Does Out-Of-Scope Matter? A Story Of How I Made $100.

3 years ago

Mukund Bhuva

$ whoami

Hello, I’m Mukund Bhuva aka ShellSpider, a Security Researcher. I also like to play CTFs like Hack The Box (1st Rank in India). Anyway, let’s dive into the “Good Stuff”.

%00

TL;DR

We all know that XSS is a very simple bug to find, but we also know that the “simple XSS”es have already been reported. So we have to dig deeper into enumeration and payload crafting, but that is booooooring af. And we don’t do that here.

Literally

The company doesn’t want to disclose its name, so I’ll refer to it as redacted.com.

I personally like subfinder. So I started fuzzing subdomains, and there were a whole lot of them, so I had to filter out the working ones. For that I use httprobe (TomNomNom is really great at this).

subfinder -d redacted.com | sort -u >> sub.domains.redacted.txt
cat sub.domains.redacted.txt | httprobe | anew working-subdomain.txt

Now I have a list of working subdomains, but the RVDP clearly specifies that *.redacted.com is out of scope.

I’ll get back to that later; let’s continue with the exploit.

I found some interesting subdomains like boutique-gateway119.redacted.com. So I went straight down to the footer: its copyright says 2018. So the site is pretty old, so it will be damn vulnerable.

I found a search functionality, so I tried some basic fuzzing and found a classic XSS right there.

So I instantly went to the respective Responsible Disclosure Management Program and reported it.

But here is the twist, and the point you have all been waiting to have answered:

“How the freak did I get paid for an out-of-scope asset?”

So here is the deal: OUT-OF-SCOPE doesn’t matter; the only thing that matters is Data Security, capital D, capital S. When I executed javascript:alert(document.domain + document.cookie); I found that this subdomain was leaking the cookies of account.redacted.com, so it is harming the privacy of actual users. Even though it is out of scope, it is still exploitable and can be used to steal accounts.
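The post does not say why cookies belonging to account.redacted.com were visible on another subdomain. The added example below (not code from the original post) assumes the usual cause: the account host sets cookies with a Domain attribute covering the parent domain, so the browser sends them, and exposes them to document.cookie, on every subdomain. It applies the RFC 6265 domain-matching rule to a constructed set of Set-Cookie headers and reports which cookies script on a given host could read, which is what a defender would check to decide whether HttpOnly or host-only cookies would have contained the issue. Hostnames and cookie values are constructed.

```python
# Added example, not from the original post: which cookies set by one origin would
# document.cookie reveal to script on another subdomain? Hostnames and values are constructed.
from typing import List, Optional, Tuple

def parse_set_cookie(header: str) -> Tuple[str, Optional[str], bool]:
    """Return (name, Domain attribute or None for host-only, HttpOnly flag)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, http_only = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()  # browsers ignore a leading dot
        elif key == "httponly":
            http_only = True
    return name, domain, http_only

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host is cookie_domain itself or a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def readable_by_script(headers: List[str], setting_host: str, script_host: str) -> List[str]:
    """Names of cookies set by setting_host that document.cookie exposes on script_host."""
    exposed = []
    for header in headers:
        name, domain, http_only = parse_set_cookie(header)
        if http_only:
            continue  # never visible to document.cookie, XSS or not
        if domain is None:
            # Host-only cookie: sent back only to the exact host that set it.
            if script_host.lower() == setting_host.lower():
                exposed.append(name)
        elif domain_matches(setting_host, domain) and domain_matches(script_host, domain):
            # The browser accepted the Domain attribute, and script_host falls under it.
            exposed.append(name)
    return exposed

# Constructed sample: what an account host might set.
SAMPLE_HEADERS = [
    "session=abc123; Domain=.redacted.com; Path=/; Secure",
    "csrf=tok; Domain=.redacted.com; Path=/",
    "pref=dark; Path=/",
    "auth=xyz; Domain=.redacted.com; Path=/; Secure; HttpOnly",
]
if __name__ == "__main__":
    print(readable_by_script(SAMPLE_HEADERS, "account.redacted.com",
                             "boutique-gateway119.redacted.com"))  # prints ['session', 'csrf']
```

Only the two non-HttpOnly cookies scoped to the parent domain show up on the other subdomain; the host-only cookie and the HttpOnly cookie do not, which is the configuration that keeps an XSS on an unrelated subdomain from becoming an account takeover.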

And most importantly, people (hackers) always focus on the vulnerability rather than the impact and severity of the bug.

So, if you find a little bug on an out-of-scope asset, try to exploit it and enumerate sensitive data.

I specified in the report that even though it is an out-of-scope asset, it is leaking user data.

And a good thing is that hunters usually run away from out-of-scope assets, so there is less competition.

I can’t show any PoC or images; policies 😕.

Thanks For Reading✌️. Keep Hunting 😇.
