How I Scored 1K Bounty Using Waybackurls

Author: Sicksec
Finding bugs in production. Breaking APIs for fun. Passionate about Web Security, API Testing, GraphQL, and REST APIs.
Hello Security Researchers

In this write-up, I want to share a finding from a public bug bounty program that ended up paying me 1K for what was essentially a single command on the terminal.

I won't be able to disclose the name of the program: the leak was huge, they are still migrating everything from the previous algorithm they used to a new one, and the deprecated API is still reachable.

The program has been on HackerOne for more than a decade and has big names on it. I was familiar with the services they offer since I was a user, so I started enumerating subdomains, where I noticed a weird link that might hold sensitive data, since they were passing everything in the URL path. My first approach was to check the Wayback Machine URLs; Tomnomnom has a very handy tool for that, waybackurls, which I used as follows:

waybackurls requests.redacted.com

I was surprised by the number of URLs belonging to users, with their tokens included, and I thought: no way they're still valid, right?!
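The triage step (sifting thousands of archived URLs for the ones that carry credentials) is easy to script. The following is an added example, not the author's code or part of waybackurls: it takes a URL list, either from the same Wayback Machine CDX endpoint that waybackurls queries or from a constructed sample embedded in the file, and flags URLs whose query string or path carries a token-like value, collapsing duplicates so each candidate secret is checked once. The parameter names, the path pattern and the sample URLs (values invented, belonging to no real program) are assumptions for illustration; anything the script flags should only ever be exercised against an account or environment you own.

```python
"""Flag archived URLs that carry credential-like values.

Added example, not the original post's or waybackurls' code. The live
fetch hits the same Wayback Machine CDX endpoint that waybackurls uses;
the sample URLs, parameter names and path pattern are assumptions.
"""
import re
import sys
import urllib.parse
import urllib.request

# Query-parameter names that commonly carry secrets. Assumption: a starting
# list to extend per target; matched case-insensitively.
SENSITIVE_PARAMS = {
    "token", "access_token", "auth", "auth_token", "api_key", "apikey",
    "key", "session", "sessionid", "sid", "secret", "signature", "sig",
}

# A 32+ character base64url/hex-looking path segment (e.g. /reset/<token>).
# Assumption: tune the minimum length to the target's token format.
PATH_SECRET_RE = re.compile(r"/([A-Za-z0-9_-]{32,})(?=/|$)")

# Constructed sample of what `waybackurls requests.redacted.com` might print;
# the values are invented and do not belong to any real program.
SAMPLE_URLS = [
    "https://requests.redacted.com/api/v1/requests?token=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6&user=alice",
    "https://requests.redacted.com/static/app.js",
    "https://requests.redacted.com/reset/0123456789abcdef0123456789abcdef0123456789abcdef",
    "https://requests.redacted.com/api/v1/requests?token=&user=bob",
    "https://requests.redacted.com/api/v1/requests?TOKEN=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6&user=alice",
    "https://requests.redacted.com/login?next=/dashboard",
]


def fetch_wayback_urls(domain, timeout=60):
    """Return archived URLs for *.domain from the Wayback Machine CDX API.

    Same query waybackurls issues: one original URL per line, de-duplicated
    by URL key. Needs network access; the offline sample does not call it.
    """
    query = urllib.parse.urlencode({
        "url": f"*.{domain}/*",
        "fl": "original",
        "collapse": "urlkey",
    })
    with urllib.request.urlopen(
            f"https://web.archive.org/cdx/search/cdx?{query}", timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return [line.strip() for line in body.splitlines() if line.strip()]


def find_leaks(urls):
    """Return one finding per credential-like value found in a query or path."""
    findings = []
    for url in urls:
        parts = urllib.parse.urlsplit(url)
        # keep_blank_values so `token=` is seen and then skipped as empty
        for name, value in urllib.parse.parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS and value:
                findings.append({"url": url, "where": "query", "name": name, "value": value})
        match = PATH_SECRET_RE.search(parts.path)
        if match:
            findings.append({"url": url, "where": "path", "name": None, "value": match.group(1)})
    return findings


def unique_values(findings):
    """Collapse findings that expose the same secret (first occurrence wins),
    so each candidate is verified once rather than once per archived URL."""
    seen, unique = set(), []
    for finding in findings:
        if finding["value"] not in seen:
            seen.add(finding["value"])
            unique.append(finding)
    return unique


if __name__ == "__main__":
    # python3 triage.py requests.redacted.com   -> live CDX fetch
    # waybackurls requests.redacted.com | python3 triage.py -   -> read stdin
    # python3 triage.py                          -> constructed sample
    if len(sys.argv) > 1 and sys.argv[1] != "-":
        urls = fetch_wayback_urls(sys.argv[1])
    elif len(sys.argv) > 1:
        urls = [line.strip() for line in sys.stdin if line.strip()]
    else:
        urls = SAMPLE_URLS
    for finding in unique_values(find_leaks(urls)):
        label = finding["name"] or "path"
        print(f"{label}\t{finding['value'][:12]}...\t{finding['url']}")
```

The script deliberately stops at listing candidates: whether an archived token is still accepted is something to confirm with a token from your own account, exactly as the write-up does, not by replaying other users' credentials against the live API.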


Guess I was wrong. I went to the API page, and it turned out to be a simple POST request: with the leaked link and a small request body, curl was enough for the proof of concept, something like this:

[screenshot: poc]

I tested it in my own environment only and sent the report right away. It was paid within a few days, and the team started on the fix.

[screenshot: poc2]

Takeaways

  • Never assume that because a program already has a lot of known hackers on it you won't find anything.
  • Everyone has their own approach to a target, and you may see something that others didn't.
