Appreciation Letter from NASA for Uncovering Unauthorized file Access


Bhautik Patel

About Me

Hello, fellow bug hunters and aspiring security researchers! 🌟 I’m hackxb12 (Bhautik Patel), a Security Researcher & bug hunter with a passion for uncovering vulnerabilities. In this post, I’ll be sharing how I got an Appreciation Letter from NASA — a moment that solidified my journey in the world of cybersecurity. I hope my story inspires others to explore ethical hacking and contribute to a safer digital world.

Let’s get started,

Description:

Let’s assume the vulnerable domain is abc.com and the endpoint is /xyz. During my reconnaissance of abc.com, I found the /xyz endpoint. Initially, when I tried to access this endpoint, I received a 403 Forbidden error, which indicated that the resource was restricted.

However, upon further exploration, I discovered a .zip file associated with the same endpoint. When I accessed this .zip file and extracted its contents, I was able to access the entire directory for the /xyz endpoint.

Steps To Reproduce:

1. Use any subdomain enumeration tool to identify subdomains of the target domain. In my case I have used subfinder.

subfinder -d target.com -all -recursive > subdomain.txt

2. Once the enumeration is complete, you will have a list of subdomains. The next step is to fetch live subdomains from this list.

cat subdomain.txt | httpx -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt

3. After identifying the live subdomains, use endpoint enumeration tools (such as Katana, WaybackURLs, or others) to gather endpoints for each subdomain.

cat subdomains_alive.txt | waybackurls | tee allurls.txt

4. Let’s fetch all JavaScript file endpoints.

cat allurls.txt | grep -E '\.js$' >> js.txt

5. During this process, I discovered an endpoint: /xyz/file.js.

6. When trying to access the /xyz/file.js endpoint, I encountered a 403 Forbidden error.

7. In response to this, I decided to enumerate additional file types — .zip, .rar, .tar, and .gz — as these file formats could potentially contain hidden resources or sensitive data.

grep -E "\.(zip|rar|tar|gz)$" allurls.txt > filtered_files.txt

8. While inspecting the filtered URLs, I found a .zip file that had the same directory name as the previously discovered /xyz endpoint.

9. After visiting the .zip file endpoint, I was able to access all the files within the /xyz directory, potentially exposing sensitive information.
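Step 8 above is a manual correlation: an archive whose name or location matches a directory the server refuses with 403. The same check is worth running from the defender's side over your own URL inventory, so that a backup or packaged copy of a restricted directory is caught before a researcher reports it. The script below is an added example for this write-up, not the author's tooling; it reads constructed "status url" lines (the hostnames and paths are made up) of the kind you can produce from access logs or a crawl of your own site, and flags fetchable archives that sit under or beside a 403 path.

```python
"""Flag archive files that are fetchable (2xx) although they name, or live
inside, a directory the web server otherwise answers with 403.

Added example, not the original post's code. Input format ("<status> <url>"
per line) and all hostnames/paths below are constructed for illustration.
"""
from urllib.parse import urlparse
import posixpath

# Archive extensions from the write-up (step 7).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".tar", ".gz")

# Constructed sample inventory: one probed URL per line, "status url".
SAMPLE_INVENTORY = """\
403 https://abc.example/xyz/
403 https://abc.example/xyz/file.js
200 https://abc.example/xyz.zip
200 https://abc.example/assets/app.js
200 https://abc.example/static/vendor.tar.gz
403 https://abc.example/admin/
200 https://abc.example/admin/backup.zip
"""


def parse_inventory(text):
    """Return a list of (status, url) tuples, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        entries.append((int(parts[0]), parts[1].strip()))
    return entries


def is_archive(path):
    return path.lower().endswith(ARCHIVE_EXTENSIONS)


def strip_archive_suffix(path):
    """Remove stacked archive extensions: '/xyz.tar.gz' -> '/xyz'."""
    changed = True
    while changed:
        changed = False
        for ext in ARCHIVE_EXTENSIONS:
            if path.lower().endswith(ext):
                path = path[: -len(ext)]
                changed = True
    return path


def restricted_dirs(entries):
    """Collect every directory (and ancestor) that appears in a 403 response."""
    dirs = set()
    for status, url in entries:
        if status != 403:
            continue
        path = urlparse(url).path
        # A trailing slash names the directory itself; otherwise take the parent.
        directory = path.rstrip("/") if path.endswith("/") else posixpath.dirname(path)
        while directory and directory != "/":
            dirs.add(directory)
            directory = posixpath.dirname(directory)
    return dirs


def find_exposed_archives(entries):
    """Return (url, restricted_dir) for each 2xx archive whose base name
    matches a restricted directory (/xyz.zip vs /xyz/) or that is served
    from inside one (/admin/backup.zip vs /admin/)."""
    restricted = restricted_dirs(entries)
    findings = []
    for status, url in entries:
        path = urlparse(url).path
        if not (200 <= status < 300) or not is_archive(path):
            continue
        base = strip_archive_suffix(path)   # '/xyz.zip' -> '/xyz'
        parent = posixpath.dirname(path)    # '/admin/backup.zip' -> '/admin'
        for candidate in (base, parent):
            if candidate in restricted:
                findings.append((url, candidate))
                break
    return findings


if __name__ == "__main__":
    for url, directory in find_exposed_archives(parse_inventory(SAMPLE_INVENTORY)):
        print(f"archive {url} is fetchable but {directory}/ returns 403")
```

On the constructed sample this reports two archives: /xyz.zip (the write-up's pattern, a packaged copy of a forbidden directory) and /admin/backup.zip (an archive served from inside a forbidden directory). Either is a sign that the 403 rule covers the directory listing but not the artifact beside it, which is the access-control gap the Impact section describes.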

Impact:

Unauthorized Access: The ability to access a .zip file containing all files from the /xyz directory indicates a possible lack of proper access control or authentication mechanisms for sensitive directories.

Data Exposure: If the ZIP file contains sensitive or private files, this could lead to unauthorized data exposure. The attacker can download, extract, and review these files for further exploitation or analysis.

Thanks for reading! If you enjoyed this, follow me for more:

Follow me:

Twitter

Linkedin
