A few months ago, I found a web security program through my friend, who is a co-founder of a company. They connected me with the team because the CEO suspected that some data had somehow leaked. They even had proof involving a specific person.

At first, I started testing the website, but I did not perform deep reconnaissance. Later, I restarted the process properly.

Recon Process

I used Subfinder to discover subdomains. It found more than 250 subdomains.

subfinder -d website.com

I saved all the subdomains into a text file.

Then, I used httpx to check the status codes and titles of the subdomains.

httpx -status-code -title -l website.txt

After that, I collected all the valid domains and stored them in a file named:

httpx-subdomain.txt

Next, I used waybackurls to gather old and hidden endpoints from the valid subdomains.

waybackurls < httpx-subdomain.txt

It returned many additional URLs and endpoints. I again verified them with httpx, and the results looked promising.

Finding the Vulnerability

After collecting the subdomains, I manually visited many webpages, but initially, I could not find anything important.

After spending around 30 minutes testing, I discovered a parameter like:

?filename=

I had not noticed it before.

I tested the parameter with different payloads, and some commands were executed successfully. Through this, I found sensitive files and data, including information that had been uploaded just the day before.
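As an added example (not the author's code and not the affected site's), here is the server-side pattern a ?filename= parameter like the one above usually needs: the unsafe join-and-open beside a version that refuses anything resolving outside the intended directory. It assumes the parameter named a file on disk under one fixed base directory; the directory and file contents are constructed for the demo.

```python
import os
import tempfile
from typing import Optional


def vulnerable_read(base_dir: str, filename: str) -> bytes:
    """The unsafe pattern: join whatever the client sent and open it.
    '../' sequences or an absolute path walk out of base_dir."""
    with open(os.path.join(base_dir, filename), "rb") as fh:
        return fh.read()


def resolve_safe_path(base_dir: str, filename: str) -> Optional[str]:
    """Return the real path of `filename` inside `base_dir`, or None if the
    request is empty, contains a NUL byte, escapes the directory, or is not a
    regular file."""
    if not filename or "\x00" in filename:
        return None
    root = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the containment check
    # is made on the final target, not on the string the client supplied.
    candidate = os.path.realpath(os.path.join(root, filename))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def safe_read(base_dir: str, filename: str) -> Optional[bytes]:
    """Hardened replacement for vulnerable_read: None means 'reject with 400/404'."""
    path = resolve_safe_path(base_dir, filename)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    # Constructed sample directory with one legitimately uploaded file.
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "upload.txt"), "w") as fh:
            fh.write("uploaded yesterday")
        return {
            "legit": safe_read(base, "upload.txt"),
            "traversal": safe_read(base, "../../../../etc/passwd"),
            "absolute": safe_read(base, "/etc/passwd"),
        }
```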

I immediately reported the issue to the backend engineer, explained the vulnerability, and showed the proof of concept. The engineer fixed the code, and the CEO thanked me for identifying the problem.