Hello folks, I hope you are doing well. I'm Parag Bagul, a security researcher and bug bounty hunter.
This article is based on a 2022 finding in which I discovered a backup file leak vulnerability on an Oracle website that led to sensitive information disclosure.
While I was exploring this website, I found some subdomains.
1. Subdomain enumeration:
subfinder -d oracle.com -o domain.txt
2. Extracting live subdomains using httpx:
cat domain.txt | httpx > active.txt
3. Uncovering hidden backup files:
I found the domain 'labs.oracle.com' in the active domains list.
Sometimes developers save backup files named after the subdomain, such as 'test.example.com/test.zip'.
It was the same scenario in my case: after opening labs.oracle.com/lab.zip in a browser, I found that it was leaking sensitive information (.sql files).
So the final tip is: always check every combination of backup file names, like:
Also check different file extensions like zip, 7z, tar, gz, bz2, xz.
Also check the common names that developers use for a website source code backup in ZIP format; you can also fuzz them.
You can also automate this kind of thing with Burp Suite Intruder or nuclei.
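The same naming pattern the post describes (subdomain label plus an archive extension) can be turned into a self-audit that a site owner runs against their own document root before deployment. The script below is an added example, not code from the original post or from Oracle: it derives the candidate names the post warns about (labs.oracle.com -> lab.zip / labs.zip, plus a few assumed generic names such as backup, site, www, src) and then walks a local document root. It goes slightly beyond the post in that it also flags any file with a backup or dump extension regardless of its name, since that is the cheap check a defender should run anyway. The document root and the files in it are constructed inside the script so it runs offline.

```python
"""Defender-side audit for exposed backup archives under a web document root.

Added example (not from the original post): derives the backup file names the
post warns about (host label + archive extension) and walks a local document
root looking for any such artifact that a web server would happily serve.
"""
import tempfile
from pathlib import Path

# Archive extensions named in the post, plus .sql for raw database dumps.
BACKUP_EXTENSIONS = ("zip", "7z", "tar", "gz", "bz2", "xz", "sql")


def candidate_names(hostname: str) -> set[str]:
    """Names a developer might give a backup of this site.

    Derived from the post's observation that backups are often named after the
    subdomain (labs.oracle.com -> lab.zip / labs.zip). The generic names added
    at the end are assumptions for illustration, not a list from the post.
    """
    labels = hostname.lower().split(".")
    names = {hostname.lower(), labels[0]}
    if labels[0].endswith("s"):
        names.add(labels[0][:-1])  # labs -> lab, exactly as in the post
    names.update({"backup", "site", "www", "src"})  # assumed common names
    return names


def candidate_filenames(hostname: str) -> set[str]:
    """Cartesian product of candidate names and archive extensions."""
    return {f"{n}.{e}" for n in candidate_names(hostname) for e in BACKUP_EXTENSIONS}


def find_exposed_backups(docroot: str, hostname: str) -> list[str]:
    """Walk a document root and return web-relative paths of backup artifacts.

    A file is reported if (1) its name is one of the candidate backup names, or
    (2) it carries a backup/dump extension at all. The second test is broader
    than the post's naming trick on purpose: a dump named db/dump.sql is just
    as exposed as lab.zip.
    """
    root = Path(docroot)
    wanted = candidate_filenames(hostname)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        has_backup_ext = any(name.endswith("." + ext) for ext in BACKUP_EXTENSIONS)
        if name in wanted or has_backup_ext:
            hits.append("/" + path.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> list[str]:
    """Constructed document root: one benign page and two leaked artifacts."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.html").write_text("<html></html>")
        Path(d, "lab.zip").write_bytes(b"PK\x03\x04")  # constructed ZIP header
        Path(d, "db").mkdir()
        Path(d, "db", "dump.sql").write_text("-- constructed dump")
        return find_exposed_backups(d, "labs.oracle.com")


if __name__ == "__main__":
    for hit in demo():
        print("exposed:", hit)
```

Anything the audit reports should be moved outside the web root or denied in the server configuration; the candidate-name list is only a starting point, which is why the extension check is applied to every file rather than only to the guessed names.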
Report date: 08-AUG-2022
Patch date: 09-AUG-2022
Added to Hall of Fame: 18-OCT-2022