_url=1<h1>A new offer from paytm make a payment of $200 to 100%25 win brand new car <a href=https://poc.umarifarooqui.com>Make%20Payment</a></h1><img src=https://poc.umairfarooqui.com/hacker.jpg><!--
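The root cause described above is a response whose content type depends on user input: a JSON endpoint that, on the error path, falls back to reflecting the raw ref_url value in a text/HTML body. Below is an added, hypothetical model of such a /login handler alongside a hardened version; it is not Paytm's code, and the handler names, the allowed origin and the sample payload are constructed assumptions. The hardened version keeps the content type fixed, sets nosniff, escapes HTML metacharacters inside the JSON, and validates ref_url as a same-origin target instead of echoing whatever was sent.

```javascript
// Added, hypothetical example (not Paytm's code): a minimal model of a /login
// endpoint that reflects the ref_url parameter. ALLOWED_ORIGIN and the sample
// payload are constructed placeholders.

const ALLOWED_ORIGIN = "https://example-seller.invalid"; // constructed placeholder

// Vulnerable: when ref_url contains characters outside the expected set, the
// legacy error path switches to text/html and echoes the raw value verbatim.
// Any tag in the parameter is then rendered by the browser.
function vulnerableLoginResponse(refUrl) {
  const looksSafe = /^[A-Za-z0-9_\-./:?=&%]*$/.test(refUrl);
  if (looksSafe) {
    return {
      status: 200,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ ok: true, ref_url: refUrl }),
    };
  }
  // Failure path: content type changes and untrusted input is reflected.
  return {
    status: 400,
    headers: { "Content-Type": "text/html" },
    body: "Invalid ref_url: " + refUrl,
  };
}

// JSON.stringify does not escape < > &; encode them as \uXXXX so that even a
// client that wrongly treats the body as HTML sees no markup.
function safeJsonStringify(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// Accept only a conservative character set, then require the resolved URL to
// be same-origin over https. Anything else is rejected, never reflected.
function validateRefUrl(refUrl) {
  if (typeof refUrl !== "string" || refUrl.length > 2048) return null;
  if (!/^[A-Za-z0-9_\-./?=&%:]*$/.test(refUrl)) return null;
  let parsed;
  try {
    parsed = new URL(refUrl, ALLOWED_ORIGIN); // relative paths resolve against our origin
  } catch {
    return null;
  }
  if (parsed.origin !== ALLOWED_ORIGIN || parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Hardened: the content type never depends on input, error bodies stay JSON,
// nosniff prevents MIME sniffing, and the rejected value is not echoed back.
function hardenedLoginResponse(refUrl) {
  const headers = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
  const target = validateRefUrl(refUrl);
  if (target === null) {
    return { status: 400, headers, body: safeJsonStringify({ ok: false, error: "invalid ref_url" }) };
  }
  return { status: 200, headers, body: safeJsonStringify({ ok: true, ref_url: target }) };
}

// Constructed sample input with the same shape as the reflected payload above
// (an opening tag followed by an HTML comment opener).
const SAMPLE_PAYLOAD = "1<h1>hello</h1><!--";

console.log(vulnerableLoginResponse(SAMPLE_PAYLOAD));
console.log(hardenedLoginResponse(SAMPLE_PAYLOAD));
console.log(hardenedLoginResponse("/dashboard"));
```

Running it shows the vulnerable handler answering the sample payload with a text/html body containing the injected tag, while the hardened handler returns a fixed JSON error for it, and only a same-origin path such as /dashboard is accepted; protocol-relative and cross-origin values are rejected the same way.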
Reporting the Vulnerability
Seeing that it was quite an easy vulnerability to find and had not taken much time, I realized it might already have been reported as a duplicate. Not wanting to waste more time, I reported the vulnerability to Paytm right away. Shortly afterwards, I got an email from the team acknowledging the report. They said that because so many reports were coming in, any duplicate or out-of-scope reports would be closed automatically without notification.
Proof of Concept (POC):
https://poc.umairfarooqui.com/paytm.html
Note: visiting this POC URL sends a request to Paytm carrying the payload and pops up an HTML-injected message. This has since been patched, so it will now show no message.
YouTube Video: POC Video
Waiting for Response
I waited out the usual seven-day period but got no response from Paytm. Assuming the issue was being ignored or had been marked as a duplicate, I moved on.
Favorable Response
A week or so later, I was pleasantly surprised to receive an email from Paytm. They finally confirmed that the issue I had reported was genuine and that they were working on a fix.
Further Testing
Encouraged by this response, I went further with my testing and threw several WAF-bypass XSS payloads at the firewall. Eventually, one of them got through and I could trigger the XSS.
Final Report and Reward
I updated the ticket with the details of the new XSS vulnerability. After reviewing them, Paytm rewarded me with 13,000 INR and sent me an appreciation letter for responsible disclosure.
Here is the appreciation certificate that I received:
Overall, this has been one of the most significant learning experiences of my journey as a security researcher; it underlined the importance of thorough testing and responsible disclosure. I thank Paytm for their professional response and acknowledgment. This journey has been enriching, both intellectually and financially. Thank you for reading; if you have comments or questions, feel free to ask. Here's to continued discovery and to making the digital world a more secure place!