Hey there! I'm cyberpro151 and I'm back with another writeup.
In this writeup I'll share with you how I used forced browsing to land a very easy P2. So let's start with the writeup.
While hunting on one of the target's sites, I came across an employee portal at https://redacted.com/employee/login.aspx that looked like the following:
As any hunter would do, I tested default credentials and SQL injection and checked the JS files for credentials, but no luck. What next?
I used Google dorking to look for links related to the company, and one of them caught my attention. It looked like the following:
The URL was something like this:
https://redacted.com/employee/Documents.aspx
I expected that on visiting this URL I would be redirected to the login page, but guess what? When I clicked the link, even though I wasn't logged in, the portal looked something like the following:
Here I clicked "More information" and bingo! All the documents were disclosed, as shown in the screenshot below:
The interface now looked something like the following:
When I clicked these documents I was able to open them, and one of them disclosed sensitive information like the following:
Similarly, another file disclosed PII of the company's employees.
I reported it and it was marked as P2, as shown in the screenshot below:
Tip: Whenever you come across an employee portal, use Google dorking, waybackurls, gau and similar URL-gathering tools to collect every link to the internal pages behind the portal, then visit each one individually without a session. Failing that, fuzz the internal directory and see which paths are reachable. When checking, send the requests with no cookies and don't follow redirects: a 302 to the login page means the page is protected, while a 200 that actually serves content means the authentication check was never applied to it. You never know which page doesn't require authentication.
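The tip above, as an added example (this is not code from the original writeup): a small Python script that first reduces a dump of dorked or archived URLs to the unique portal paths worth probing, then requests each path with no session and with redirect-following disabled, so that a 302 to login.aspx is classified separately from a 200 that genuinely serves content. The sample URLs and responses in the block are constructed for illustration; Payroll.aspx is hypothetical and not a path from the writeup.

```python
"""Forced-browsing triage for an employee portal (added example, not the writeup's code).

Step 1: reduce a dump of archived/dorked URLs to unique portal paths.
Step 2: GET each path with no cookies, never follow redirects, classify the answer.
All sample URLs and responses below are constructed for illustration.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/employee/login.aspx"   # login page named in the writeup
PORTAL_PREFIX = "/employee/"          # directory that should sit behind the login
REDIRECTS = {301, 302, 303, 307, 308}
# Markers that a 200 is really the login form rendered in place, not content.
LOGIN_MARKERS = (
    re.compile(r"<input[^>]+type=[\"']?password", re.I),
    re.compile(r"forgot (your )?password", re.I),
)


def candidate_paths(urls, prefix=PORTAL_PREFIX, login_path=LOGIN_PATH):
    """Unique paths under `prefix`; query strings dropped, the login page itself skipped."""
    seen, out = set(), []
    for raw in urls:
        path = urllib.parse.urlparse(raw.strip()).path
        key = path.lower()
        if not key.startswith(prefix) or key == login_path.lower() or key in seen:
            continue
        seen.add(key)
        out.append(path)
    return out


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def classify(status, headers, body, login_path=LOGIN_PATH):
    """Label one unauthenticated response.

    ASP.NET forms authentication answers a protected page with a 302 to
    login.aspx?ReturnUrl=...; a page the check was never applied to answers 200.
    """
    if status in REDIRECTS:
        loc_path = urllib.parse.urlparse(_header(headers, "Location")).path.lower()
        if loc_path == login_path.lower() or "login" in loc_path:
            return "redirect_to_login"
        return "redirect_other"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not_found"
    if status == 200:
        if any(m.search(body) for m in LOGIN_MARKERS):
            return "login_page"
        return "accessible"   # content served without a session: the finding
    return f"other_{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError for 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base, paths, timeout=10):
    """Live check: GET each path with no cookies and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in paths:
        req = urllib.request.Request(urllib.parse.urljoin(base, path),
                                     headers={"User-Agent": "forced-browse-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, headers = resp.status, dict(resp.headers)
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:   # 3xx/4xx/5xx all land here
            status, headers = e.code, dict(e.headers)
            body = e.read(65536).decode("utf-8", "replace")
        except urllib.error.URLError as e:
            results[path] = f"error_{e.reason}"
            continue
        results[path] = classify(status, headers, body)
    return results


# Constructed sample data; Payroll.aspx is hypothetical, not from the writeup.
SAMPLE_ARCHIVED_URLS = [
    "https://redacted.com/employee/login.aspx",
    "https://redacted.com/employee/Documents.aspx",
    "https://redacted.com/employee/Documents.aspx?page=2",
    "https://redacted.com/employee/Payroll.aspx",
    "https://redacted.com/about-us",
]
SAMPLE_RESPONSES = {   # constructed answers to unauthenticated GETs
    "/employee/Documents.aspx": (200, {"Content-Type": "text/html"},
                                 "<h1>Documents</h1><a href='q3.pdf'>More information</a>"),
    "/employee/Payroll.aspx": (302, {"Location": "/employee/login.aspx?ReturnUrl=%2femployee%2fPayroll.aspx"}, ""),
}


def triage_sample():
    """Offline run of both steps over the constructed data."""
    return {p: classify(*SAMPLE_RESPONSES[p]) for p in candidate_paths(SAMPLE_ARCHIVED_URLS)}


if __name__ == "__main__":
    for path, verdict in triage_sample().items():
        print(f"{verdict:18} {path}")
```

In practice you would pipe the output of gau or waybackurls into `candidate_paths()` and hand the result to `probe("https://redacted.com", paths)` on a target you are authorized to test; anything labelled `accessible` is the candidate finding, while `login_page` catches portals that render the login form with a 200 instead of redirecting.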
That's all for this writeup! Thanks for reading. Reach out to me on Twitter (X) at @cyberpro151 or on LinkedIn.
Thanks!