Hello Guys! Agent here! Hope you all are doing great. The blog below shows my recent finding on HackerOne, which was triaged as medium (P3). It was a simple bug, yet a dangerous one. So without further ado, let’s jump into the blog.
So last year I got a private invite from HackerOne. It was an airline company and a VDP program. I checked the program details and response time and decided to hunt on it. I started my hunting two hours after getting the invite. After two days I submitted my report. Below is the timeline for the report:
2022-11-25 10:51:05 +0000 - Reported.
2022-12-02 04:47:02 +0000 - Triaged.
2023-01-03 14:07:01 +0000 - Requested Retest.
2023-01-03 14:30:01 +0000 - Completed Retest.
2023-01-03 17:43:33 +0000 - Report Resolved.
It was my first valid bug on HackerOne, and I was awarded two cool badges!
Bug type: Sensitive Information Disclosure through Sent Data.
I found order details of an account, and the most interesting part was that I could get other accounts' order details by just changing the order number. The details included name, order_id, payment_information, persons_name, persons_email and many more things.
How I Found the bug
When I started hunting on the program, I followed my normal recon procedure (you can get my recon procedure in my recon blog). It took a day. On the second day, I began exploring the collected data, and while searching for keywords like username=, password=, admin, id= etc., I came to a URL which was like this:
I quickly visited it in my browser, but it showed a 404 error followed by a 501. But I wanted to get the details, so I played around with it for some time in the hope of bypassing the restriction/error. But all the effort went in vain. I tried getting the details for more than half a day. I got frustrated and thought of leaving the endpoint, but then I got an idea! Why not check this in the Wayback Machine?
I pasted the URL into the web archive and boom! Got the details!! At this point I was so happy. I quickly made a report and submitted it to the company. The HackerOne triager and the company staff were very transparent throughout the report.
If any endpoint gives an error like 403, 501, 404 etc., make sure to check the URL in the Wayback Machine. You may get some passwords, config files etc. Severity can range from low to critical.
Okay guys! That's all for this writeup. Hope you guys enjoyed it. Do give your feedback.
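The owner's side of the same check, as an added example that is not part of the original post: blocking the live endpoint does not remove archived copies, so a site owner can review what the Wayback Machine captured for their own domain and list the endpoints archived with a 200 and sensitive query parameters. The rows below are constructed in the CDX server's default field order, and example.com and the parameter list are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample rows, CDX default field order:
# urlkey timestamp original mimetype statuscode digest length
SAMPLE_CDX = """\
com,example)/orders/view?order_id=1001 20220104101500 https://example.com/orders/view?order_id=1001 text/html 200 AAAA 5120
com,example)/about 20220105090000 https://example.com/about text/html 200 BBBB 2048
com,example)/login?username=test&password=x 20220201120000 https://example.com/login?username=test&password=x text/html 200 CCCC 3100
com,example)/orders/view?order_id=1002 20220301080000 https://example.com/orders/view?order_id=1002 text/html 404 DDDD 512
com,example)/search?q=flights 20220302080000 https://example.com/search?q=flights text/html 200 EEEE 4096
com,example)/orders/view?order_id=1003 20220410070000 https://example.com/orders/view?order_id=1003 text/html 200 FFFF 5090
"""

# Assumed parameter names; extend to match your own application.
SENSITIVE_PARAMS = {"id", "order_id", "username", "password", "token", "email"}


def audit_archived_urls(cdx_text, sensitive=SENSITIVE_PARAMS):
    """Group archived 200 captures by endpoint and sensitive parameter names."""
    groups = {}
    for line in cdx_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip blank or malformed rows
        _, ts, original, _, status, _, _ = fields
        if status != "200":
            continue  # only captures where page content was actually stored
        parts = urlsplit(original)
        names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        hits = tuple(sorted(names & sensitive))
        if not hits:
            continue
        key = (parts.netloc + parts.path, hits)
        g = groups.setdefault(key, {"endpoint": key[0], "params": list(hits),
                                    "snapshots": 0, "first": ts, "last": ts})
        g["snapshots"] += 1
        g["first"] = min(g["first"], ts)  # 14-digit timestamps sort as strings
        g["last"] = max(g["last"], ts)
    return sorted(groups.values(), key=lambda g: g["endpoint"])


if __name__ == "__main__":
    for g in audit_archived_urls(SAMPLE_CDX):
        print(f'{g["endpoint"]} params={g["params"]} '
              f'snapshots={g["snapshots"]} {g["first"]}..{g["last"]}')
```

Each group is a candidate for an archive exclusion request and for moving the identifier out of the URL or putting the endpoint behind authorization.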
Thank you! 💟