My First ever blog about a web application vulnerability.

Vedant Tekale
May 22, 2020

Hello my fellow bug hunters and security enthusiasts. My name is Vedant, I’m from India. I’m a computer engineering student and a beginner in the bug bounty and infosec community. I’ve learnt so much from the community and am continuously learning new things day by day. I am writing this blog to give something back to the community.

This blog is about my recent critical finding on a Responsible Disclosure Program. Since the bug is not patched yet, I’m calling the target dummy.com. So let’s dig in…

So as always I was using Google dorks for finding new targets. I used one of the dorks from this list: https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt, and I picked a target which looked somewhat interesting to me.

Vulnerability Description :-

I found a repository which leaked PII (Personally Identifiable Information) of all the users.

Little bit about the target :-

So the target was dummy.com. From dummy.com we can order food and beverages. This site had an option to create an account and all the typical functions which are present in e-commerce sites. And the main thing was that the site had *.dummy.com scope.

Recon Time :-

So whenever I see * in scope, the first thing I do is subdomain enumeration. So I fired up my terminal and I used Assetfinder by Tomnomnom (https://github.com/tomnomnom/assetfinder) and crt.sh to enumerate all the subdomains. Unfortunately the site had only 7 subdomains 😞 😟 but I didn’t give up on seeing that. Then one subdomain caught my attention: it was feedback.dummy.com. Since this site was like an e-commerce site, I thought people must have given some feedback about food quality and so on, so I thought, is it possible to access other people’s data? 🤓

The Discovery :-

I once read in a blog about a tool called Dirhunt (https://github.com/Nekmo/dirhunt). Dirhunt is a tool which is used for directory bruteforce. Since feedback.dummy.com looked interesting to me, I decided to directory bruteforce hoping to get something sensitive. I thought let’s just give it a try, and I fired up dirhunt and typed the necessary command:

dirhunt https://feedback.dummy.com/

After some time I saw that dirhunt found some interesting files and all of those files had the .CSV extension. I was like…

I quickly opened up the link that dirhunt showed as an interesting file and I was surprised… That was an upload directory and it had so many .CSV files which contained all critical information about the users such as email, address, transaction details and so on… I was like…

I quickly reported that and after 2 days I got a response from them saying: this is a valid finding, we’ll fix it, and once it is fixed we will add your name to our hall of fame list.

I was not able to score my first bounty there but it was okay, I learned something new.. 😁
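
A defender-side check for the exposure described above, as an added example that is not part of the original post: it walks a web-served directory and reports CSV files whose header row contains PII-like columns. The keyword list, function names and sample files are assumptions constructed for illustration.

```python
import csv
import os
import tempfile

# Assumed header keywords that suggest personal data; tune for your own exports.
PII_HINTS = ("email", "address", "phone", "name", "transaction")

def pii_columns(csv_path):
    """Return header columns of csv_path whose names look like personal data."""
    with open(csv_path, newline="", encoding="utf-8", errors="replace") as fh:
        header = next(csv.reader(fh), [])  # empty file -> no columns
    return [c.strip() for c in header if any(h in c.lower() for h in PII_HINTS)]

def audit_webroot(webroot):
    """Walk a web-served directory; map each risky CSV (relative URL path) to its PII columns."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if fname.lower().endswith(".csv"):
                path = os.path.join(dirpath, fname)
                cols = pii_columns(path)
                if cols:
                    # The path relative to the web root is what a crawler would request.
                    rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                    findings[rel] = cols
    return findings

def build_sample_webroot():
    """Constructed sample tree (not data from the post)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "feedback_export.csv"), "w", newline="") as fh:
        csv.writer(fh).writerows([
            ["Order ID", "Email", "Delivery Address", "Transaction Amount"],
            ["1001", "user@example.com", "1 Example Street", "12.50"],
        ])
    with open(os.path.join(uploads, "menu.csv"), "w", newline="") as fh:
        csv.writer(fh).writerows([["item", "price"], ["tea", "2.00"]])
    return root

if __name__ == "__main__":
    for rel, cols in audit_webroot(build_sample_webroot()).items():
        print(f"EXPOSED: /{rel} -> {cols}")
```

Any file this reports belongs outside the document root or behind authentication, and directory listing should be disabled on upload folders.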

If you enjoyed it then do follow me on Twitter (https://twitter.com/_justYnot). I’m excited to read such stories from you guys. If you’ve any questions then DM me, DMs are always open.. 😄 Thank you so much for reading…
