How To own Hackerone Hacktivity page and earn new badge [NotFixed]



Automation is one of the most useful methods for performing some undesired actions or pentesting a web application; it is relaxing to sit back and watch a bot take actions on your behalf. This article shows how to perform automation by explaining the one performed on HackerOne at the beginning of September.

Before anything else: if you think this may waste your time or you are not interested in reading more, you can simply download the script and run the following command to vote up your reports:

python download yourreport_id

Hi,
To those who know and those who do not: I think nobody dislikes automation. I will talk about it and explain in detail how I controlled the hacktivity page on HackerOne and made the OLX reports the most popular, with the highest number of votes, using 1k bots.

What is automation ?

First, what comes to mind when you hear 'manually'? It means done by human hands, right?
So automation is these same actions performed not by humans but by bots, robots, computers or zombies.
According to Wikipedia, automation is the use of various control systems for operating equipment such as machinery, processes in factories, boilers and heat treating ovens, switching on telephone networks, steering and stabilization of ships, aircraft and other applications with minimal or reduced human intervention. Some processes have been completely automated.

We will focus on our main point: automation of web services.

So if you want to automate a web application, what does that depend on?
The main factor in automating a web application is rate limiting: if a website does not implement a rate limit, you can automate it easily. There are other factors, but they can be bypassed.


– Understanding how the target works.
– Specifying the action you want to make.
– A technique to use to make some undesired actions.
– Bypassing baffles like CSRF, session and rate limit, if they exist.
– Some bots (optional, depending on the target and the action required).
– An automation tool, or programming knowledge.


Let's get into our example. HackerOne is the most popular bug bounty platform. I scanned their website and, I admit, could not find anything interesting, so I decided to play with their system and found many weaknesses by chance.

Earlier, I had requested to disclose a bug that was resolved by OLX; they agreed to disclose it publicly, and I decided to make it the most popular report, so I began investigating what I needed to do that.

Understanding How hackerone works

1- I scanned HackerOne many times and found nothing; they are protected against common issues like XSS, SQLi and RCE. On 25 August I discovered that HackerOne already protects against CSRF, but fortunately their tokens are not 100% secure: they considered their users, but did not consider their system.

What do I need and what should I do?
My main goal is to increase the votes on a certain report. Their hacktivity page has two tabs: the main one is popular reports and the second is the newest reports.
I need more accounts to vote; it is hard, if not impossible, to do this manually. I started by creating a new account, intercepted the request and found that it could be used to create an unlimited number of accounts.

We need about 500 IDs, because the most popular report on HackerOne is an RCE found on Pornhub with 280 votes, so we just need 282; but HackerOne considers other factors like date of disclosure and bounty, so I decided that 1K is good enough. Then we need to make these bots vote on the required report, so I need to understand the login process and the POST request submissions that make a real action, in order to program my bots to perform the same processes.

Bypassing baffles
HackerOne does not prevent users from registering multiple times; anyone can own a huge number of registered accounts.
No rate limiting was performed by HackerOne, so this will not stop us.

Creating bots

HackerOne allows any email address in the registration process, which lets me use disposable mail like YOPmail. My friend Saeed Hashem suggested using email aliases: that means you can use [email protected] to register the first account and then add a single dot or a plus to the email, and HackerOne will consider it a different email, so you can register a new account with the same mailbox by using a dot or plus alias. Anyway, I used YOPmail and I have my reasons.
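The dot and plus alias trick above is exactly what a registration check should collapse before comparing addresses. Here is an added example, not from the post and not HackerOne's code, that canonicalizes an address and also flags a disposable-mail domain; the provider lists are assumptions you would extend from your own data:

```python
# Domains whose mailboxes ignore dots in the local part and "+tag" suffixes.
# gmail.com is the provider the alias trick above relies on (assumed list).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Disposable providers; yopmail.com is the one named in the post (assumed list).
DISPOSABLE = {"yopmail.com"}


def canonicalize_email(addr):
    """Map every alias of one mailbox to a single canonical form.

    Returns (canonical_address, is_disposable). The "+tag" is stripped for all
    domains (sub-addressing is common); dots are stripped only for providers
    known to ignore them, so j.doe@example.org stays distinct from jdoe@.
    """
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % addr)
    local = local.split("+", 1)[0]
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return local + "@" + domain, domain in DISPOSABLE


def distinct_mailboxes(addresses):
    """How many real mailboxes a list of registration emails maps to."""
    return len({canonicalize_email(a)[0] for a in addresses})


def check_registration(addr, existing):
    """Decide whether a sign-up is allowed. `existing` is the set of canonical
    addresses already registered (updated in place). Returns (allowed, reason)."""
    canon, disposable = canonicalize_email(addr)
    if disposable:
        return False, "disposable domain"
    if canon in existing:
        return False, "alias of existing account " + canon
    existing.add(canon)
    return True, "ok"
```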

Start attack
Once you have understood the target and how it works, specified an action, created some bots and prepared your tool, you can start the attack.

Let’s Begin

The first step I made was to create the bots first. I must tell you this was a mistake, because you might spend hours and wear out your connection creating bots, manually or automated, and then find that the real actions are limited and cannot be automated. Fortunately I was lucky: there were no limits and my attack was possible.

I navigated to the registration page on HackerOne, filled in my details, submitted the form and intercepted the request:


[code lang="html"]
POST /users HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRF-Token: oueE yECJPxFdAPJA8d70WvAfz0NoITWJ/RlQN Sg2sZBkKpnvDLtf8rIaTq09DTAOBHNxB61sHFWnVQ/ruenQ==
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 189
Cookie: __cfduid=d7742669d928f93669b15d43eac71c1f71473642918; __Host-session=NDlwM2FPZmp3aCtJbVJ3Vy9zK3VmQUVodGt6VStuTXVodk80WjVmMFlPV2FUS3RpL3cxRVFTT0VlVzdYMERWaVE2MENwdHkvbW8vT0JwNjZoeUYzYkEyUHFPU0g4ZDdINjBWdU9RQ1pYY1V4RlB2MzVjVWRsWVRYSXloSXFmdHhQVUtYeU9od0hhTFF6NGMvek5UR3p2aFZqVldEZ0dDRkFqMzRkeWxpT0lkODYyS0Y0Rk5RbkpsNVExcXhyVEFzLS1WWWZhenJKbldVNjh3RmpkMjdHenVBPT0=–ebbc2bea1b093f0d24bff6f257b7ce5a38460f44; _ga=GA1.2.1002285040.1473642950; _gat=1
Connection: close

user[name]=thisismyname&user[username]=thisisusernamex&user[email][email protected]&user[password][email protected]#QWE&user[password_confirmation][email protected]#QWE
[/code]


And the response was:


[code lang="html"]
HTTP/1.1 200 OK
Date: Mon, 12 Sep 2016 01:22:01 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 46
Set-Cookie: __Host-session=blah
Connection: close
[/code]




Now we have created an account with username=thisismynamexx and [email protected].
So to create a new account you only have to change the username and email, regardless of the other parameters. I did it immediately and it was accepted.
It is very cool: you can set up Burp Intruder, tell it to change the username and email, and make more than 5 IDs/sec. Let's do it:

We got a problem: an internal server error occurred. This is not a rate limit; it is due to too many requests at the same time, like a race condition. We should sleep a little after each request. It is not a big problem, but we cannot handle it using Burp, so let's do it in Python:


[code language="python"]
import requests, time

# disable the SSL warnings urllib3 prints when verify=False is used
requests.packages.urllib3.disable_warnings()

_headers_ = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:47.0) Gecko/20100101 Firefox/47.0",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Referer": "",
    "Cookie": "__cfduid=d1cdfc0b504bd870dc94c5509a2f41bd71472917466; _ga=GA1.2.1635264352.1472917475; __Host-session=anhEcDkzOVVwYWxDL2pVSTJ3NTZWeHFVUzhTTzVHbDNzK1lQUWl3eG53Q0xyNHdLY3Y5aHJsQnl4VUNtSjI4OWx6bFozRDZDcFBRQVlXdjBsMXpaUEFNR3ZpTFV6c1NVU2s0TnBvMFhVZTAxWEVyUXVQT2FDSExUNjFZQW16UG1IWWlxaE9Zd0h1SFNmKytFWW52eG81N0xqWTh1QW16bS9leThwME1sQXllWE00bHJCN2NqNTlMN3pWckN2eXFULS1qcFJoTW1SSVF6VkVVQXllT1QwUy93PT0%3D–94bd223fffd82f1c61b2d03cc2f0be5ac1f3b93a; _gat=1"}

_url_ = ''  # the registration URL; left blank in the original post
# now we have the headers

okbody = ''  # fragment the response body contains on success; value not given in the post

for i in range(0, 1000):
    username = 'thisisusername' + str(i)  # i changes the username on every loop
    pas = '[email protected]#QWE'
    # the post obfuscates the address; the text says YOPmail was used (assumed)
    email = username + '@yopmail.com'
    data = {'user[name]': 'thisismyname', 'user[username]': username,
            'user[email]': email, 'user[password]': pas,
            'user[password_confirmation]': pas}
    isregistered = False  # retry the same username until it is registered
    while isregistered == False:
        r = requests.post(_url_, headers=_headers_, data=data, verify=False)
        if okbody in r.text:
            print('success ' + username)
            isregistered = True
            time.sleep(2)  # pause to avoid internal server errors
        else:
            time.sleep(5)  # registration failed; wait and retry
[/code]


Let's explain the code:
1- We import the requests module, an amazing module for HTTP.
2- Disabling warnings.
3- We collected all the headers in a dictionary.
4- The URL we used for registering.
5- If registration succeeded, the response body will contain this value.
6- Begin the loop to create 1000 accounts.
7- Building the username we will use; every loop i increases and changes the username. pas is the password.
8- data is the request body we will send in the request; the email is built using [email protected].
9- This variable helps to retry if a registration failed once, and makes sure all i values are used and all IDs are registered successfully.
10- Starting the condition to make sure the registration succeeded.
11- Sending the request.
12- Check if the response body contains the 'successful registration' message.
13- If registration succeeded it will continue registering; if it failed, it will wait 5 seconds and retry with the same username.
14- When registration succeeds it waits 2 seconds to prevent internal server errors.

It is OK, now we have registered the bots, but HackerOne asks for activation, so we need to go to YOPmail and start clicking all the links associated with each account we registered.

I had already created more than 1200 IDs and activated all of them. I did not try to automate this process because YOPmail implements a security captcha; even using it manually I was blocked sometimes, but with a little research I found it could be automated :D.

You have your army now: you created your bots and activated them. Let's kill some.

Before launching the bots we need to program them to perform some undesired actions, so you need to understand how HackerOne works: we need to simulate the login process first and discover how a real action is made.

The first thing is to clear all your cookies, log in, perform some actions and watch what happens and how it is done.

First I requested the login page, then filled in my credentials and submitted the request. HackerOne logged me in and redirected me to the hacktivity page, and finally I voted for a random report.
You see many requests; we only care about the login requests and the voting request.

Most of these requests are not valuable; we need the most interesting requests to ask the bots to do the same. After reviewing the requests, I kept these:

I cleared my cookies many times and retried the same process; every time I deleted one of these 6 requests, it failed, so all of them are required except the last one, which is the real action: you can replace it with any other action, since it uses the CSRF token.

By analyzing these requests from the last to the first, I discovered the following:

1- The last action, 'voting', is made using the CSRF token sent in the response to request 4 and the session cookie value sent to request 5.
2- Request 5 asks HackerOne to send a valid CSRF token for a real action, using the session cookie value sent to request 4.
3- Request 4 initializes the session, using the cookie sent to request 3.
4- Request 3 checks whether the user credentials are valid, using the cookies sent to request 2.
5- Request 2 asks HackerOne to start the login process, using the first cookies.
6- Request 1 is made with no cookies, specifically to get the first cookies from HackerOne.

So our scenario for the bots:
1- We send an empty request to ask HackerOne for some cookies [GET].
2- Using these cookies, we request the login process [GET].
3- Sending the bot username and password with the cookie sent in stage 2 [POST].
4- Resending the username and password with the cookie sent in stage 3 [POST].
5- Asking HackerOne for a real-action CSRF token [GET] with the cookie sent in stage 4.
6- Using the CSRF token and the last cookies sent, perform any real action, like voting or submitting random reports.

We have the bots now, and we have the scenario:

##Using this will allow you to:
– Make your own report the most popular one.
– Get the badge for the most popular report on feeds [you should have at least one report].

I ran my script twice and it was noticed by all HackerOne users and the H1 team, so they had to clean up what I did. The first time I made the OLX reports the most popular and H1 dropped about 1200 valid IDs; the second time, with the Yelp reports, they quickly dropped about 800 IDs. Do not worry: making bots is easier than you think.
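The cleanup described above shows the platform could tell bot votes apart from real ones. As an added example, not the post's script and not HackerOne's detection, here is one heuristic for that: flag a report when most of the votes it receives inside a short window come from accounts created only days earlier. The log lines are constructed and the thresholds are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one vote per line:
# <vote time> <account> <account creation time> <report id>
VOTE_LOG = """\
2016-09-12T02:00:01 alice 2015-03-01T00:00:00 R100
2016-09-12T02:00:05 bob 2014-07-19T00:00:00 R100
2016-09-12T02:00:07 bot001 2016-09-11T20:00:00 R200
2016-09-12T02:00:09 bot002 2016-09-11T20:00:02 R200
2016-09-12T02:00:11 bot003 2016-09-11T20:00:04 R200
2016-09-12T02:00:13 bot004 2016-09-11T20:00:06 R200
2016-09-12T02:00:15 carol 2013-01-05T00:00:00 R200
2016-09-12T02:00:20 bot005 2016-09-11T20:00:08 R200
"""


def parse_votes(text):
    """Turn the log into (vote_time, account, created_at, report) tuples."""
    votes = []
    for line in text.splitlines():
        ts, acct, created, report = line.split()
        votes.append((datetime.fromisoformat(ts), acct,
                      datetime.fromisoformat(created), report))
    return votes


def suspicious_reports(votes, max_age_days=7, min_votes=5,
                       min_fresh_ratio=0.6, window_minutes=60):
    """Return {report: (fresh_votes, total_votes)} for every report whose
    busiest window holds at least min_votes votes, of which at least
    min_fresh_ratio come from accounts younger than max_age_days."""
    by_report = defaultdict(list)
    for ts, acct, created, report in votes:
        is_fresh = ts - created <= timedelta(days=max_age_days)
        by_report[report].append((ts, is_fresh))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for report, events in by_report.items():
        events.sort()
        best = (0, 0)  # (fresh votes, total votes) of the worst window seen
        for i, (start, _) in enumerate(events):
            in_win = [fresh for ts, fresh in events[i:] if ts - start <= window]
            if sum(in_win) > best[0]:
                best = (sum(in_win), len(in_win))
        fresh_count, total = best
        if total >= min_votes and fresh_count / total >= min_fresh_ratio:
            flagged[report] = (fresh_count, total)
    return flagged
```

Accounts flagged this way can then be held back from the popularity ranking until they are reviewed, which is the visible effect the post describes.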

##Automation Process
– Making bots

1- Register a Gmail address with a length of 30 chars [the max length]: the longer it is, the more bots will be generated.

2- Extend bots: it is time to use Saeed Hashem's trick.
We have the following script:

Run it
and insert the Gmail address you have just made.
The script will output more than 400 Gmail aliases; copy these IDs and save them to myids.txt.

Now it is time to register all these Gmail addresses.
We will use this script:
Run it.
Hit enter for next, next; choose 'from file' and enter 'myids.txt', the file you created,
and choose a password or hit enter for the default one.

The script will now register all these IDs and save the output to input_.txt (whatever the name, remember that the file containing the IDs should be in the following format)

so we can get the valid IDs easily.

Now we need to activate all these emails. I did not try to automate it; playing with YOPmail is hard due to reCAPTCHA, and I did not try it with Google, so I will do it manually.

Log in to the Gmail account you just used.

You will find more than 400 activation messages.


1- Open the first 100 messages.
2- Activating a HackerOne ID is so simple: you just need to GET /the_activation_url, without any cookie, session, login, password, blah; just click the link and close it once it has loaded, even if you are logged in with another account.
3- Then delete the message from Gmail; make sure you do not delete all 100 messages.

4- Do the same with the next one.
5- Deleting a message every time decreases the 100 messages by one, so you know which links you have clicked and avoid duplicates.

Now the bots are ready; remember the file we saved the id:password pairs to.

Launch the bots and enjoy:
python your_file Your_report

Get The Badge 😀

