Hello, everyone! 👋
I’m Dhananjay Pathak, a passionate security researcher, and today, I’m excited to share a recent vulnerability I discovered in a public program related to Information Disclosure or Sensitive Data Exposure. In this blog post, I’ll walk you through the entire process I used to uncover exposed Sensitive Authentication Credentials.
Vulnerability Summary: While looking at the target application’s JavaScript file, I found a URL that included the App_ID and App_Key parameters. By accessing this URL, a JSON file was downloaded, which contained sensitive information related to the target.
Let’s dive into the step-by-step process of how I discovered this vulnerability!
For the sake of this example, let’s assume the target is www.target.com.
The first step is to find all possible subdomains associated with the target. I recommend using multiple tools for subdomain enumeration to ensure comprehensive coverage.
Here are the tools I used:
sublist3r -d target.com -v -o ~/target/sublister_subdomains.txt
subfinder -d target.com -o ~/target/subfinder_subdomains.txt
amass enum -passive -norecursive -noalts -d target.com -o ~/target/amass_subdomains.txt
To avoid duplicates and consolidate all the subdomains into one file, we can merge and sort the results.
cat ~/target/subfinder_subdomains.txt ~/target/sublister_subdomains.txt ~/target/amass_subdomains.txt | anew ~/target/all_subdomains.txt
Once we have the subdomains, it’s time to check which ones are actually alive and responding. For this, I used httpx, a tool designed to filter live subdomains efficiently.
httpx -l ~/target/all_subdomains.txt -o ~/target/live_subdomains.txt
Now that we have the live subdomains, we need to find all possible endpoints. waybackurls reads hostnames from standard input, so the live list is piped into it:
cat ~/target/live_subdomains.txt | waybackurls > ~/target/waybackurls.txt
Now that we’ve identified live subdomains and started finding endpoints, the next step is to gather all JavaScript files.
cat ~/target/waybackurls.txt | grep "\.js$" > ~/target/javascript.txt
Now that we have all the JavaScript files listed in javascript.txt, we can use a tool like Mantra to automatically extract interesting information, such as sensitive data, API keys, secrets, endpoints, or other security-relevant content from these files.
cat ~/target/javascript.txt | mantra
After running Mantra on the collected JavaScript files, I discovered that one of the .js files contained the keywords app_id and app_key with their corresponding values. Upon analyzing this JavaScript file further, I identified a URL within the script that included these parameters:
When I opened the URL in a new browser tab, a JSON file was downloaded. After reviewing the contents of the JSON file, I found that it exposed private information, including participant details, event data, and other sensitive information related to the target.
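The same class of finding can be caught before a bundle ships. The following is an added example (not the author's tooling, and not Mantra): a small secret-scanning pass that flags app_id / app_key style string assignments and URLs carrying those parameters in JavaScript source, reporting redacted values so the finding can be triaged without copying the secret into a ticket. The parameter names beyond app_id and app_key, the sample bundle and its values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names worth flagging. "app_id" and "app_key" are the ones from the
# write-up; the others are common aliases added here as an assumption.
SENSITIVE_PARAMS = {"app_id", "app_key", "api_key", "apikey", "client_secret", "secret"}

# name = "value" or name: 'value' assignments (object literals or variables)
ASSIGN_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*['\"]([^'\"]{4,})['\"]")
# Absolute URLs embedded as string literals
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def redact(value: str) -> str:
    """Keep just enough of a value to recognise it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_js(source: str):
    """Return (kind, where, detail) findings for hard-coded credential parameters."""
    findings = []
    # 1. Literal assignments such as app_key: 'xyz' inside a config object
    for m in ASSIGN_RE.finditer(source):
        name, value = m.group(1), m.group(2)
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("assignment", name, redact(value)))
    # 2. URLs whose query string carries a credential parameter (the write-up's case)
    for url in URL_RE.findall(source):
        parts = urlsplit(url)
        hits = {k.lower() for k in parse_qs(parts.query)} & SENSITIVE_PARAMS
        if hits:
            endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
            findings.append(("url", endpoint, sorted(hits)))
    return findings

# Constructed sample resembling the bundle described above; all values are fake.
SAMPLE_JS = """
var cfg = { app_id: "12345678", app_key: 'k3yv4lu3s3cr3tXYZ' };
fetch("https://api.example.invalid/v1/export?app_id=12345678&app_key=k3yv4lu3s3cr3tXYZ&format=json");
var theme = "dark";
"""

if __name__ == "__main__":
    for kind, where, detail in scan_js(SAMPLE_JS):
        print(kind, where, detail)
```

Run it over the files listed in javascript.txt (fetched locally first) as a CI or pre-release check; any "url" finding is exactly the pattern reported above, a credential that anyone who can read the bundle can reuse.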
After submitting the report on HackerOne, detailing the exposed app_id and app_key in a JavaScript file and the sensitive data accessible through a URL, the report was reviewed. A few days later, it was successfully triaged, confirming the issue as a valid vulnerability due to the exposure of private information.
If you enjoyed this write-up and found it useful, don’t forget to follow me on Twitter! You can reach out to me anytime; just drop me a DM. 😊
Thanks for reading! 🙌 Stay safe, and keep hacking ethically! 💻