
Earned $4,000 – Critical Vulnerability in Bug Bounty Hunting

Subdomain Enumeration

Subdomain enumeration is not always my go-to strategy; I typically start with the main application. For this target, however, I used Subfinder, Findomain, and Assetfinder to gather a comprehensive list of subdomains.

To merge the results and remove duplicates, I relied on TomNomNom's anew, then ran httpx from ProjectDiscovery to identify which hosts were live.
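The merge-and-dedupe step in Python, as an added example (not the author's workflow and not code from any of the tools): it takes the raw output of the three enumerators, here constructed sample lines under the write-up's test-domain-h1.app.com, normalizes case and trailing dots, keeps the base of wildcard entries, drops anything outside the root domain, and preserves first-seen order the way anew does. The sample outputs and the root domain are assumptions.

```python
import re
from typing import List, Optional

# Constructed sample output from three enumeration tools (not real scan data).
SUBFINDER_OUT = """\
api.test-domain-h1.app.com
Admin.test-domain-h1.app.com
mail.test-domain-h1.app.com
"""
FINDOMAIN_OUT = """\
admin.test-domain-h1.app.com
cdn.test-domain-h1.app.com.
test-domain-h1.app.com
"""
ASSETFINDER_OUT = """\
api.test-domain-h1.app.com
*.dev.test-domain-h1.app.com
other-company.example
"""
ROOT = "test-domain-h1.app.com"  # assumed program scope

# Lowercase DNS hostname: labels of [a-z0-9-], no leading/trailing hyphen, at least one dot.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def normalize(line: str) -> Optional[str]:
    """Canonicalize one tool output line; return None for junk that is not a hostname."""
    host = line.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # wildcard record: keep the base name, drop the marker
    if not host or not HOSTNAME_RE.match(host):
        return None
    return host


def in_scope(host: str, root: str) -> bool:
    """True for the root itself and any subdomain of it (suffix match on a label boundary)."""
    return host == root or host.endswith("." + root)


def merge_subdomains(outputs: List[str], root: str) -> List[str]:
    """Union of all tool outputs, deduplicated in first-seen order and limited to root's scope."""
    seen = set()
    merged: List[str] = []
    for text in outputs:
        for line in text.splitlines():
            host = normalize(line)
            if host is None or not in_scope(host, root) or host in seen:
                continue
            seen.add(host)
            merged.append(host)
    return merged


if __name__ == "__main__":
    for h in merge_subdomains([SUBFINDER_OUT, FINDOMAIN_OUT, ASSETFINDER_OUT], ROOT):
        print(h)  # feed this list to httpx (or any liveness probe) next
```

The scope filter matters as much as the dedupe: enumerators happily return hosts belonging to other organisations, and probing those is out of bounds for a bug bounty program.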

Pro Tip:

Once you’ve listed all subdomains, tools like Eyewitness

Understanding Application Logic

Understanding the business logic of an application is critical for successful bug hunting. For example:

  • E-commerce Apps: Look for vulnerabilities in payment, pricing, and checkout processes.
  • Ticket Booking Platforms: Analyze functions like ticket creation, sharing, and reservation management.

For this target — a ticket booking app — I studied its core functionalities, keeping an eye out for weak spots that could disrupt business or compromise user data.

Testing Application Functionalities

Once I understood the app’s workflow, I began testing the ticket creation and registration link features. Here’s what I did:

  1. Injected payloads like '><svg/onload=confirm(1)> into fields such as name, email, and description during ticket creation.
  2. Generated the public registration links and opened them to check whether the payloads executed as stored XSS (cross-site scripting).

Initial Findings:

  • Multiple XSS vulnerabilities surfaced but were duplicates of previously reported issues.


The Big Discovery

While exploring the admin functionalities, I stumbled upon a button labeled “EXPORT YOUR CUSTOMERS”, which allowed exporting customer data as PDF or Excel files.

By intercepting the export request in Burp Suite, I found the following POST request:

POST /FileGenerator/user/ZAZZ-SDFSSDF-ZERZE-QSDFQSF
Host: test-domain-h1.app.com
Cookie: ....

{
"UserID": "ZAZZ-SDFSSDF-ZERZE-QSDFQSF"
}

Exploit Strategy:

  • The response returned a fileID, which a subsequent GET request used to download the generated file.
  • By incrementing the fileID value, I gained access to other customers' data, including:
      • Full name
      • Email address
      • Zip code
      • Phone number
      • Address
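The flaw and its fix side by side, as an added example (not the target's code; the write-up only shows the request, so the sequential numeric fileID, the in-memory store, and the customer rows are assumptions): a stand-in export service whose vulnerable variant hands out incrementing fileIDs and never checks who is downloading, and whose fixed variant issues unguessable IDs and refuses any file the requester does not own. The enumerator replays the technique described above.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data; the field names mirror what the export exposed.
CUSTOMERS: Dict[str, List[dict]] = {
    "merchant-A": [{"name": "Ann Example", "email": "ann@example.com", "zip": "10001",
                    "phone": "+1-555-0100", "address": "1 Main St"}],
    "merchant-B": [{"name": "Bob Example", "email": "bob@example.com", "zip": "94016",
                    "phone": "+1-555-0101", "address": "2 Oak Ave"}],
    "attacker":   [{"name": "Mallory", "email": "mal@example.net", "zip": "00000",
                    "phone": "+1-555-0199", "address": "nowhere"}],
}


@dataclass
class ExportFile:
    owner: str
    rows: List[dict]


class ExportService:
    """Stand-in for the export flow: POST creates a file, GET /<fileID> downloads it."""

    def __init__(self) -> None:
        self._files: Dict[str, ExportFile] = {}
        self._next_id = 1000

    # --- vulnerable variant: sequential IDs and no ownership check -----------
    def generate_vulnerable(self, user_id: str) -> str:
        file_id = str(self._next_id)  # guessable: 1000, 1001, 1002, ...
        self._next_id += 1
        self._files[file_id] = ExportFile(user_id, CUSTOMERS[user_id])
        return file_id

    def fetch_vulnerable(self, requester: str, file_id: str) -> Optional[List[dict]]:
        f = self._files.get(file_id)
        return None if f is None else f.rows  # requester is never consulted

    # --- fixed variant: unguessable IDs AND a server-side ownership check -----
    def generate_fixed(self, user_id: str) -> str:
        file_id = secrets.token_urlsafe(32)  # 256 random bits, not enumerable
        self._files[file_id] = ExportFile(user_id, CUSTOMERS[user_id])
        return file_id

    def fetch_fixed(self, requester: str, file_id: str) -> Optional[List[dict]]:
        f = self._files.get(file_id)
        if f is None or f.owner != requester:
            return None  # identical response for "missing" and "not yours"
        return f.rows


def enumerate_exports(fetch: Callable[[str, str], Optional[List[dict]]],
                      attacker: str, start: int, count: int) -> List[Tuple[str, List[dict]]]:
    """Replay the technique from the write-up: walk the fileID space and keep every hit."""
    return [(str(n), rows) for n in range(start, start + count)
            if (rows := fetch(attacker, str(n))) is not None]


def demo() -> Tuple[List[str], Optional[List[dict]]]:
    svc = ExportService()
    svc.generate_vulnerable("merchant-A")
    svc.generate_vulnerable("merchant-B")
    own = svc.generate_vulnerable("attacker")
    # Vulnerable path: everything around our own fileID is downloadable.
    leaked = [fid for fid, _ in enumerate_exports(svc.fetch_vulnerable, "attacker", 990, 20)
              if fid != own]
    # Fixed path: even with a victim's exact fileID in hand, the ownership check refuses.
    victim_file = svc.generate_fixed("merchant-A")
    denied = svc.fetch_fixed("attacker", victim_file)
    return leaked, denied


if __name__ == "__main__":
    leaked_ids, denied_rows = demo()
    print("leaked fileIDs via vulnerable endpoint:", leaked_ids)
    print("foreign file via fixed endpoint:", denied_rows)
```

The ownership check is the actual fix; the random ID only removes the enumeration shortcut. Download links end up in logs, browser history and support tickets, so a file that anyone holding the ID can fetch is still an authorization bug.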

This vulnerability exposed sensitive information worth thousands of dollars on the black market!

Impact:

The application, valued in the billions, had a critical IDOR (Insecure Direct Object Reference) vulnerability. I promptly reported the issue and received a $2,000 reward.
