How recon helped me to find an interesting bug…

Hello infosec community! I’m back again to share an interesting finding with you. A little bit about me: my name is Vedant and I’ve been a bug bounty hunter/ethical hacker for about 4 months now, and I love what I do. Back in July I decided that in August I would focus solely on “Recon”, since I always wanted to up my recon game. On 1st August I rented a VPS and started installing recon tools: everything needed for subdomain enumeration, content discovery, parameter discovery, etc.

Enough of the backstory, let’s understand the bug.

Read and learn

Recon phase:

cat final.txt | nuclei -t path/to/nuclei-templates/vulnerabilities -o results.txt

Discovery phase:

https://something.target.com/MicroStrategy/servlet/taskProc?taskId=shortURL&taskEnv=xml&taskContentType=xml&srcURL=

At first I tried for an open redirect by changing the srcURL parameter to bing.com, but it wasn’t redirecting. Then I tried for SSRF and again it wasn’t working. I thought it was just a false positive.

Then after some time I googled the word MicroStrategy and learned that it is a company providing cloud-based services. Just out of curiosity I searched for “MicroStrategy vulnerability” and found a Medium blog post about an SSRF vulnerability, and that post contained the exact same URL I had found! Reading the post, I understood that the srcURL parameter only accepts TinyURL-style short links, which is why it wasn’t redirecting me. So I made a tiny URL for https://bing.com, put it in the srcURL parameter, and it redirected me to bing.com! I tried for SSRF again, but there was no SSRF: the site was only redirecting me, not fetching data from the external URL. To increase the impact I looked for a page hosting an XSS payload, made a tiny URL for it, pasted that into the srcURL parameter, and the XSS executed successfully! I was very happy.
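As an added example (not part of the original write-up), here is a small log check a defender could run to spot the pattern described above: requests to this taskProc endpoint with taskId=shortURL whose srcURL points at a URL shortener or any host outside the site itself. The access-log lines and the shortener list are constructed for illustration; the trusted host name is taken from the URL in the write-up.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real traffic from the target).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Aug/2020:10:00:01 +0000] "GET /MicroStrategy/servlet/taskProc'
    '?taskId=shortURL&taskEnv=xml&taskContentType=xml'
    '&srcURL=https%3A%2F%2Ftinyurl.com%2Fexample1 HTTP/1.1" 302 0',
    '10.0.0.6 - - [01/Aug/2020:10:00:02 +0000] "GET /MicroStrategy/servlet/taskProc'
    '?taskId=shortURL&taskEnv=xml&taskContentType=xml'
    '&srcURL=https%3A%2F%2Fsomething.target.com%2Fshort%2Fabc HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Aug/2020:10:00:03 +0000] "GET /MicroStrategy/servlet/taskProc'
    '?taskId=getDocument&taskEnv=xml HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Aug/2020:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

TRUSTED_HOSTS = {"something.target.com"}            # hosts the redirect may legitimately target
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}  # assumed shortener list, extend as needed

def extract_request_target(line):
    """Pull the path+query out of the quoted request line of a combined-format log entry."""
    start = line.find('"')
    end = line.find('"', start + 1)
    if start == -1 or end == -1:
        return None
    parts = line[start + 1:end].split()
    return parts[1] if len(parts) >= 2 else None

def flag_short_url_redirect(line):
    """Return (verdict, host) for a taskProc shortURL request, or None if the line is unrelated."""
    target = extract_request_target(line)
    if target is None:
        return None
    parsed = urlparse(target)
    if not parsed.path.endswith("/MicroStrategy/servlet/taskProc"):
        return None
    qs = parse_qs(parsed.query)                     # parse_qs percent-decodes the values
    if qs.get("taskId", [""])[0] != "shortURL":
        return None
    src = qs.get("srcURL", [""])[0]
    if not src:
        return ("missing", "")
    host = (urlparse(src).hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return ("allowed", host)
    if host in KNOWN_SHORTENERS:
        return ("shortener", host)                  # redirect target hidden behind a shortener
    return ("external", host)                       # redirect to any other untrusted host

def scan(lines):
    """Return verdicts for every taskProc shortURL request in the log."""
    return [v for v in (flag_short_url_redirect(l) for l in lines) if v is not None]
```

Anything reported as "shortener" or "external" is a redirect leaving the site; the same check applied at the application layer (rejecting srcURL values whose host is not in the allowlist) is the mitigation.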

I quickly wrote a good report and sent it to the company. After 4–5 days I received a response from them saying “Thanks for reporting this issue”, and they rewarded me by adding me to their security researchers’ “Hall of Fame”.

Even though I didn’t get any bounty for reporting this issue, I learned some new things and, most importantly, I learned the power of “Recon”.

If you have any doubts regarding this write-up, you can reach me here.

Hope you liked this finding. Stay home, stay safe. Thank you!

I’m a self-learner, new to bug bounty and the infosec community.