
My story began with a typical assessment of the program's scope. Luckily, all of the in-scope subdomains were listed on the program’s page, which eliminated the need for subdomain enumeration. After browsing through the available subdomains, I settled on a single one which piqued my interest. I shall refer to it as https://asdfasdf.redacted.com for obvious reasons. I already knew that the program heavily relied upon Microsoft IIS, having fingerprinted the website technologies using the Wappalyzer Chrome extension.

Accessing https://asdfasdf.redacted.com revealed a login form with a user id and password field. A user was required to provide these values in order to…


While assessing a target web application for impactful vulnerabilities, a useful check to conduct might be looking through the Wayback Machine to discover URLs that have existed on the target over time. These might expose critical functionality that could then be tested for bugs. This happened to be the case for a bug bounty target I was hunting on.

A user could reset their account password through the following endpoint: https://api.redacted.com/v3/users/resetToken?email=foobar@gmail.com

While doing recon, I like to automate the process of finding URLs using waybackurls. …



Often companies deploy third-party applications to store various media content. This content is usually in various file formats such as images, documents, HTML, JavaScript, SQL, etc. During my engagements on bug bounty programs, it isn’t uncommon to find references to Amazon AWS S3 buckets that are disclosed in various places of the web application, such as the website source code, or through a particular operation such as a file upload.

RESPONSE

200 OK
“Successfully uploaded to s3://testbucket/profilepicures/user/fancy_avatar.jpg”

These buckets can also be found using the Google dork: “site:s3.amazonaws.com” “target.com”

It is also not uncommon to find that these cloud storage…



Google Dorking seems to be an often under-appreciated technique in a bug bounty hunter’s arsenal when assessing a target web application for vulnerabilities. A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website.

Google Dorking, also known as Google hacking, can return information that is difficult to locate through simple search queries. That description includes information that is not intended for public viewing but that has not been adequately protected. Reference: https://whatis.techtarget.com/definition/Google-dork-query

I recently came across an interesting Google dork…


A story of DOM XSS in Mail.ru

It wasn’t until a year after joining the HackerOne platform that I actively started hunting for bugs. At the time, I was completely new to the various server- and client-side bug classes that were being reported daily to programs on the platform. Amongst the vulnerabilities being disclosed at the time, Cross-Site Scripting, commonly known as XSS, seemed like a very popular one that a lot of hunters were going for. …


Two days after submitting my report for a critical Server Side Request Forgery bug I found on a program (https://medium.com/@mase289/a-tale-of-my-first-ever-full-ssrf-bug-4fe71a76e9c4), I woke up to an email alert notifying me that my XSS Hunter payload had been triggered on one of the target’s subdomains.

Blind XSS vulnerabilities are a variant of persistent XSS vulnerabilities. They occur when the attacker's input is saved by the server and displayed in another part of the application or in another application. For example, an attacker injects a malicious payload into a contact/feedback page, and when the administrator of the application is reviewing the feedback…


After a couple of weeks of futile poking and probing at web applications on some public programs, I decided to take a break and come back to it with a refreshed mind. In this article, I shall explore a Server Side Request Forgery vulnerability that gave me unrestricted access to the program’s instance metadata environment. This bug could have disclosed the program’s AWS access keys to an attacker. This has been my most interesting finding to date since embarking on my bug hunting journey.

I was looking through the HackerOne program directory for a target to hack on when I…


My story begins after a long day’s work at the company under which I am employed. As was usually the case every evening, I opened up the ride app on my mobile device and ordered a ride back home. After I arrived at my destination, I noticed that I had been overcharged for my trip, so I tried to reach out to support. On navigating to the support interface within the app, I was greeted with the following error message.

Note that I have redacted the domain in question, so the message was something like “No help desk at redacted.zendesk.com”.

Mase289

IT systems administrator, Infosec enthusiast, Writer, Bug bounty hunter.
