“Glory be to You; we have no knowledge except what You have taught us. Indeed, You are the All-Knowing, the All-Wise.”
Hi everyone, welcome back to my second writeup, about accessing an admin panel via registration. Let’s get into it.
I was doing recon for a month and a half and got 30 XSS. I got some root domains, one of which I was suspicious of. I tried to find any bugs but got nothing.
After some days I went back to the same root, let’s call it example.com. A subdomain of it is ui.dev.example.com. It always asked me to log in for any path I entered or took from JS files.
I noticed that the link is https://ui.dev.example.com/auth/jwt/login
So I changed login to register. It gave me some inputs, I filled out the form and entered, then …
I could get into it with the demo user Jane Doe. Up to this point it might be accepted as P4. I tried to open any of those inputs like Devices, Configurations, Notifications, etc… nothing, until I clicked on Chat.
I could read the chat, maybe P3. But I needed more and more impact. I got endpoints from the JS using a nice extension called findsomething.
It gave me 117 endpoints. I tried to open them, but nothing: it redirected me to the login page, but the tab I had opened with the demo user was still working. It made me more suspicious.
After some testing, I took endpoints from the JS files, added them in the same tab with the demo user, opened them, and BOOM!!
But I couldn’t open them because I needed endpoints and requests to do actions, so maybe P2. But I needed more and more….
After some thinking, I told the triager this in a comment:
Due to the lack of authentication on the panel, an attacker could get [Service] v6.1.0, used by the site (this information was
gathered from the /pricing page), by purchasing it if it has no free
trial. The attacker would only need to make a request on their
localhost, copy the request, and then execute it on your host within
the same session after registration.
And with this it was accepted as P1.
I hope it was useful for you to read.
This is my Twitter account, feel free to ask…