“How Companies Need to Widen There Scopes”

Hi all just call me Amnotacat ”seriously Amnotacat ”.

I sometimes come across big companies that only focus on some areas of there company and forget the rest which is a huge issue that I have come across in Bug Bounty programs because companies specifically big ones forget that one domain that they probably forgot about or simply do not care for can create the most headaches Shall we.

Running fairly low subdomain enumeration “subfinder -d company.com -silent | httpx -probe -status-code -silent | grep -e “200” -e “301” -e “302”.

I came across a domain example.com with just a login screen .

Ran waybackurls by tomnomnom “https://github.com/tomnomnom/waybackurls” I use waybackurls quite alot in my subdomain enumeration process “waybackurls example.com”.

Now when I ran waybackurls I saw an endpoint that right away caught my attention /javax.faces.resource/ this endpoint screamed at me CVE-2017–1000486 which allows for remote code execution and by looking at the domain it looked promising but I have experience with this issue and have come across this issue through out the years before i was doing Bug Bounties so I already knew how to exploit the issue and PIMPS “https://github.com/pimps/CVE-1000486" has a great exploit for this issue.

When running the exploit and running “cmd=uname” I got the response I was hoping for “Linux” I then automatically tried to fetch the aws keys and to my surprise I was able to hit “http://169.254.169.254/" using a simple curl command.

After fetching the access-keys I stopped testing and reported the issue right away.

Now your asking yourself about the title yes the title the issue here was that this domain was not listed in-scope but it was not necessarily out of scope let me explain.i had previously asked the company how do I report an issue to a domain that is not in scope and got a very friendly response from the company.

This made me happy I love a big scope but love more a company that “ACTUALLY” cares about there security.Now the issue here is that more companies are not doing this because this domain was probably forgotten about or it was not a priority which I see time and time again from big companies they focus only on some domains but forget that the domain that they are not seeing as important can really wreck havoc on an organization.Now i always understand that some domains an organization does not want to be tested which is more than understandable but when a company black lists every domain out of scope then to us as hackers it tells us that there is something bigger then trying to let us hackers secure your company.

After reporting the remote code execution the company added the domain to out of scope which made me think does the company care about security?of course they do this is not a question if they do or not is the fact that there has to be something bigger here that made the company make these changes which i honestly do not understand and credit the company they actually paid me something for the remote code execution among other issues i also submitted because most companies do not pay at all no matter if you can drop a shell inside there infrastructure.

I read a lot of bug bounty write ups and love the community but i don't see enough write ups about the bug bounty politics which i honestly hate i really hope something changes i did not even want to do this write up at all but hopefully this brings some changes and i also wanted to share one finding for the community as i have learned so much from it.

Thank you for reading.