Can you even imagine what most people do? They do recon, burst out some payloads and think that's BBH? Naahh man, I'll show you how a simple recon got me $100.

I used Shodan for the recon. I put the target in the query and got various results; one of them had been updated on the same day I was checking. https://www.shodan.io/search?query=redacted.com

I then went to https://sub.sub.redacted.com and found a page with literally nothing on it.
Then I thought of fuzzing the website, so I used dirsearch with the common wordlist:
dirsearch -u https://sub.sub.redacted.com/
I got a 403 on /.env, which indicates the file is there but not accessible, and when I tried to visit https://sub.sub.redacted.com/.env directly I got a Cloudflare error saying "Sorry, you have been blocked. You are unable to access redacted.com".
One Question That Matters
If the WAF blocks me what is it protecting?
A WAF only protects what it sits in front of. If the origin server is exposed the WAF means nothing.
So I went looking for the real server.
Shodan Changed Everything
WAF Bypass in One Step
Accessing the application through the origin IP completely bypassed the WAF. No filters. No blocks. No warnings.
Requesting the .env file returned a clean 200 OK.
The production environment file was exposed.
What Was Leaked
The file contained critical production secrets.
Database credentials, session signing keys and internal API routes.
This was more than a file leak. It was a full security control bypass.
Why This Is Serious
An attacker could avoid every WAF rule: no rate limiting, no injection filters, no detection. With valid credentials, backend systems were within reach. This is how small misconfigs turn into big breaches.
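As an added example (not from the original post or the affected program), here is the origin-side nginx configuration that would have closed both gaps: the weak server block beside a hardened one that only accepts connections arriving from the WAF/CDN edge and never serves dotfiles. The hostname is the post's redacted one; the IP ranges, certificate paths and web root are placeholders.

```nginx
# WEAK: the origin answers anyone who finds its IP and serves every file under
# root, so /.env is one direct request away once the WAF is out of the path.
server {
    listen 443 ssl;
    server_name sub.sub.redacted.com;
    root /var/www/app/public;              # placeholder path
    ssl_certificate     /etc/ssl/app.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/app.key;  # placeholder path
}

# HARDENED
# 1. A request that hits the bare IP with no matching SNI/hostname gets no TLS
#    handshake at all (ssl_reject_handshake needs nginx >= 1.19.4).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name sub.sub.redacted.com;
    root /var/www/app/public;
    ssl_certificate     /etc/ssl/app.crt;
    ssl_certificate_key /etc/ssl/app.key;

    # 2. Only the WAF/CDN edge may connect. The ranges below are placeholders
    #    (RFC 5737 documentation space); use the provider's published egress
    #    ranges and keep them updated. Do NOT combine with set_real_ip_from /
    #    real_ip_header here, or these rules would test the end user's address
    #    instead of the edge's. Also firewall 443 at the host/cloud layer so the
    #    edge is the only peer; this block is the second line, not the first.
    allow 203.0.113.0/24;      # CDN_EDGE_RANGE_1 placeholder
    allow 198.51.100.0/24;     # CDN_EDGE_RANGE_2 placeholder
    deny  all;

    # 3. Never serve dotfiles (.env, .git, .htaccess, ...) whoever asks.
    #    /.well-known stays reachable for ACME challenges. Better still, keep
    #    .env outside the web root entirely so there is nothing to leak.
    location ^~ /.well-known/ { }
    location ~ /\. { return 404; }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After applying this, verify from outside the CDN that a direct request to the origin IP with the site's Host header is refused and that /.env returns 404 through the edge.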
I reported it and it got fixed quickly. It was rated P2 and paid $100, not much but not bad I guess.
50 claps if you like it ;) Thanks for reading.
Watch scan data. Test quickly. Think beyond the front door.
Connect here:
Portfolio: https://swarnimbandekar.github.io/ LinkedIn: https://www.linkedin.com/in/swarnimbandekar/