SOME BUGS
It's been a while since I wrote anything related to bug bounty or hacking. In that time I have had some interesting and some bad experiences with bug bounty programs, from fast responses to scam external programs.
I won't be naming/shaming the programs, but soon I will put up a comprehensive list of scam programs to avoid.
Let's talk about some of the bugs:
1. Authentication bypass via path normalization
I was hunting on some matchmaking/dating site. After finding subdomains via crt.sh and fuzzing the subdomains with a wordlist, I found a login page: min.site.com
I started to fuzz for files with ffuf and a custom wordlist. With no result, I looked for SQLi but found none. I tried response manipulation; again it failed.
I was about to give up, then I clicked on a PNG file. Deleting the pic.png from the URL gave a 403 error. Using the script https://github.com/iamj0ker/bypass-403 on it, I could list the images on the server!
https://login.site.com/images//
I tried https://login.site.com//
https://login.site.com%20 also worked
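As an added illustration (not code from the original post): a hypothetical front-end deny rule that string-compares the raw request path, beside one that canonicalizes the path the way the file server does. It shows why `/images//`, `//` and `%20` slip past the first rule but not the second; the deny list and the canonicalization steps are assumptions modelled on the behaviour described above.

```python
import re
from urllib.parse import unquote

# Hypothetical deny list, modelled on the write-up's case: directory listings
# of the web root and of /images/ should answer 403.
DENIED_LISTINGS = {"/", "/images/"}


def canonicalize(raw_path: str) -> str:
    """Mirror what the file server does before serving: percent-decode,
    trim whitespace, collapse duplicate slashes. Constructed to reproduce
    the observed behaviour, not taken from any real server."""
    p = unquote(raw_path).strip()      # "/%20" -> "/ " -> "/"
    p = re.sub(r"/+", "/", p)          # "/images//" -> "/images/", "//" -> "/"
    if not p.startswith("/"):
        p = "/" + p
    return p


def naive_gate(raw_path: str) -> int:
    """Vulnerable: the rule is applied to the raw request string, so only
    the exact spellings in DENIED_LISTINGS get a 403."""
    return 403 if raw_path in DENIED_LISTINGS else 200


def hardened_gate(raw_path: str) -> int:
    """Fixed: apply the rule to the same canonical form the file server
    resolves, so every spelling of the directory is treated alike."""
    return 403 if canonicalize(raw_path) in DENIED_LISTINGS else 200


def is_bypass(raw_path: str) -> bool:
    """True when the naive gate lets through a request that the file
    server would resolve to a denied directory listing."""
    return naive_gate(raw_path) == 200 and canonicalize(raw_path) in DENIED_LISTINGS


if __name__ == "__main__":
    for raw in ["/images/", "/images//", "//", "/%20", "/images/pic.png"]:
        print(f"{raw!r:18} naive={naive_gate(raw)} hardened={hardened_gate(raw)} "
              f"bypass={is_bypass(raw)}")
```

The general fix is the same for any access rule placed in front of a file server: normalize first, then decide, and disable directory listing outright where it is not needed.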
2. IIS tilde enumeration vulnerability
While doing recon on some program, I found an IP address on Censys (https://search.censys.io/).
It was the famous blue Microsoft IIS page. I remembered the much talked about shortname scanner. I fired up the tool and scanned the site, and got a few hits as seen below, such as downlo_ and web_1.con
The tool fuzzes for the first few characters of the file names and extensions.
downlo_ seemed interesting; with downlo_ I think you can have a few guesses. I tried download and downloads and got no hits, so I decided to create a wordlist with crunch. To the wordlist I appended common extensions such as .zip, .asp, .aspx, .logs etc.
After fuzzing I got a hit: /sitenamedownloads.zip
The endpoint contained a zip file with sensitive information such as usernames, passwords and internal hosts.
The IP was taken down less than 2 hours later. After a day the program replied that the IP was not under their control. I sent them the Censys history report, but they stated that the report did not contain a proof of concept, even after I had logged in to some of their systems. I tried to explain, but finally gave up and quit hunting on that scam program.
3. Blind XSS on a trading platform to deanonymize the users
On a trading platform there was an option for comments while paying or receiving a payment. You enter the bitcoin amount and comments to the buyer/seller. In the comments form I entered a blind XSS payload and sent a test payment request to a random customer I found on waybackurls.
The customer request was in the form https://site.com/customer/userid
userid was random, but it was leaked on waybackurls.
After 10 minutes I got an email from trufflehog (https://xsshunter.trufflesecurity.com/). Checking it, I found an IP address and cookies. I compared the IP address against mine, as my own browser could have executed the payload. The IP address was not mine. I did not try the cookies for account takeover, as per their policy. I reported it to the program and it was fixed.
4. Race condition
I was googling for new programs with Google dorks. A coding website got my attention. I presumed the site could have many features such as leaderboards, playgrounds etc.
With many features, you guessed it, more bugs. More bugs, more cash.
I created an account, and while looking at the leaderboards I saw a user/developer could follow other developers.
I captured the follow request and sent it to Burp Intruder. Looking at the followers count of the developer, I found it had increased from 3 to 25.
I tried again, but it did not work on another user. What could be wrong?
I then remembered I know someone who loves race conditions. I asked him why I was getting false positives on the race condition. He told me to try with a stable connection, so I stopped all my fuzzing tools and used a Safaricom hotspot. The race condition worked again.
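Added example (not code from the original post or the site in question): a hypothetical follow service written two ways. The first does an unsynchronized check-then-insert, so a burst of identical follow requests, like the Intruder burst above, all pass the "not already following" check and the follower count jumps by the burst size. The second does the check and insert in one critical section and keeps the relation in a set, which is what a UNIQUE constraint on (user_id, target_id) gives you in a real database. The barrier is a demo device that parks every request between check and insert so the race reproduces every run.

```python
import threading


class FollowServiceVulnerable:
    """Check-then-act with nothing serializing it: concurrent requests from the
    same user all pass the 'not already following' check and each inserts a row."""

    def __init__(self):
        self.follows = []                  # one entry per accepted request, like DB rows

    def follow(self, user_id, target_id, barrier=None):
        if (user_id, target_id) in self.follows:
            return False
        if barrier is not None:
            barrier.wait()                 # demo only: park every request between check and insert
        self.follows.append((user_id, target_id))
        return True

    def follower_count(self, target_id):
        return sum(1 for _, t in self.follows if t == target_id)


class FollowServiceFixed(FollowServiceVulnerable):
    """Check and insert in one critical section; the set makes the insert
    idempotent, the way a UNIQUE(user_id, target_id) constraint would."""

    def __init__(self):
        self.follows = set()
        self.lock = threading.Lock()

    def follow(self, user_id, target_id, barrier=None):
        if barrier is not None:
            barrier.wait()                 # same stampede, but the lock serializes the rest
        with self.lock:
            if (user_id, target_id) in self.follows:
                return False
            self.follows.add((user_id, target_id))
            return True


def stampede(service, n_requests, user_id="dev_a", target_id="dev_b"):
    """Fire n identical follow requests at once and return the target's
    resulting follower count. user_id/target_id are constructed sample values."""
    barrier = threading.Barrier(n_requests)
    threads = [threading.Thread(target=service.follow, args=(user_id, target_id, barrier))
               for _ in range(n_requests)]
    for t in threads: t.start()
    for t in threads: t.join()
    return service.follower_count(target_id)
```

`stampede(FollowServiceVulnerable(), 25)` returns 25 from a single user, while `stampede(FollowServiceFixed(), 25)` returns 1; a count that grows faster than the number of distinct followers is also the signal to alert on server-side.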
5. CVE-2023-38646
While casually going through Twitter (now X, by Musk), I read a tweet about CVE-2023-38646. It was a pre-auth RCE on Metabase. It was so simple that I decided to fuzz for it on as many companies as possible. Armed with the Link Gopher Firefox extension to fetch company websites, BuiltWith, and a list of external programs I always keep and update, I fuzzed for vulnerable companies.
The format was: https://site.
ffuf -w /companieswordlist.txt -u https://FUZZ.com//api/session/properties -t 1000 -mc 200 -v
The API endpoint /api/session/properties leaked the setup-token, which an attacker could then use with the /api/setup/validate endpoint to complete the setup and execute commands.
I found 20+ vulnerable companies. I reported to all of them, got responses from some, and the issue was fixed. Some were VDPs; unfortunately some did not get back to me or fix the issue.
References:
https://infosecwriteups.com/cve-2023-38646-metabase-pre-auth-rce-866220684396
https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
6. Keycloakify misconfiguration
This leaked sensitive information on Keycloakify 6.x versions. Migrating to the latest version solved the issue.
I was preparing to go out but decided, why not hunt for at least a few minutes. I Google dorked and found an external program, and used crt.sh and https://subdomainfinder.c99.nl/ to find subdomains, as I did not want to run scripts. You guessed it, they are time consuming. I found only two subdomains. Wondering what the main domain could contain, I started clicking around. I landed on an admin page. With no time for an attack, I right-clicked and looked at the source code. I removed the photo.png from the URL and did not receive any error.
I looked at the source code and there was sensitive information such as SMTP usernames, passwords, API keys and internal hosts.
Using the BuiltWith site I found out the site was running Keycloakify. Now it was time to fuzz some vulnerable programs. I took my external program wordlist and fuzzed for the endpoint /auth/realms/customer/
I got some hits. I reported them and realized the few minutes had grown to an hour. But it was worth it!
7. Broken access control on a Chrome extension