Easiest Critical Bug triaged on HackerOne

Sahil Dari
2 min read · Aug 8, 2021

Greetings, awesome hackers. I’m Sahil Dari, and this is my first blog post, about my first and easiest Critical report triaged on HackerOne. I don’t need to tell you how much impact there can be if a malicious user gains admin-level access to a website. So let’s start with the write-up.

I was looking for responsible disclosure programs on Google using the dorks inurl:responsible-disclosure and site:report.*.com, and found one private program on HackerOne this way. Let’s refer to the target as website.com for simplicity. It had a giant scope covering the main website and some of its acquisitions.

I started on the program by enumerating the subdomains of the main website with some well-known subdomain enumeration tools, Findomain, Subfinder and Assetfinder, integrated into one script developed by me and my team BwithHacker. You can check out this tool here.

./subdomain-enum.sh website.com

Subdomain Enumeration

Now we have a list of all subdomains in the domains.txt file, and all the alive subdomains are listed in alive.txt.

With the subdomains listed, I started looking for parameters with ParamSpider.

python3 paramspider.py -d website.com

The output from ParamSpider caught my attention with https://subdomain.website.com/login?returnURL=FUZZ

So I went to the subdomain with that parameter to test for open redirection and XSS that might help me chain to critical bugs. I tried open redirection payloads and XSS payloads, but nothing happened. Then I tried to log in with admin:admin, and VOILA!! I got logged in with admin privileges. With admin privileges I could add, delete, update and read users’ data on the website.

I then reported it ethically to the program, and the report got triaged.
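An added example, not part of the original write-up: a defender-side audit that flags accounts in your own user store whose password is still a default pair such as admin:admin. The record layout, the PBKDF2 parameters and the default-pair list are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed list of default credential pairs to audit against (assumption).
DEFAULT_PAIRS = [("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("test", "test")]
ITERATIONS = 100_000  # assumed work factor of the hypothetical user store


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for whatever KDF the real store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(username: str, role: str, password: str) -> dict:
    """Build a constructed user record with a per-user random salt."""
    salt = os.urandom(16)
    return {"username": username, "role": role, "salt": salt,
            "pw_hash": hash_password(password, salt)}


def audit_default_credentials(users) -> list:
    """Return (username, role) for accounts whose hash matches a default pair.

    For each account only the defaults listed for that username, plus the
    username itself as password, are hashed with the account's own salt.
    """
    findings = []
    for user in users:
        candidates = {pw for name, pw in DEFAULT_PAIRS if name == user["username"]}
        candidates.add(user["username"])
        for candidate in sorted(candidates):
            digest = hash_password(candidate, user["salt"])
            if hmac.compare_digest(digest, user["pw_hash"]):
                findings.append((user["username"], user["role"]))
                break
    return findings


# Constructed sample store: one admin left on admin:admin, two changed passwords.
SAMPLE_USERS = [
    make_user("admin", "administrator", "admin"),
    make_user("alice", "editor", "x9!Lq27#vTzp"),
    make_user("root", "administrator", "c0rrect-horse-battery"),
]

if __name__ == "__main__":
    for username, role in audit_default_credentials(SAMPLE_USERS):
        print(f"default credentials still valid: {username} (role={role})")
```

Run as a scheduled job or a pre-deployment check, a non-empty result means a privileged account must have its password rotated before the login page is reachable.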

Thank you guys for reading. I will create more blogs soon, so stay tuned. Till then, you can follow me on Twitter, LinkedIn and GitHub.

Report triaged on HackerOne
