How I Disclosed Employees PII | The mistake I made...

7 months ago 43

the_air_sharma

Radhe Krishna.

Hello Enthusiastic Bug Bounty Hunters!!! It's been several months since I uploaded my last write-up.

Today I will explain how I found a sub-domain which was disclosing employees' PII, basically. You will get to know what I’m talking about.

Tools Required:

assetfinder

subfinder

httprobe

Aquatone

dirsearch (I used the default wordlists for this)

I got tired of searching for programs on famous platforms, so I thought to go for self-hosted programs; let's call it redacted.com. All sub-domains were in scope, but I didn’t read the policy correctly (I will explain later).

As usual, I searched for all the sub-domains and used httprobe to filter out live domains (found nearly 200) and stored them in a .txt file. I used the Aquatone tool to take all the screenshots. I manually went through all the screenshots and separated all the 2xx, 4xx, 3xx, mainly (401, 403, 404), in CherryTree. At first I took all the 404 sub-domains and sent them to dirsearch for fuzzing. I found some login pages behind the 404s. I went through all the login pages and found nothing much interesting. It took me 2 days for all this process.

The next day, while going through all the screenshots, this time I collected all the 403 and 401 sub-domains (not all the 401s and 403s, but the sub-domains which showed forbidden only for certain keywords; for example, “admin.redacted.com/admin” showed 403 or 401 but “admin.redacted.com/man” showed 404 Not Found, which is interesting) and sent them to dirsearch. After a while I found a sub-domain called “https://beta.redacted.com/form/dashboard” with 200 OK.

Disclosed Employees PII

In this I was able to perform all sorts of actions like adding, deleting, updating, etc. I spent nearly 5 hours to find this one.

I reported the bug, and after 5 days I got mail from the team saying that it was out of scope. Actually, the thing was that I did not read the policy properly: the bug I reported was on testing/UAT, and this was under a pre-released version, so it was not eligible for a bounty reward.
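Seen from the owner's side, a wordlist run like the one described above leaves a clear trace in the web server's access log: one client, mostly 401/403/404 answers, and a few 2xx paths that turned out to be reachable without authentication. The following is an added example, not part of the original write-up; it flags such clients and lists the paths that answered 2xx so they can be put behind authentication. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined-log-format prefix: client IP, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, path, status):
    # Helper that builds one constructed access-log line for the sample below.
    return f'{ip} - - [10/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample: one client walking a wordlist, one ordinary visitor.
SCAN = [("/admin", 403), ("/man", 404), ("/old", 404), ("/backup", 404),
        ("/login", 404), ("/test", 404), ("/form/", 403), ("/api", 404),
        ("/panel", 404), ("/form/dashboard", 200)]
NORMAL = [("/", 200), ("/static/app.js", 200), ("/favicon.ico", 404)]
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", p, s) for p, s in SCAN]
    + [_line("198.51.100.20", p, s) for p, s in NORMAL]
)

def find_discovery_hits(log_text, min_requests=8, min_miss_ratio=0.7):
    """Return {client_ip: [paths answered 2xx]} for clients whose traffic
    looks like path discovery: enough requests, mostly 401/403/404."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status = m.groups()
        per_client[ip].append((path, int(status)))

    findings = {}
    for ip, reqs in per_client.items():
        misses = sum(1 for _, s in reqs if s in (401, 403, 404))
        if len(reqs) >= min_requests and misses / len(reqs) >= min_miss_ratio:
            # The 2xx answers are what the scan actually found exposed.
            findings[ip] = sorted({p for p, s in reqs if 200 <= s < 300})
    return findings

if __name__ == "__main__":
    for ip, paths in find_discovery_hits(SAMPLE_LOG).items():
        print(f"{ip}: possible path discovery, reachable without auth: {paths}")
```

Every path in the output is a candidate for review: on a beta or UAT host it should require authentication even if the host is out of scope for the bounty program.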
