Categories
Bug Bounty

A tale of 2 bugs

[wpseo_breadcrumb]

Finding hidden gems.

This is a story about how I came across 2 hidden gems during my recon phase. I want to emphasize that it hardly took me 20 minutes to find these bugs and they don’t require any interesting “hack”. I just looked at the right place and did the right thing.

If you are a “l33t hax0r”, this write-up probably isn’t for you.

The bugs were as follows:

  • Getting access to private information of thousands of users.
  • From 401 unauthorized to getting access to internal analytics panel.

Introduction

Recently I had received a private invite on HackerOne from a swag-only program. The program had a HUGE scope and i was definitely interested.

So as usual, I started my recon by enumerating subdomains using subfinder and crt.sh and just looking around for something interesting. And finally I came across a subdomain which looked something like this:

https://replace.help.redacted.com

A login page,which looked like an internal portal for employees. It looked juicy and I quickly started poking around by reading the source and JS files, searched Github and Google but it had absolutely nothing interesting.

Next I entered random credentials in the email and password field and clicked “Sign In”. It redirected me to the same page.

https://replace.help.redacted.com/login/visitor/home

But, if you look at the URL closely, you’ll notice the change in the URL. If you truly like to poke around with stuff, you’ll notice the “visitor” sub-directory and try to change it to “admin”. And that is exactly what I did.

And BAMM! Didn’t work. It just threw me a 403 error.

But that error made me wonder what the company was trying to hide. I quickly ran ffuf and directory-bruteforced the path. And in a few minutes, ffuf returned a 200 response on /operation. It gave me the following page:

https://replace.help.redacted.com/login/operation

It had a “Welcome” message along with an email and a name. I quickly clicked on the “search” icon and was shocked to what I came across next.

Yes, that’s right. It had all kinds of return/replace information of products and private data of thousands of people. All this data was real time i.e. it kept on updating every time someone returned their product or filed something for return. I quickly reported it to the program and they took down the endpoint in a couple of hours. Easy win.

Another day, another bug.

The next day, I started where I left off and continued looking for another subdomain. This time, the following subdomain caught my attention:

https://test.product.j1.redacted.com

I did what any hacker would do when a default page is thrown at them. I quickly ran ffuf and while that was running I searched Google and Github if they had anything related to this subdomain (they did not).

FFUF did not return anything apart from the default “/index.html” and a 401 response for the “/statspanel endpoint. Those of you who don’t know, you need valid credentials to access a page which has Basic HTTP authentication enabled.

HTTP Basic Auth

I wondered how I could access the page at “/statspanel“. I tried all kinds of default credentials when it gave me the Basic HTTP authentication prompt. Again. No luck.

Next I thought, why not access this same endpoint with the IP address of this host. And that is exactly what I did. I quickly used the dig command and got the IP address mapped to that host.

Next I visited the same endpoint, but with the IP address. (<IP address>/statspanel)

Internal stats panel

It worked! The page had statistical and other logs of users (IPs, webpages they accessed, etc) who visited the host.

It looked like the developers forgot to add Authentication on the IP for the same endpoint. And I guess it was my lucky day. I reported it to the program and it got fixed in a couple of days.

Takeaway

These were the kind of bugs which scream at you how important recon is in your workflow as well as asking yourself the right questions when a web app presents you with something weird. That’s what I learned when I found these bugs. Also,

  • Try to fuzz and look around a web app when it presents you with something weird.
  • 401 response? Try the same endpoint at the IP of the same host.

Well, that was it for this write-up. It was my first bug bounty write-up (hopefully more to follow). I will also be covering topics like GraphQL or OAuth soon. If there is any topic you want me to cover then drop me a message on Twitter.

If you enjoyed reading this post, share it and leave a response if you have any queries. Be sure to check out my,

Githubhttps://github.com/mqst

LinkedINhttps://www.linkedin.com/in/muqsit-baig

HackerOnehttps://hackerone.com/mqst

DigitalOcean — Get $100 in credit from DigitalOcean and start your bug bounty journey!

Thanks for reading! Subscribe to the mailing list to get notified when new content is posted.


Muqsit Baig

By Muqsit Baig

Cyber Security Enthusiast | Occasional Bug Bounty Hunter | Learner

One reply on “A tale of 2 bugs”

Leave a Reply

Your email address will not be published. Required fields are marked *