Hope you are all doing fine in these critical situations (COVID-19). I am doing fine too, cooking every day besides bug hunting lol!
Never knew I had this cooking talent in me. I guess most of you are feeling just the way I am haha.
Now, getting back to work, I am here again to share one of my new findings on a Bug Bounty Program this month. As the report itself isn't disclosed yet, let us assume the website is https://www.example.com
So, this website is like an e-commerce website. As I told in my earlier blog posts, I first check out the entire website to get a clear picture of it. I go to each page, see what is there on each page, click on different links and see how they redirect to a different page, etc. To put it simply, and in case this helps you, the following are the things I concentrate on when I browse each page of my target website.
Let me put this in order of priority.
1. See if the page contains any sensitive actions like login etc. and then check whether that page is served over HTTPS. If it is served over plain HTTP (so credentials and session cookies cross the wire in cleartext), you just got yourself a P3 vulnerability on Bugcrowd. Yayyy!
2. If the sensitive page is served over HTTPS, try loading the same page over plain HTTP and see if it still loads fine. Again, it's a P4 on Bugcrowd. One caveat: watch the response in your proxy rather than trusting the browser. A 301/302 redirect to the HTTPS URL (or an HSTS policy already cached by your browser) is the correct behaviour and is not a finding; it only counts when the HTTP version of the page actually renders and accepts input.
3. Click on all the links which feel juicy and check whether they take you to an external site.
Let me give you an example:
– If you find a link named "home" or "dashboard", you know these take you nowhere but the same website itself.
– If you see links named "Download it from here", "Check this out" etc., you can't be 100% sure whether they stay on the website or take you to an external site.
Again, it's totally intuitive. If you feel it's a juicy link, don't wait – CLICK IT!!!!
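Here is an added example (my own code, not part of the original post) that automates the three checks above: it extracts every link from a page, sorts them into same-site and external, flags external links that point at file-sharing hosts such as Google Drive (the kind worth opening to test the sharing permissions), and classifies the response you get when you re-request a sensitive page over plain HTTP. The sample HTML, the example.com paths and the Drive/Dropbox link targets are constructed for the demo; the live probe is only used when you pass a URL on the command line, and it deliberately does not follow redirects, because a redirect to HTTPS is the outcome you want to distinguish from a page that really serves over HTTP.

```python
"""Recon helper for the checklist above (added example, not the post's code).

Offline demo: classify_links() runs over SAMPLE_HTML, a constructed page.
Live use:     python recon_check.py https://www.example.com/login
"""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every host, path and folder id here is made up.
SAMPLE_HTML = """
<html><body>
<a href="/dashboard">Dashboard</a>
<a href="https://www.example.com/login">Login</a>
<a href="https://drive.google.com/drive/folders/abc123">Download our brand images from here</a>
<a href="https://cdn.example.com/press-kit.zip">Press kit</a>
<a href="https://www.dropbox.com/sh/xyz/files">Check this out</a>
<a href="mailto:press@example.com">Contact</a>
</body></html>
"""

# Third-party hosts where a share link may also carry write access if the
# owner mis-set the permissions. Extend this set for your own targets.
FILE_SHARING_HOSTS = {
    "drive.google.com", "docs.google.com", "www.dropbox.com", "dropbox.com",
    "onedrive.live.com", "1drv.ms", "wetransfer.com", "we.tl",
}


class _LinkExtractor(HTMLParser):
    """Collects (href, link text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def site_key(host):
    """Crude registrable-domain key: www.example.com and cdn.example.com both
    map to example.com. No public-suffix handling, so co.uk style domains
    need a real PSL library in production."""
    return ".".join(host.lower().split(".")[-2:])


def classify_links(html, page_url):
    """Return {'internal', 'external', 'file_sharing'} lists of (url, text)."""
    parser = _LinkExtractor()
    parser.feed(html)
    target = site_key(urlsplit(page_url).hostname or "")
    out = {"internal": [], "external": [], "file_sharing": []}
    for href, text in parser.links:
        absolute = urljoin(page_url, href)  # resolve /relative links against the page
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel:, javascript: are not navigable links
        host = parts.hostname or ""
        if site_key(host) == target:
            out["internal"].append((absolute, text))
        else:
            out["external"].append((absolute, text))
            if host.lower() in FILE_SHARING_HOSTS:
                out["file_sharing"].append((absolute, text))
    return out


def to_plain_http(url):
    """https://host/path -> http://host/path: the 'load it under HTTP' step."""
    return urlsplit(url)._replace(scheme="http").geturl()


def assess_plain_http(status, headers):
    """Classify the raw (unfollowed) response to a plain-HTTP request.
    'served-over-http' is the finding; a redirect to HTTPS is correct behaviour."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and h.get("location", "").lower().startswith("https://"):
        return "redirects-to-https"
    if 200 <= status < 300:
        return "served-over-http"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 301-to-HTTPS surfaces as a 301, not as the HTTPS page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_plain_http(url, timeout=10):
    """Live request of the HTTP variant of url; returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(to_plain_http(url), headers={"User-Agent": "recon-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # unfollowed 3xx and 4xx/5xx land here
        return e.code, dict(e.headers)


if __name__ == "__main__":
    page = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com/press"
    links = classify_links(SAMPLE_HTML, page)
    for kind in ("internal", "external", "file_sharing"):
        print(kind, links[kind])
    if len(sys.argv) > 1:
        print(assess_plain_http(*probe_plain_http(page)))
```

Run it with no arguments to see the classification of the constructed page (the Drive and Dropbox links end up under file_sharing); pass a real login URL to get the plain-HTTP verdict for that page. The same-site test uses a two-label domain key, which is enough for example.com but not for multi-label public suffixes.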
So, I did the same that day on my target website https://www.example.com.
I was browsing all the pages, checking the HTTPS part, clicking on all the links etc. After a minute or so, I was on a page which looked interesting to me. That's because I saw a link with the following name on that page:
Download our brand images from here.
As I said, always click on the links you feel are juicy. Clicked it.
As I suspected, it took me to an external website, a Google Drive where you could download all their brand images.
After seeing this, I was like…
So, quickly I wanted to see if I had write access to that drive, dragged an image from my PC to the drive annnnnnnd BOOM!
Now I already knew that I had found an issue but wait, I didn't want it to be a $50 or $100 vulnerability.
So, I checked whether it had only images or any sensitive content. Well, there was a folder called "Recordings".
Again, found it juicy and opened that folder. There were so many audio files. Opened them one by one to check what they contained and I was like..
All those audio files were internal to the website. They were some kind of call recordings between the website and their users. Some of them were leaking PII like name, phone number and address!
There were only around 40 audio files but this, this is big now!
So, I quickly wrote a report, submitted it to the program and waited for the response.
After 2 hours, I got a response from the team saying they had removed write access to that drive and also removed the sensitive audio files from it, and awarded me a bounty of $200.
- Submitted on May 2nd
- Patched on May 2nd
- Awarded $200
Hope you enjoyed this write-up. Will be back with another one soon!
Thinking of starting a tutorial series as well!
Until next time, Seeya!
You can always support me through Paypal!