An easy bounty using fuzzing


Ahmed Tarek

Hello,

It is me again, Ahmed Tarek :)

Today I would like to share a simple but effective discovery I made using fuzzing. So let's get started! 😉

I was testing a target, let's say target.com. On one of its subdomains I saw the default page of the SMS service they were using. That got me thinking: what if I fuzz it for endpoints?

I fuzzed the subdomain with ffuf using this SecLists wordlist.

ffuf is a web fuzzing tool written in Go. It is very fast and, unlike Wfuzz, supports recursive fuzzing of discovered directories. ffuf works by replacing the FUZZ keyword in the request (here, in the URL) with each value from the wordlist.

The command was:

$ ffuf -w fuzz.txt -u https://sms-express.target.com/FUZZ -mc 200 -ac -recursion

One endpoint came back with status code 200: .gitignore.swp (the Vim swap file of a .gitignore that someone had edited on the server).

I opened https://sms-express.target.com/.gitignore.swp in the browser and a file was downloaded.
Inside were paths to more sensitive directories.
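The defender-side counterpart of this finding, as an added example that is not part of the original write-up: a pre-deploy check that walks a web root (the path is an assumption) and flags editor swap files, backup copies and VCS metadata such as the `.gitignore.swp` above, confirming Vim swap candidates by their `b0VIM` block-0 header.

```python
import os
import re
from pathlib import Path

# Name patterns for editor and VCS artifacts that a web server would happily serve.
# `.gitignore.swp` (the file found in the write-up) matches the Vim swap rule.
ARTIFACT_PATTERNS = [
    (re.compile(r"^\..*\.sw[a-p]$"), "vim swap file"),        # .name.swp / .swo / ...
    (re.compile(r".*~$"), "editor backup file"),               # name~ (Vim, Emacs, nano)
    (re.compile(r"^#.*#$"), "emacs autosave file"),            # #name#
    (re.compile(r".*\.(bak|orig|old)$"), "backup copy"),
    (re.compile(r"^\.git(ignore|attributes)?$"), "git metadata"),
    (re.compile(r"^\.env(\..*)?$"), "environment file"),
]

VIM_MAGIC = b"b0VIM"  # first bytes of every Vim swap file (block 0 header)


def is_vim_swap(path: Path) -> bool:
    """Confirm a candidate is a real Vim swap file by its block-0 magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(VIM_MAGIC)) == VIM_MAGIC
    except OSError:
        return False


def find_exposed_artifacts(webroot: str) -> list[tuple[str, str]]:
    """Walk the web root and return (relative path, reason) for every file that
    matches an artifact pattern. A .git directory is reported as a whole."""
    findings = []
    root = Path(webroot)
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if ".git" in dirnames:
            findings.append((str(rel_dir / ".git"), "git repository directory"))
            dirnames.remove(".git")  # no need to descend; the whole tree leaks
        for name in filenames:
            for pattern, reason in ARTIFACT_PATTERNS:
                if pattern.match(name):
                    if reason == "vim swap file" and not is_vim_swap(Path(dirpath) / name):
                        reason = "vim swap file (name only, magic missing)"
                    findings.append((str(rel_dir / name), reason))
                    break
    return sorted(findings)


if __name__ == "__main__":
    for rel, why in find_exposed_artifacts("/var/www/html"):  # assumed web root
        print(f"{why}: {rel}")
```

Run it from CI before a deploy, or point it at the live document root; anything it lists is reachable by exactly the kind of wordlist fuzzing described above.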

I immediately reported the bug and got a $30 bounty.

Thanks for reading!
