Often companies deploy third-party applications to store various media content. This content is usually in various file formats such as images, documents, Html, JavaScript, SQL. Etcetera. During my engagements on bug bounty programs, it isn’t uncommon to find references to Amazon AWS S3 buckets that are disclosed in various places of the web application such as the website source code, or through a particular operation such as a file upload.

RESPONSE

200 OK“Successfully uploaded to s3://testbucket/profilepicures/user/fancy_avatar.jpg”

These buckets can also be found using the google dork; “site:s3.amazonaws.com” “target.com”

It is also not uncommon to find that these cloud storage…

Google Dorking seems an often under-appreciated technique in a bug bounty hunter’s arsenal when assessing a target web application for vulnerabilities. A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website.

Google Dorking, also known as Google hacking, can return information that is difficult to locate through simple search queries. That description includes information that is not intended for public viewing but that has not been adequately protected. Reference here https://whatis.techtarget.com/definition/Google-dork-query

I recently came across an interesting google dork…

A story of DOM XSS in Mail.ru

It wasn’t till a year of joining the HackerOne platform that I actively started hunting for bugs. At the time, I was completely new to the various server and client-side bug classes that were being reported daily to programs on the platform. Amongst the vulnerabilities being disclosed at the time, Cross-Site Scripting, commonly known as XSS seemed like a very popular one that a lot of hunters were going for. …

Two day’s after submitting my report for a critical Server Side Request Forgery bug i found on a program — https://medium.com/@mase289/a-tale-of-my-first-ever-full-ssrf-bug-4fe71a76e9c4, i woke up to an email alert notifying me that my XSS hunter payload had been triggered on one of the target’s subdomains.

Blind XSS vulnerabilities are a variant of persistent XSS vulnerabilities. They occur when the attacker input is saved by the server and displayed in another part of the application or in another application. For example, an attacker injects a malicious payload into a contact/feedback page and when the administrator of the application is reviewing the feedback…

After a couple of weeks of futile pocking and probing at web applications on some public programs, I decided to take a break and come back to it with a refreshed mind. In this article, I shall explore a Server Side Request Forgery vulnerability that gave me unrestricted access to the program’s Instance metadata environment. This bug could have disclosed the program’s Aws access keys to an attacker. This has been my most interesting finding to date since embarking on my bug hunting journey.

I was looking through the HackerOne program directory for a target to hack on when I…

My story begins after a long day’s work at the company under which i am employed. As was usually the case every evening, i opened up the ride app on my mobile device and ordered a ride back home. After i arrived at my destination, i noticed that i had been overcharged for my trip so i tried to reach out to support. On navigating to the support interface within the app, i was greeted with the following error message.

Note that i have redacted the domain in question so the message was something like “No help desk at redacted.zendesk.com”.

…