Welcome to Day 3. I found 3 vulnerabilities, but I will be reporting only 1.
I came across an endpoint with a redirect parameter. The plan was to exploit this into an XSS attack leading to an account takeover, but there was a problem:
As you can see, it is “invite only”, meaning I cannot confirm whether the parameter is exploitable; the only thing I can do is move on.
I moved on to my next target, and things didn’t go according to plan. For whatever reason, I was greeted with the following page:
Receiving such a response from the program’s main domain is an odd thing; I only come across this on abandoned subdomains, which made me think there’s a chance I’ve been blocked due to my automation, but that’s just a theory.
I then spent hours evaluating targets, seeing which ones were worth my time and which were not. I finally set my eyes upon a target endpoint. I went to the account creation URL, and it looked familiar: the URI matched one of my previous reports, but the difference between the two is that this endpoint has no parameters. Furthermore, I decided to use Burp’s “Param Miner” to find any hidden parameters, and it worked; the parameter discovered was “error”. I applied my XSS methodology to it and nothing worked, but something else did: it wasn’t an XSS but “content injection”, which happens to be out of scope, therefore I decided not to report this bug.
The second vulnerability was an AWS S3 bucket that allowed anyone with an AWS account to read the bucket’s contents (Broken Access Control/Misconfiguration). What made me not report this vulnerability is the fact that I found no sensitive data within the bucket and, based on my experience, triagers love closing it as Informative, ignoring the fact that sensitive data might touch the bucket in the future. I’ve gotten a $500 bounty for this vulnerability on a program that managed itself; their reasoning was that even if I found no sensitive data, there’s a chance an admin might upload something sensitive not realizing everyone can read the bucket.
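The “anyone with an AWS account can read it” condition described above corresponds to an S3 bucket ACL grant to the AWS-wide AuthenticatedUsers group (the AllUsers group is the fully anonymous variant). The following is an added example, not code from this post or from the affected program, showing how a bucket owner would audit a bucket ACL for those grants and what the corrected ACL looks like. It operates on the dictionary shape that boto3’s `get_bucket_acl` returns, so the constructed sample ACLs below stand in for live responses; the bucket names, the `classify` and `remediate` helpers, and the sample grants are assumptions. On a real bucket you would also check the bucket policy and the Block Public Access settings, which this ACL-only check does not cover.

```python
"""Audit an S3 bucket ACL for grants to the AWS predefined groups that make
bucket contents readable by everyone or by any AWS account holder.

Added example (not the post author's code). Works offline on the constructed
ACL dictionaries at the bottom; on a live bucket you would feed it the result
of boto3's s3.get_bucket_acl(Bucket=name) instead.
"""
import copy

# Real predefined-group URIs that AWS uses in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
RISKY_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Bucket-level permissions that allow listing the bucket's objects.
READ_LIKE = {"READ", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (group name, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants (e.g. the owner) are not the concern here
        group = RISKY_GROUPS.get(grantee.get("URI", ""))
        if group is not None:
            findings.append((group, grant.get("Permission")))
    return findings


def classify(acl):
    """'public' (anonymous listing), 'any-aws-account', or 'private'.

    'public' wins when both groups hold a read-like permission, since anonymous
    access is the broader exposure.
    """
    groups = {group for group, perm in risky_grants(acl) if perm in READ_LIKE}
    if "AllUsers" in groups:
        return "public"
    if "AuthenticatedUsers" in groups:
        return "any-aws-account"
    return "private"


def remediate(acl):
    """Return a copy of the ACL with every predefined-group grant removed.

    The result is the corrected ACL a bucket owner would apply (for example via
    put_bucket_acl with AccessControlPolicy=...). The owner's own grant is kept.
    """
    fixed = copy.deepcopy(acl)
    fixed["Grants"] = [
        g for g in fixed.get("Grants", [])
        if g.get("Grantee", {}).get("URI") not in RISKY_GROUPS
    ]
    return fixed


# Constructed sample ACLs (not real buckets). The owner ID is a placeholder.
OWNER = {"Type": "CanonicalUser", "ID": "placeholder-owner-canonical-id"}

# Weak setting: any AWS account holder can list the bucket.
MISCONFIGURED_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Worse: anonymous listing.
PUBLIC_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Corrected setting: only the owner holds a grant.
PRIVATE_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}

if __name__ == "__main__":
    for name, acl in [("example-misconfigured", MISCONFIGURED_ACL),
                      ("example-public", PUBLIC_ACL),
                      ("example-private", PRIVATE_ACL)]:
        print(f"{name}: {classify(acl)} {risky_grants(acl)}")
    print("after remediation:", classify(remediate(MISCONFIGURED_ACL)))
```

Running it prints `any-aws-account` for the first sample with the `('AuthenticatedUsers', 'READ')` grant, `public` for the second, `private` for the third, and `private` again once `remediate` has stripped the group grant. The same check applied on a schedule to every bucket in an account is how a defender catches the case the post describes, where a bucket is empty today but an admin uploads something sensitive later.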
For the final bug, I will not be able to talk about it until I’ve reported it, as I do not want to violate any policy, but I’ll leave you with these reading materials to give you an idea.
There’s something I realized today: I think my greatest fear as a hacker is investing all my time into a target and not seeing the fruits of my labor in the end. I know it’s an irrational fear, and I think I’m not the only hacker who has this irrational fear. I’d like to prove this idea wrong by investing all my time into a target program I discovered today, and we shall see how it goes down the line. Overall, it was a good day; I had a lot of fun.
See you tomorrow❤