NOTE: The company’s policy states that a researcher can only go to the minimal amount of testing required to prove that a vulnerability, so I don’t want to try accessing the passwd file or any other sensitive file that isn’t already public. I also tried example.com/dir1/dir2?nextPage=google.com but it seems to check if the URL is local so that doesn’t work. Would what I found be considered directory traversal?
I don’t see why you accessing a restricted resource would be bad. Deleting resources, modifying them, posting them publicly, etc… Would be be bad. What the company means is that once you find out that you can indeed get a restricted resource, then you should stop and not keep exploring or cause damage. In your case, you haven’t even gotten a restricted resource yet.
I think you’re on the right track with your mindset in where to search, but I believe what they mean by “minimal amount of testing” refers to things like RCE. If you prove you can get RCE, you shouldn’t get a reverse shell on the system and pivot internally, dump sensitive information, etc. It’s more obvious things, but just doing ../../../etc/passwd is not considered going too far. I’ve seen dozens of reports that proved they can access /etc/passwd and never have I seen a company get upset over it or claimed that a researcher went too far. Have you tried other things like LFI, RFI, or SSRF? Anytime you see a next, page, nextPage parameter, try SSRF as well, since the application is pulling from resources internally and those are a lot of times dynamic parameters.