An Infinite Loop Story.

Ashish Kunwar
Aug 29, 2018 · 2 min read

Note: I have already covered this vulnerability twice before on my blog, so you can check that out.

Now, I will just go straight to the point.

I was in my Bugcrowd account, roaming through programs, with my previous experience with the Redacted.com program in mind.

I thought why not give it a try; after all, I had a really bad reputation then.

So I opened subdomain.Redacted.com as it was in scope, took a moment looking at “Wappalyzer”, and found nothing more than this

Bulls***

My eyes shifted towards the URL and saw “.jsp”

https://example.Redacted.com/dir/dir/public/SomethingHere.jsf

and I was like

Wohoo!

It reminds me of my previous finding (I did a writeup on it).

Next Step

I made a small custom dir file based on my previous encounter.

Dir.txt

web-console, admin-console, … and so on

and ran it with DirBuster.

I thought it was running Tomcat but I was wrong; I remember from my previous reports that they are using some “IBM web app”.

and found a strange thing:

/web-console/ is doing a 302 redirection.

So I opened it in the browser.

And found that it kept redirecting me to infinity...

Redacted a few things.

So, based on my previous two encounters on two different programs, which turned out to be valid:

“So far I think that path confusion leads to this vulnerability.”

where the web application gets confused about where to go next and hence ends up in an infinite loop.

Note: If I'm wrong and anyone can explain it better, you are welcome.

All I found is CWE-835, which says

“An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software’s operation may slow down, or cause a long time to respond.”
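As an added example (this is not code from the original post, nor the author's tooling), here is a small Python script that does two things a defender would want around a finding like this: it follows 302 redirects by hand with a hop cap and a visited set, so a redirect loop is reported as a loop instead of hanging the client, and it shows one idempotent path normalisation rule that can never redirect to itself. The host name app.example.test, the redirect table and the trailing-slash cause it reproduces are constructed assumptions for illustration; the real cause on the reported site is not known from the post.

```python
from urllib.parse import urljoin, urlparse

# Constructed toy redirect table standing in for a server's 302 responses.
# It reproduces one common "path confusion" pattern: one layer strips the
# trailing slash and another adds it back, so the two never agree.
# (Illustration only; the real cause on the reported site is not known.)
FAKE_ROUTES = {
    "https://app.example.test/web-console/": (302, "/web-console"),
    "https://app.example.test/web-console":  (302, "/web-console/"),
    "https://app.example.test/login":        (302, "/login/form"),
    "https://app.example.test/login/form":   (200, None),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Return (status, Location) for a URL without following redirects.

    Stand-in for an HTTP client call (constructed, no network needed).
    """
    if url in FAKE_ROUTES:
        return FAKE_ROUTES[url]
    # An open-ended chain: /step/1 -> /step/2 -> ... never repeats a URL,
    # so only the hop limit can stop it (constructed, not a real site).
    path = urlparse(url).path
    if path.startswith("/step/"):
        n = int(path.rsplit("/", 1)[1])
        return (302, f"/step/{n + 1}")
    return (404, None)


def follow_redirects(url, fetch=fake_fetch, max_hops=10):
    """Follow 3xx Location headers manually, refusing to loop.

    Returns a dict with the chain walked, the final status, whether the
    walk was cut off, and why ("cycle" when a URL repeats, "max_hops" when
    the chain simply never ends). Browsers apply a similar cap; a bare
    client that follows blindly is the one that burns CPU and memory.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or location is None:
            return {"chain": chain, "status": status, "loop": False, "reason": None}
        nxt = urljoin(url, location)          # resolve relative Location
        if nxt in seen:
            return {"chain": chain + [nxt], "status": status,
                    "loop": True, "reason": "cycle"}
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    return {"chain": chain, "status": None, "loop": True, "reason": "max_hops"}


def canonical_path(path):
    """One normalisation rule every layer should share: collapse leading and
    trailing slashes, then end every non-root path in exactly one slash.

    The function is idempotent, so a redirect to canonical_path(p) can never
    bounce back; disagreeing rules between two layers are what loop.
    """
    path = "/" + path.strip("/")
    return path if path == "/" else path + "/"


if __name__ == "__main__":
    for start in ("https://app.example.test/web-console/",
                  "https://app.example.test/login",
                  "https://app.example.test/step/1"):
        result = follow_redirects(start)
        verdict = f"LOOP ({result['reason']})" if result["loop"] else f"ok, {result['status']}"
        print(f"{start}: {verdict}, {len(result['chain'])} URL(s) walked")
    print(canonical_path("/web-console"), canonical_path("//web-console//"))
```

Running the script walks the three constructed start URLs: the /web-console/ pair is reported as a cycle after two hops, /login resolves normally to a 200, and the /step/ chain is cut off at the hop limit. Swapping fake_fetch for a real client call that does not auto-follow redirects turns follow_redirects into a check you can run against your own endpoints.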

So I reported it, it turned out to be valid, and Bugcrowd rewarded me $100 and 5 points.

References:

https://dxploiter.blogspot.com/

Again, my DM is open to everyone.

Thank you for so much love and support.

Peace out :-)
