To The Point Version:
I found my first bug by doing recursive directory bruteforcing on target and found PHP info page after 3 directories.
Whole story:
We always remember the first bug that we reported to a platform, right? All the hard work and sleepless nights and the pain of submitting duplicates over and over again. The journey full of sweat that we had to complete landed at the first triage.
Well, none of that was true in my case (sorry for your disappointment 🙁 ) rather my journey was unique and funny in that sense. So, I was in a meeting with one of the vendors at my workplace at that time. It was related to some application performance monitoring tool and the vendor was clicking UI and showing what I could have known by simply browsing the applications. I was getting hell-bored in the meeting.
To deal with my boredom, I decided why not just casually scan their website and see what they really think of security. It can help us in making a decision whether they follow checkbox compliance or really care about their platforms, and customers eventually. If they have low-hanging fruits that any automated scanner can get, then I have my answer.
So, while their sales team was giving their flawless presentation. I open my terminal ran dirsearch with the default flags and 100 threads.
python dirsearch.py -u https://www.target.com/ -t 100 I was happy that nothing big came up at first instance and there were no big red flags for this vendor, but sad that I didn’t know how to survive the rest of the demo call. While I was going through the results I realized that there was an endpoint called /blog.
I thought why not scan this directory as well, and maybe it has something interesting. When I did that I find out there is another directory /blog/author. Now my interest got peaked, and I start going aggressive on the scanning.
I explored dirsearch and came up with some custom flags. TBH i didn’t understand each flag completely, but just ran as it felt appealing to my eyes 😀
python dirsearch.py -u https://www.target.com/ -b -r -R 100 -t 100 -e phpTo my surprise, I got PHP configuration page publicly accessible at /blog/author/admin/phpinfo.php .
I then reached out to their PSIRT email distro after some OSINT and was happy to see that they have private program on Hackerone where they invited me. And that’s how I made my account on Hackerone. 😀
They were happy to accept my finding and triaged it as Medium severity and rewarded with 250$ bounty.
Hi, this is a comment.
To get started with moderating, editing, and deleting comments, please visit the Comments screen in the dashboard.
Commenter avatars come from Gravatar.