How One Bug Scored Me Double Rewards!
Good day!
I hope you are well. As this is my first write-up here, I hope you like it. I’ll get straight into the bugs I found a while ago in a private program at HackerOne. Let’s call it redacted.com :)
The program I am hunting on resolves any subdomain "anything.redacted.com" to the main website login page "redacted.com/login". That behavior was new to me, so I thought subdomain-gathering tools would be of little use.
I started with a simple Shodan dork:
ssl:redacted.com
A lot of results came out, until I found an IP address pointing to the subdomain "z2007.redacted.com" — interesting! Look at "z2007"; it seems like some old, forgotten server!
The main website's services are things like video sessions and screen sharing between users. After searching, I found a test page at "z2007.redacted.com/agv/sampleAgent.html".
OK. Let us send a request and intercept it. You can see the PUT /offer request body above. I tried changing everything to see the response, and it was the same response every time, except when changing the "groupid" param: there was a small difference in the response. You give the groupid, and the server responds with the group name.
At first, this change was not interesting to me. But after thinking about the website's services and functions, that group name was something new I hadn't seen before. So I reported it as "Information Disclosure [Group Name Manipulation]," and Alhamdulillah, the program accepted it, since the group name should not be disclosed without authentication, and I got a bounty of $100 :)
OK, should we stop here? I don't think so. As we found a bug on one subdomain, the same bug might be there on another one! Just visit every possible subdomain and make a PUT request to see the response.
With some Google dorking, I gathered some subdomains and started sending the same PUT /offer request above to each subdomain. Unfortunately, I got nothing, and I stopped here :(
Surely, no, just don't stop. The bug is there; you just need to search harder. Luckily, I found a subdomain "video.redacted.com" that allows the previous PUT requests! After searching, I found that the server accepts three params: "groupid", "isAnonymous", and a new param called "personid".
Now, access: https://video.redacted.net/offer?groupid=21582&isAnonymous=true&personid=1990018
Intercept the request, change the method to PUT, and click forward to see the results in the browser. And WOW! A lot of results came out!!
With this, I was able to register a video session for anyone in any group. If you modify the groupid and personid parameters, you get new session data.
I reported it as "IDOR Leads to Unauthorized Access to Sensitive Users Session Data," and Alhamdulillah, the program accepted it and rewarded me with $200.
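The root cause in both reports is the same: the /offer endpoint trusts the client-supplied groupid and personid and never checks who is asking. The following is an added example, not code from the write-up or from the affected program, showing that pattern in a vulnerable handler next to a hardened one. The data stores, user ids, group name, and the OfferRequest/Response types are all constructed stand-ins; the isAnonymous flag is carried through as on the page but is treated as a client claim, not an authorization input.

```python
"""Added example (not from the write-up): a PUT /offer-style handler in a
vulnerable form and a hardened form. All data below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the application's group and user stores.
GROUPS = {
    21582: {"name": "Sales Team (constructed)", "members": {1990018, 1990019}},
}
USERS = {1990018: "alice", 1990019: "bob", 2000001: "mallory"}


@dataclass
class OfferRequest:
    """The three parameters the page says the endpoint accepts."""
    groupid: int
    personid: int
    is_anonymous: bool


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_offer(req: OfferRequest) -> Response:
    """Mirrors the reported behaviour: no authentication, ids taken at face value."""
    group = GROUPS.get(req.groupid)
    if group is None:
        return Response(404, {"error": "unknown group"})
    # Leaks the group name to anyone and creates a session for any personid,
    # which is exactly the information-disclosure + IDOR pair from the reports.
    return Response(200, {"group": group["name"], "session_for": req.personid})


def hardened_offer(req: OfferRequest, authenticated_user: Optional[int]) -> Response:
    """Same endpoint with the two checks that were missing.

    authenticated_user is the principal established from the session cookie
    or token by the framework; None means the caller is not logged in.
    """
    # 1. Authentication: the group name and session data are not public.
    if authenticated_user is None or authenticated_user not in USERS:
        return Response(401, {"error": "authentication required"})

    group = GROUPS.get(req.groupid)
    # 2. Authorization, object level: the caller must belong to the group.
    #    A single generic 403 for "no such group" and "not a member" keeps
    #    the response from confirming which groupids exist.
    if group is None or authenticated_user not in group["members"]:
        return Response(403, {"error": "forbidden"})

    # 3. Authorization, identity: a session may only be registered for the
    #    caller's own personid, regardless of what the client sent.
    if req.personid != authenticated_user:
        return Response(403, {"error": "forbidden"})

    # is_anonymous only affects how the caller is displayed in the session;
    # it is never used to relax the checks above.
    return Response(200, {
        "group": group["name"],
        "session_for": authenticated_user,
        "display_name": "Anonymous" if req.is_anonymous else USERS[authenticated_user],
    })


if __name__ == "__main__":
    probe = OfferRequest(groupid=21582, personid=1990018, is_anonymous=True)
    print("vulnerable:", vulnerable_offer(probe))
    print("hardened, unauthenticated:", hardened_offer(probe, None))
    print("hardened, member acting as self:", hardened_offer(probe, 1990018))
```

The third check is the one that closes the IDOR: even an authenticated group member cannot register a session for a different personid, and the server ignores the client's value rather than echoing it back.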
In the end, things didn't go well with HackerOne support. They withheld the rewards I earned because I live in Syria, so I am not eligible for any rewards due to some US laws.
But it doesn’t matter. Money will come sooner or later. As they say, you are only responsible for the effort, not the outcome.
I hope you enjoyed it; please don't forget to give it a like :)
Join my Telegram channel: anas_hmaidy
Follow me on LinkedIn: anas_hmaidy
Best Regards :)