My first Critical Bug

• Hello everyone this is my first writeup in medium.
• I am a cyber security student.
• I like to learn new things in cybersecurity field, and want to improve myself everyday.
• I recently participated in Bug Bounty Programs
  I usually forget to look at the scope of program 😅,because of which all the vulnerabilities I report to program was considered not applicable 💔.
• Recently I enrolled in a program(example.com),and I started my usual path of finding subdomains and if I find some interesting domain,then I will do directory brute forcing on it.
• Then, I found example.com/admin directory and I saw a login page.
• I used default credentials to login into it and it was not successful.
• Then, I looked into the source code and then I did not get anything useful until i noticed javascript file link in the bottom of source code.
• It was like example.com/admin/xyz/jQuery.js.
  There was no useful information there , but then I tried to move one directory back (example.com/admin/xyz), and it was 403 page.
• I moved another directory back(example.com/admin), and I saw the dashboard.
• I was admin, even without logging in as one.
• If I directly try to access example.com/admin, it asked for a password, but, if I repeated the previous steps,it did work and I was admin again.
• I did not know why it was happening, and I reported it to program.
• It was my first Critical bug, and I was excited.
• As usual, it was out of scope, and it was tagged as not applicable:-):-).
• I decided to not repeat this anymore, and will find more bugs in future.
• If you know why the application behaved in this way, and why did this security flaw happened, or if you want to contact me,

Ping me here http://twitter.com/abhishek3141Pie