Fuzzing is always fun..!!

3 months ago 29

Hello Everyone,

My name is pulla karthik Srivastav (security researcher) from Hyderabad. I am so excited as this is my fourth write up on vulnerability assessment of web apps. I was searching for a vulnerability disclosure program using the bug bounty dork:

responsible disclosure r=h:com

Paste the google dork in browser from that I have selected a vulnerability disclosure program.

Lets start,

Bug type: Fuzzing leads to broken access control

Initially, let us assume the target domain as target.com and the scope of Vulnerability disclosure program is *.target.com. I have started the subdomain enumeration of the target using mentioned tools

Please Visit the below link for subdomain enumeration recon:

Tools required for fuzzing:

dirsearch

go buster

ffuf

After collecting all the subdomains I have started fuzzing on each and every subdomain using the above tools.

command for dirsearch:

python3 dirsearch.py -u https://****.target.com/ -r .*

r .* — used for recursive calls of wordlists-u — selecting the target

command for go buster:

gobuster dir -u https://target.com/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt -t 200 2> /dev/null

okay let me explain u the command by dividing it

-w — selecting the worlistsdir — directory-x — it used to add the extensions to the wordlists-t — Number of concurrent threads2> /dev/null — used to avoid the errors

command for ffuf:

./ffuf -w /home/kali/Documents/common.txt -u https://target.com/FUZZ

Note: Don’t relay on single tool use multiple tools for better results.

After using this I found a unique sensitive file in target.

Vulnerable url :

https://se-****.target.com/.htaccess

Little bit about htaccess file: .htaccess file is a powerful website file that controls high-level configuration of your website, the .htaccess file allows you to make changes to your website’s configuration without having to edit server configuration files.

Impact:

.htaccess files are configuration files for the web server that can be used to override certain server configuration options on a per-directory basis using a human readable file. If their contents are exposed, attackers can gain valuable insight into your server configuration and may read sensitive data that can aid them in further attacks.

Solution:

Make sure that admin .htaccess files are not readable when you directly access them via your web browser. If possible try to apply the configuration options within the virtual host configuration file and deactivate the possibility of using .htaccess files. This will not only enhance performance Additionally it is more secure and helps to avoid situations where an attacker can upload their own .htaccess file to the server.

Ethically Reported and the program accepted the bug and rated the severity as low .

Thanks for Reading.

Happy Hacking!!

Read Entire Article