Ctrl + U to Bounty: How I Found Sensitive Info in the Source Code

بسم الله الرحمن الرحيم

Hello everyone!

today, we’ll discuss a simple information disclosure bug I found in a private HackerOne program. Let’s dive in! .

The bug involved an information disclosure vulnerability within the admin portal that exposed the admin guide and its sensitive content.

Recon process :

i choose site like *.target.com i then utilized Subfinder with an API key to identify subdomains.

Additionally , I used Google Dorks like site:*.target.com -www to uncover subdomains not included in the main website. This approach led me to a subdomain like corporate-admin.target.com.

Intrigued by this subdomain, I accessed the site and examined the source code using the keyboard shortcut Ctrl + U. While inspecting the JavaScript files, I discovered a link pointing towards a Google Doc presentation.

Curious ,
opened the link to explore its content and validity. To my surprise, it turned out to be the admin guide containing sensitive information like valid voucher codes, admin emails, usernames, and internal environment details.

Upon discovering this vulnerability, I promptly reported it to the program. Fortunately, the report was accepted, and I was rewarded with a bounty for my efforts. Interestingly, the entire process, from selecting the target to finding the bug, took only around 10 minutes.

To rectify this issue, the recommended either remove the document file entirely from the HTML page or restrict access to the document by implementing authorization checks to ensure only authorized personnel can view it.

Always make a habit of examining the source code of websites. Valuable information might be hidden within the code, such as developer comments that could potentially aid in crafting an attack or gaining a better understanding of the website’s functionality.

Thank you for reading. If you have any questions , feel free to ping me on X , or LinkedIn.