I’m Prakash, a part-time bug bounty hunter since my bachelor’s days. Initially, I hacked applications just for fun and excitement. Later, I was happy to secure the online world as a digital warrior and earn some money. That’s what bug bounties are all about.
Usually, I don’t use platforms like HackerOne or Bugcrowd because there are a lot of people securing those sites. Also, a bit selfishly, I’d get duplicates even if I reported the most critical issues in seconds. Recognition and rewards are very important in this journey as a bug bounty hunter to stay motivated.
I used some Google Dorks to find bug bounty programs, as I had before, and came across one program I had hunted on previously; let's call it example.com. I started with my initial reconnaissance, used Wappalyzer and BuiltWith to see whether any new technologies had been introduced since last time, and gathered subdomains using a tool I built, which wraps several well-known (and fairly complex) subdomain enumeration tools. To my surprise, there were a lot of subdomains, in the thousands. To filter those, I generally use some online tools to keep only live subdomains (200 OK, 3xx, and so on). Later, I started using httprobe and httpx for this; after filtering with httpx I still had 700+ live subdomains. So I divided the subdomains by status code and found only 40-50 returning 2xx, 400-450 returning 3xx, and the rest returning 4xx and 5xx.
So, I decided to start with the 4xx subdomains, then the 3xx ones, and finally the 2xx ones. Initially, I tried to see what endpoints were available on the 4xx subdomains. If the page itself was not accessible, I used ffuf for directory brute-forcing to enumerate any directories I did have access to, and then used waybackurls to find previously indexed endpoints that were still reachable. Unfortunately, nothing worked. I spent a day trying other methods as well on the 4xx subdomains: I visited each subdomain, checked the technology stack, and ran nikto against anything that looked suspicious to find loopholes. Where a subdomain asked for credentials, I tried default credentials and used hydra to brute-force, but nothing worked, and I went to sleep that day a little disappointed.
The next day, I started on the 3xx subdomains, doing the same things I had done the previous day. This time I found some endpoints that returned 200 on those 3xx subdomains, which was interesting. I found a few inputs, but all of them were static and nothing seemed to work. Because there were hundreds of 3xx subdomains, I also used other techniques to filter the unique ones, such as httpx's response-length and word-count filters. That gave me some endpoints to test, but still nothing worked out, and I went to sleep disappointed that day.
The third day, I started on the 2xx subdomains. These would require a lot of time, because each domain has a lot of functionality, a lot of inputs, and a lot going on. So, I looked through the subdomain list to pick one to start with. To my surprise, I found a new subdomain I hadn't seen last time: community.example.com. I quickly copied it and went to see what was there. It's just a community site, with a lot of posts about example.com, some code, comments, blogs, code commits, etc. You can also join those discussions after logging in to example.com. There is a login function, and when I clicked on login it used example.com's single sign-on. I got interested, intercepted the raw requests with Burp Suite, and found that it fetches the token from example.com for community.example.com and then sends that token to whatever URL is in the parameter called UL.
To make this clearer, after clicking login the URL on community.example.com looks like this:
https://www.community.example.com/login/XXXX/XXX/tokenx=xx?UL=Value
When I change the value of UL, it redirects to whatever site I give, for example:
https://www.community.example.com/login/XXXX/XXX/tokenx=xx?UL=google.com
It redirected to google.com, and initially I thought it was just a significant open redirect, but I wanted to dig more. After a few minutes I realized that if that redirect is possible in an SSO flow, then the light bulb went on: it is handing the SSO token to the redirected site. To confirm my suspicion, I set up my own server and put its URL in UL, and sure enough I received a request containing the token values fetched from example.com. Boom, it's an authentication token leak, and I can log in with that token to several example.com applications.
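The root cause above is that UL decides where the browser carries the SSO token, with no check on the destination. As an added example (my own code, not from the post or from example.com), this is the allow-list check a login endpoint should apply to a return-URL parameter before redirecting, including the evasions a reviewer would test; the host names and default landing page are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumed values: hosts a post-SSO redirect may land on, and the fallback page.
ALLOWED_HOSTS = {"community.example.com", "www.community.example.com"}
DEFAULT_LANDING = "https://community.example.com/"


def safe_redirect_target(ul: str) -> str:
    """Return a redirect URL that stays on an allow-listed host.

    Anything that would send the browser (and the token riding along with it)
    to a third party collapses to DEFAULT_LANDING instead of being honoured.
    """
    if not ul or not ul.strip():
        return DEFAULT_LANDING
    # Browsers treat backslashes like slashes in the authority part, so
    # normalise them first; otherwise "/\evil.example" parses as a local path
    # here but is followed as "//evil.example" by the browser.
    candidate = ul.strip().replace("\\", "/")
    try:
        # Resolve relative paths such as "/thread/42" against our own origin.
        parts = urlsplit(urljoin(DEFAULT_LANDING, candidate))
    except ValueError:
        return DEFAULT_LANDING
    # Only https: this also rejects "javascript:" and other odd schemes.
    if parts.scheme != "https":
        return DEFAULT_LANDING
    # .hostname strips userinfo and port, so "https://community.example.com@evil.example"
    # yields "evil.example", and "community.example.com.evil.example" is not a match.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_LANDING
    # Rebuild from the validated pieces so no userinfo, port or fragment survives.
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{path}{query}"
```

Even with this check in place, the token should not travel in the redirect URL at all; hand the relying party a short-lived, single-use code and let it exchange that server-side.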
My eyes lit up, and I prepared a report and submitted it within the next two hours. By then it was already 1 o'clock in the morning on the third day, and I slept peacefully. The next day the report was acknowledged, and within a week I received my bounty $$$.
I hope you enjoyed it. Happy hacking!!!!