An Infinite Loop Story.
Note: I have already covered this vulnerability twice on my blog, so you can check those posts out.
Now I will just go straight to the point.
I was in my Bugcrowd account, roaming through programs, and I had previous experience with the Redacted.com program.
I thought, why not give it a try? After all, I had a really bad reputation back then.
So I opened subdomain.Redacted.com, as it was in scope, took a moment to look at "Wappalyzer", and found nothing more than this:
My eyes shifted towards the URL and I saw ".jsp"
and I was like
It reminded me of my previous finding (the one I did a writeup on).
I made a small custom directory wordlist based on my previous encounter:
web-console, admin-console, ... and so on
and ran it with DirBuster.
I thought it was running Tomcat, but I was wrong; I remembered from my previous reports that they were using some "IBM web app".
And I found a strange thing. This is what /web-console/ is doing:
So I opened it in the browser,
and found that it kept redirecting me to infinity...
So, based on my previous two encounters on two different programs, which both turned out to be valid:
"So far I think that path confusion leads to this vulnerability,"
where the web application gets confused about where to go next and hence ends up in an infinite loop.
Note: If I'm wrong and anyone can explain it better, you are welcome to.
All I found was CWE-385, which says:
"An infinite loop will cause unexpected consumption of resources, such as CPU cycles or memory. The software's operation may slow down, or cause a long time to respond."
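If you want to confirm that a path like /web-console/ above really loops forever (and not just redirects a few times before landing somewhere), here is an added example of my own, not code from the original post or from the affected program: it follows Location headers by hand, normalises relative targets, and stops at the first URL it has already seen. The host name, the paths and the fake_fetch table are constructed for the demo, not the real target.

```python
from urllib.parse import urljoin, urlsplit

# Constructed fake server: path -> (status, Location header), imitating the
# way the looping /web-console/ endpoint behaved. Not real responses.
FAKE_SERVER = {
    "/web-console/": (302, "/web-console/login"),
    "/web-console/login": (302, "/web-console/"),   # bounces straight back
    "/health": (200, None),
}

def fake_fetch(url):
    """Return (status, location) for a URL using the constructed table."""
    return FAKE_SERVER.get(urlsplit(url).path or "/", (404, None))

def endless_fetch(url):
    """Constructed 'never repeats' server: /step/N always redirects to /step/N+1."""
    n = int(url.rsplit("/", 1)[1])
    return (302, f"/step/{n + 1}")

def follow_redirects(start_url, fetch, max_hops=20):
    """Follow 3xx redirects the way a browser would, but keep a visited list.

    Returns a dict whose 'result' is one of:
      'loop'          - a URL in the chain was revisited (true redirect cycle)
      'too_many_hops' - max_hops redirects without repeating (still a DoS risk)
      'terminated'    - a non-redirect response was reached
    """
    visited = []
    url = start_url
    while len(visited) <= max_hops:
        if url in visited:
            return {"result": "loop", "chain": visited + [url]}
        visited.append(url)
        status, location = fetch(url)
        if 300 <= status < 400 and location:
            # Location may be relative; resolve it against the current URL.
            url = urljoin(url, location)
            continue
        return {"result": "terminated", "status": status, "chain": visited}
    return {"result": "too_many_hops", "chain": visited}

if __name__ == "__main__":
    base = "https://subdomain.redacted.example"   # constructed host
    print(follow_redirects(base + "/web-console/", fake_fetch))
    print(follow_redirects(base + "/health", fake_fetch))
    print(follow_redirects(base + "/step/0", endless_fetch, max_hops=5))
```

Swap fake_fetch for a real HTTP call that does not auto-follow redirects and the same loop check works against a staging copy of your own app.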
So I reported it, it turned out to be valid, and Bugcrowd rewarded me $100 and 5 points.
Again, my DM is open to everyone.
Thank you for so much love and support.
Peace out :-)