Hello Guys! Agent here! Hope you all are doing great. This post covers my recent finding on HackerOne, which was triaged as medium (P3). It was a simple bug, yet a dangerous one. So without further ado, let's jump into the blog.
Intro:
So last year I got a private invite on HackerOne. It was an airline company running a VDP program. I checked the program details and response time and decided to hunt on it. I started hunting two hours after getting the invite, and after two days I submitted my report. Below is the timeline for the report:
2022-11-25 10:51:05 +0000 - Reported.
2022-12-02 04:47:02 +0000 - Triaged.
2023-01-03 14:07:01 +0000 - Requested Retest.
2023-01-03 14:30:01 +0000 - Completed Retest.
2023-01-03 17:43:33 +0000 - Report Resolved.
It was my first valid bug on HackerOne, and I was awarded two cool badges!
Vulnerability Information:
Bug type: Sensitive Information Disclosure through Sent Data.
I found the order details of an account, and the most interesting part was that I could obtain other accounts' order details just by changing the order number. The details included name, order_id, payment_information, persons_name, persons_email and many more fields.
How I Found the bug
When I started hunting on the program, I followed my normal recon procedure (you can find it in my recon blog). It took a day. On the second day, I began exploring the collected data, and while searching for keywords like username=, password=, admin, id= etc., I came across a URL that looked like this:
https://www.comoany.com/somedirectory/somedirectory/v1/order/id/alphanumericorderid?origin=second-detail
I quickly visited it in my browser, but it showed a 404 error followed by a 501. I still wanted to get the details, so I played around with it for a while in the hope of bypassing the restriction/error, but all the effort was in vain. I tried to get the details for more than half a day. I got frustrated and thought of leaving the endpoint, but then I got an idea: why not check it in the Wayback Machine?
I pasted the URL into the Web Archive and Boom! Got the details!! At this point I was so happy. I quickly wrote a report and submitted it to the company. The HackerOne triager and the company staff were very transparent throughout the report.
Conclusion:
If an endpoint returns an error like 403, 501, 404 etc., make sure to check the URL in the Wayback Machine. You may find passwords, config files etc. Severity can range from low to critical.
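Added example (not from the original post) that turns this conclusion into a bulk check from the defender's side: given URLs of your own that now return an error, it queries the Wayback Machine CDX API and reports which of them still have archived HTTP 200 captures, so the copies can be reviewed and a removal request filed. The endpoint list and the CDX rows are constructed samples; the CDX parameters (url, output, fl) and the snapshot URL layout are the real ones.

```python
"""Find which endpoints that error today still have 200 captures in the Wayback Machine.
Defender's use: review your own erroring URLs for archived copies and request removal.
The CDX API rows below are a constructed sample so the script runs offline."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
ORDER_URL = "https://www.example.com/api/v1/order/id/ABC123?origin=second-detail"

# Constructed recon list: URL -> HTTP status it returns today.
ERRORING_ENDPOINTS = {ORDER_URL: 404, "https://www.example.com/config/settings.json": 403}

# Constructed stand-in for CDX output=json: a header row, then one row per capture.
SAMPLE_CDX = {
    ORDER_URL: [
        ["timestamp", "statuscode", "original"],
        ["20220913081522", "200", ORDER_URL],  # archived while it still worked
        ["20221120031005", "404", ORDER_URL],  # archived after it was taken down
    ],
    "https://www.example.com/config/settings.json": [],  # never captured
}

def cdx_query_url(target_url: str) -> str:
    """Build the CDX API query for one URL, requesting only the fields we parse."""
    params = {"url": target_url, "output": "json", "fl": "timestamp,statuscode,original"}
    return f"{CDX_ENDPOINT}?{urlencode(params)}"

def archived_ok_snapshots(cdx_json_text: str) -> list[str]:
    """Return Wayback snapshot URLs for every capture that was served with HTTP 200."""
    rows = json.loads(cdx_json_text)
    if not rows:  # an empty list means the archive has no captures at all
        return []
    header, captures = rows[0], rows[1:]
    ts, st, orig = (header.index(k) for k in ("timestamp", "statuscode", "original"))
    return [f"https://web.archive.org/web/{r[ts]}/{r[orig]}" for r in captures if r[st] == "200"]

def find_exposed(endpoints: dict[str, int], fetch) -> dict[str, list[str]]:
    """Map each erroring endpoint to its archived 200 snapshots; fetch(url) returns a body."""
    return {u: s for u in endpoints if (s := archived_ok_snapshots(fetch(cdx_query_url(u))))}

def offline_fetch(query_url: str) -> str:
    """Serve the constructed sample instead of the network (swap in urllib for live use)."""
    target = parse_qs(urlparse(query_url).query)["url"][0]
    return json.dumps(SAMPLE_CDX[target])

if __name__ == "__main__":
    for url, snaps in find_exposed(ERRORING_ENDPOINTS, offline_fetch).items():
        print(f"{url} returns {ERRORING_ENDPOINTS[url]} now but has {len(snaps)} archived 200 capture(s)")
```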
Okay guys! That's it for this writeup. Hope you enjoyed it. Do give your feedback.
My Socials:
Twitter: https://twitter.com/Agent472458
Thank you!