Sitemap

How I Discovered Over 40+ Impactful Vulnerabilities Within 1 Hour, Just for Fun!

3 min readAug 13, 2023

Hello, I’m Takshal, aka tojojo. I hope you are all doing well. Today I want to share how I found more than 40 impactful vulnerabilities in the public program of a well-known bug bounty platform within about an hour. In this article I will walk through the approach that led to multiple findings in a single program.

Recap

My story begins a few months back, when I wasn’t actively hunting on any platform. My past experience with a popular platform had left me disheartened: my reports were often closed as Not Applicable or Informative, and I started to doubt my skills. As a result I preferred hunting on private internet programs. A few days ago, though, I had a conversation with my friend Nitin, who was actively hunting on a similar platform, and he had a similar story of discouraging responses. While looking for a program on which to show my skills to our batch, I came across a program on a bug bounty platform that had a wildcard scope.

Recon

1. Subdomain enumeration: Assetfinder, CT logs (ctfr)
2. Content discovery: FFUF, waybackurls
3. Probing for live hosts: httprobe
4. Search engine dorking
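The content-discovery step above produces a long, duplicated list of URLs (waybackurls in particular returns every historical URL it knows). Before hand-testing parameters in Burp it helps to collapse that list into unique endpoints with the parameter names seen on each, and to flag the ones that look like direct database or file references. The script below is an added example, not code from the original post; the sample URLs are constructed in the same *.abc.com placeholder style the post uses and are not real endpoints.

```python
"""Triage a waybackurls-style URL dump: group by host + path, collect the
query parameter names seen on each endpoint, and flag candidates for
manual testing (ColdFusion .cfm pages, ID-like and file-like parameters).

Added example, not from the original post. SAMPLE_URLS is constructed
to look like `waybackurls abc.com` output; the hosts and paths are
placeholders, not real endpoints.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input (not real data).
SAMPLE_URLS = """\
https://staging.abc.com/Login.cfm
https://staging.abc.com/Register.cfm?ref=home
https://staging.abc.com/profile.cfm?ID=1234
https://staging.abc.com/profile.cfm?ID=1235&tab=info
https://api-staging.abc.com/data.cfm?infoType=DATA%20SET&ID=1234
https://stage-dev.abc.com/assets/app.js
https://stage-dev.abc.com/download.cfm?file=report.pdf
https://staging.abc.com/Login.cfm
"""

# Parameter names that commonly map straight onto a database row or a
# filesystem path: first candidates for IDOR, SQLi and traversal testing.
INTERESTING_PARAMS = {"id", "uid", "userid", "user", "file", "path", "page", "infotype"}
# Static assets are dropped; they rarely take interesting parameters.
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".ico")


def triage_urls(dump):
    """Return {"host/path": {"params": set, "cfm": bool, "flags": set}}.

    "params" is every query parameter name seen for that endpoint,
    "cfm" marks ColdFusion pages, and "flags" holds the parameters
    worth testing first (interesting names or purely numeric values).
    """
    endpoints = defaultdict(lambda: {"params": set(), "cfm": False, "flags": set()})
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if not parts.netloc or parts.path.lower().endswith(STATIC_EXT):
            continue
        key = parts.netloc.lower() + parts.path
        entry = endpoints[key]
        entry["cfm"] = parts.path.lower().endswith(".cfm")
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry["params"].add(name)
            if name.lower() in INTERESTING_PARAMS:
                entry["flags"].add(name)
            if value.isdigit():
                # Numeric value: try neighbouring IDs (IDOR) and quoting (SQLi).
                entry["flags"].add(name)
    return dict(endpoints)


def report(endpoints):
    """Render the triage result as sorted text lines, flagged endpoints first."""
    lines = []
    for key, info in sorted(endpoints.items(), key=lambda kv: (not kv[1]["flags"], kv[0])):
        tag = "[cfm]" if info["cfm"] else "     "
        flags = ",".join(sorted(info["flags"])) or "-"
        params = ",".join(sorted(info["params"])) or "-"
        lines.append(f"{tag} {key}  params={params}  test_first={flags}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage_urls(SAMPLE_URLS))))
```

In practice you would pipe the real waybackurls output into `triage_urls` (for example `triage_urls(sys.stdin.read())`) and start with the endpoints listed under `test_first`; the duplicate `Login.cfm` line collapses into one entry, and the static `.js` file disappears.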

Methodology

Let’s jump into the main part. I will refer to the target as “*.abc.com”. After recon, I started with some interesting subdomains (stage-dev.abc.com, staging.abc.com, api-staging.abc.com), where I found an endpoint taking the parameters infoType=”DATA SET” and ID=”1234". My first thought was to test for SQL injection, but it didn’t yield any results: the application had some kind of mitigation in place for both SQL injection and XSS. It could probably be bypassed with more effort, but there were many other endpoints to check, so I moved on.


Further investigation revealed that the website used the “.cfm” extension, which indicates ColdFusion Markup. Knowing that, I tried a directory traversal attack, and it was successful. I kept exploring the subdomain, but FFUF didn’t turn up any more endpoints. Falling back on waybackurls, I got some new endpoints.

My attention settled on two of them: “Register.cfm” and “Login.cfm”. I registered an account and used Burp Suite to experiment with the registration parameters, which led to several stored self-XSS vulnerabilities. To escalate further, I found a parameter vulnerable to insecure direct object reference (IDOR): it returned the profile information of other users. Curious, I kept going. If the website updated information based on the ID parameter, I reasoned, a SQL injection might be possible there as well. My SQL injection payload on the ID parameter succeeded.


I also looked at the other user information that was exposed and noticed high-privilege roles. By registering with an extra “administrative=true” parameter in the request, I was able to obtain admin privileges: the server trusted a role field that the client controlled. Further exploration turned up another IDOR, a PII leak, and a CSRF vulnerability on a critical action.
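Two of the bug classes described above, the profile IDOR and the “administrative=true” registration, come from the same root cause: a handler that trusts a request field without checking who is allowed to set or read it. The following is an added example, not code from the original post or from the target application; it models both handlers as a tiny in-memory app so the vulnerable and hardened versions sit side by side. The field names (administrative, email, phone, address) are assumptions chosen to mirror the post’s description, not the real site’s parameters.

```python
"""Vulnerable and hardened versions of two handlers from the post:

  1. registration that copies every submitted field into the user record,
     so a client-supplied administrative=true creates an admin account
     (mass assignment leading to privilege escalation);
  2. a profile lookup keyed only on the ID parameter, so any logged-in
     user can read any other user's PII (IDOR).

Added example, not from the original post or the target site. Field names
are assumptions. USERS is a constructed in-memory stand-in for a database.
"""
import itertools

USERS = {}                      # id -> user record (constructed "database")
_ids = itertools.count(1001)

PUBLIC_FIELDS = {"id", "username"}                   # anyone may read
REGISTRATION_ALLOWLIST = {"username", "email", "phone", "address", "password"}


def register_vulnerable(form):
    """Mass assignment: every field the client sends lands in the record,
    including 'administrative', which should only ever be set server-side."""
    user = {"id": next(_ids), "administrative": False}
    for key, value in form.items():          # trusts arbitrary client fields
        user[key] = value
    user["administrative"] = str(user["administrative"]).lower() == "true"
    USERS[user["id"]] = user
    return user["id"]


def register_safe(form):
    """Allow-list the fields a client may set; the role is never one of them.
    Unknown fields are rejected rather than silently dropped so that an
    attempt like administrative=true is visible in the logs."""
    unknown = set(form) - REGISTRATION_ALLOWLIST
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    user = {key: form[key] for key in REGISTRATION_ALLOWLIST if key in form}
    user["id"] = next(_ids)
    user["administrative"] = False           # server-controlled, always
    USERS[user["id"]] = user
    return user["id"]


def get_profile_vulnerable(requester_id, target_id):
    """Authenticated but not authorised: any user can fetch any ID."""
    if requester_id not in USERS:
        raise PermissionError("login required")
    return dict(USERS[target_id])


def get_profile_safe(requester_id, target_id):
    """Authorise against the requester, not just the target ID: the owner
    and admins get the full record (minus the password); everyone else
    gets only the public fields."""
    requester = USERS.get(requester_id)
    if requester is None:
        raise PermissionError("login required")
    target = USERS.get(target_id)
    if target is None:
        raise LookupError("no such user")
    if requester_id == target_id or requester["administrative"]:
        return {k: v for k, v in target.items() if k != "password"}
    return {k: v for k, v in target.items() if k in PUBLIC_FIELDS}


def demo():
    """Run both attacks against both versions; returns a summary dict."""
    USERS.clear()
    attacker = register_vulnerable({"username": "mallory", "administrative": "true"})
    victim = register_safe({"username": "alice", "email": "a@example.test",
                            "phone": "555-0100", "password": "hunter2"})
    low = register_safe({"username": "bob"})
    return {
        "vuln_registration_gave_admin": USERS[attacker]["administrative"],
        "vuln_idor_leaks_email": "email" in get_profile_vulnerable(low, victim),
        "safe_idor_leaks_email": "email" in get_profile_safe(low, victim),
        "owner_sees_own_phone": get_profile_safe(victim, victim).get("phone"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check worth taking away is in `get_profile_safe`: the decision is made on the relationship between the authenticated requester and the record, not on whether the requester is logged in at all. Likewise `register_safe` never reads the role from the request; a field the client has no business setting should not even be parsed.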

On that subdomain alone I identified more than 20 security issues, including SQL injection, account takeover (ATO), privilege escalation, XSS, CSRF, and PII leaks. I then continued Google dorking for more subdomains in the same program, which led me to “fs.xyz.abc.com”. Trying to access this subdomain redirected me to a login page. Directory brute-forcing and Google dorking revealed access to certain documents and text files.

That exposure led to yet another PII leak and to configuration file information. Still curious, and expecting that more could be achieved with portal access, I tried the credentials “admin:admin”. That returned an invalid-login error with a cheeky prompt to register. So I registered, explored the parameters further, and uncovered additional IDOR, CSRF, and XSS vulnerabilities.

When I shared my experience with my friend, he was impressed by my parameter observation skills. He encouraged me to participate in bug bounty programs, but I smiled and explained that I didn’t want to jeopardize my self-confidence or risk burnout. I am content hunting on private websites.

The moral of my story is simple: do thorough reconnaissance, gather as much information as you can, and experiment meticulously with every available parameter.

Happy hunting! tojojo

Written by Takshal(tojojo)

I am an Indian hacker and bug bounty hunter, and also a developer.
