Hello infosec community! I’m back again to share an interesting finding with you. Little bit about me, my name is Vedant and I’m a bug bounty hunter/ethical hacker for about 4 months now. And I love what I do. So back in July I decided that in August I’ll focus solely on “Recon”. I always wanted to up my recon game. On 1st August I rented a VPS and started to install some Recon tools. I installed all the necessary tools for subdomain enumeration, content discovery, parameter discovery etc.
Enough of the backstory, lets understand the bug.
One day I started looking for some responsible disclosure programs and got a program. The program had *.target.com in scope so I decided to do some recon on the target. First I enumerated all the subdomains using subfinder and amass and combined the output of both tools. Then I used another tool called as httpx for probing and saved the output in a txt file. After that I used a tool created by projectdiscovery team called as nuclei and I used the following command,
cat final.txt | nuclei -t path/to/nuclei-templates/vulnerabilities -o results.txt
After some time I got some results and there was a subdomain vulnerable to microstrategy ssrf and the URL was as following,
At first I tried for an open redirect by changing srcURL parameter to bing.com but it wasn’t redirecting. Then I tried for SSRF and again it wasn’t working. I thought its just a false positive.
Then after some time I just googled for the word Microstrategy and got to know that it is some kind of company which provides cloud based services. So just for curiosity’s sake I searched for “Microstrategy vulnerability” and after some time I got link to a medium blog which was about a SSRF vulnerability and in that blog there was exact same url that I found! So I read the blog and understood that srcURL parameter only takes tiny URLs and that’s why it wasn’t redirecting me. So I made a tiny url for https://bing.com and put it in srcURL parameter and it redirected me to bing.com! I tried for SSRF but there wasn’t a SSRF because site was redirecting me and it wasn’t fetching data from external url. To increase the impact I looked for a XSS hosted page and after some time I got it and made its tiny url and again pasted it into srcURL parameter and the XSS executed successfully! I was very happy.
I quickly wrote a good report and sent it to the company. After 4–5 days I received a response from them saying “Thanks for reporting this issue” and they rewarded by adding me to their security researcher’s “Hall of fame”.
Even though I didn’t get any bounty for reporting this issue, I learned some new things and most importantly I learned the power of “Recon”.
If you have any doubts regarding this write up you can reach me here.
Hope you liked this finding. Stay home, stay safe. Thank you!