Posts

Showing posts from May, 2016

That Moment When You Find an Authentication Bypass Vulnerability in a Bug Bounty Program?

One whole year has passed since I joined bug bounty programs on various platforms, and all I could find was a handful of XSS, XFS, CSRF and CRLF vulnerabilities, with 2 to 3 logical bugs and about millions of duplicates...

On the evening of 22nd Dec 2015 I started looking for sub-domains of a website that had been newly introduced to the bug bounty program. After fingerprinting all the domains I found a unique domain that was hosted on an IIS server and running ASP.NET at the back end. An Nmap scan gave me the version of the server and the technology. The web application was running on Windows Server 2003, Microsoft IIS 6.0 with Microsoft SQL Server 2005. That was too old for 2015 technologies, so I went old school on one of the parameters of the page and searched for SQL injection.


I injected a quote and within a few seconds I received a SQL error. Now I was sure a SQL injection vulnerability was present in this sub-domain. As it was a sub-domain the severity of the bug was lower, so my main job was to find as many unique SQL bugs in the we…

Old School Source Code Disclosure Vulnerability

On May 2nd I started a re-evaluation of a web application for a client. While doing the re-evaluation I found out that they had added some more functions to the web app. I started exploring the new features of the app; everything looked fine, as they were all static HTML pages, then suddenly I came across a file "filedownload.php".

Now, my first step was to spider this branch, which I did with the help of Burp Suite, and the full link was "http://site.com/filedownload.php?file=E:\netpub\vhosts\www\httpdocs/journal/welcome.pdf"

The path of the application was disclosed: E:\netpub\vhosts\www\

Then I simply ran the link "http://site.com/filedownload.php?file=" in my browser and I received an error message from the server:
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"

The moment I saw that error I remembered it might be an old school GHDB-type file download vulnerability, so now I had to check for two types of vulnerability:
1. LFI - Local File Inclu…