In this write-up, I will share my journey of discovering my first high-severity bug and making it to the Hall of Fame (HOF). I’ll take you through the entire process, from selecting a target to reporting an IDOR vulnerability. So, let’s dive in!
If you didn’t read my previous write-up, you are missing a lot, because there I covered what an IDOR vulnerability is, some common endpoints where you can look for IDOR vulnerabilities, and my GitHub link, which contains almost everything about IDOR. Why am I saying that? Because it contains 50+ YouTube POC videos, Medium articles, HackerOne Hacktivity reports, bypassing methods and a lot more, so go and learn from them. This is the link: https://medium.com/@dsmodi484/finding-idor-vulnerabilities-key-endpoints-and-resources-b9b4084edf34
After choosing a target, I finally started hunting on 13/06/24, Thursday. First I moved through the application, made accounts and got to understand all the features of the application; this took almost 2 days because I had exams on the upcoming days. After that I tried to break the functionality on the main domain with the vulnerabilities I know very well; remember, I still did not do recon. After examining the main domain I could not find any interesting bug. It was kind of Z-level security for me😐. Yeah, not joking. Let me tell you which vulnerabilities I tried:
1. No rate limit => but they handle it very well, so no luck
2. No CSRF => because they have very secure CSRF tokens
3. No IDOR => they use an Authorization Bearer token, so no chance. Yes, I tried, but it did not work.
4. During testing I found an admin panel, but after a successful login the webpage showed that if you want to access the admin page you have to send mail to abc@mail.com. So no luck😫
5. Testing the forgot-password and login functionality, but, as always, I did not find anything.
And yes, during all this I also did recon, but I did not focus on recon so much, and this was my mistake. So after not finding anything, on Monday morning I told one of my friends that I was not able to find any bug in this website; I had tested everything I could. After some time he messaged me: try different subdomains. Then I realised I had forgotten that I had found 4 subdomains, which were basically only 2 😶. No, sorry, only 1🤐. How? I will explain further on. After his advice I started looking at the subdomains, one of them was vulnerable, and I found 3 bugs on it by the end of Monday and reported them.
3 bugs reported
So let’s deep dive into it.
I am not allowed to disclose the company name, so I will call it redacted.com. After doing recon using common methods I found 4 subdomains, which were something like this:
link.redacted.com
mercury.redacted.com
blog.redacted.com
www.redacted.com
Now, why did I say there is only 1 subdomain? Because www.redacted.com is the same as redacted.com, and link.redacted.com and mercury.redacted.com were not opening. So only one subdomain was left, which is blog.redacted.com.
As the name suggests, blog.redacted.com has lots of blogs, and we can comment on any blog as a guest. I commented on one blog, and after commenting there were 3 functions: copy link, edit, delete. So I tried to delete the comment, and while doing this I turned on my intercept, and the request looked something like this:
There is a commentId = encoded string. So now I thought: can I maybe delete other users’ comments? There is an authorization token, but I tried anyway. I commented from a different account, then I copied the link of that comment and saw that the link looks like this:
https://blog.redacted.com/post_name/commentId=asdfj123-akjf32
Then I quickly copied the commentId of the other user, pasted it into Burp Suite and forwarded the request, and yes, it worked😲. I was surprised, because it was not actually validating the authorization token against the comment. Then I quickly reported this vulnerability, and it was triaged as HIGH and HOF🎉.
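The root cause of the IDOR above is a delete handler that authenticates the bearer token but never checks who owns the commentId. This added example (not code from the original post or the vendor) shows that handler next to the fixed one; Comment, Store, the token names and the sample data are constructed for illustration.

```python
# Added example (not from the original post): the server-side ownership check
# whose absence makes the comment-deletion IDOR possible.
# Comment, Store, delete_comment_* and the tokens are hypothetical; data is constructed.
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: str   # opaque, encoded id as seen in the intercepted request
    author_id: str    # account (or guest session) that created the comment


@dataclass
class Store:
    # Constructed sample: maps a bearer token to the user it authenticates.
    sessions: dict = field(default_factory=lambda: {"tok-alice": "alice", "tok-bob": "bob"})
    comments: dict = field(default_factory=dict)


def _authenticate(store: Store, bearer_token: str) -> str:
    """Resolve the Authorization: Bearer token to a user id, or raise."""
    try:
        return store.sessions[bearer_token]
    except KeyError:
        raise PermissionError("invalid or missing bearer token")


def delete_comment_vulnerable(store: Store, bearer_token: str, comment_id: str) -> bool:
    """Authenticates the caller but never checks who owns the comment:
    any logged-in user can delete any commentId copied from a link."""
    _authenticate(store, bearer_token)           # authentication only, no authorization
    return store.comments.pop(comment_id, None) is not None


def delete_comment_fixed(store: Store, bearer_token: str, comment_id: str) -> bool:
    """Authenticates AND authorizes: the comment must belong to the caller.
    Unknown and foreign ids get the same answer, so ids cannot be enumerated."""
    user_id = _authenticate(store, bearer_token)
    comment = store.comments.get(comment_id)
    if comment is None or comment.author_id != user_id:
        return False                              # report "not found" to the caller
    del store.comments[comment_id]
    return True


def demo() -> tuple:
    """Bob tries to delete Alice's comment through both handlers."""
    store = Store()
    store.comments["asdfj123-akjf32"] = Comment("asdfj123-akjf32", "alice")
    vuln = delete_comment_vulnerable(store, "tok-bob", "asdfj123-akjf32")     # True: IDOR
    store.comments["asdfj123-akjf32"] = Comment("asdfj123-akjf32", "alice")   # restore it
    foreign = delete_comment_fixed(store, "tok-bob", "asdfj123-akjf32")       # False
    owner = delete_comment_fixed(store, "tok-alice", "asdfj123-akjf32")       # True
    return vuln, foreign, owner
```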
2nd bug,
Bug: No rate limit on OTP verification
In this bug the attacker can send unlimited requests to any email. I sent it almost 200 times while testing; you can clearly see below:
So what can an attacker achieve from this? It can lead to bypassing the OTP verification process, or to a DoS attack as the email server becomes overwhelmed with requests, or an attacker could use this vulnerability to brute-force the account or perform a password reset.
But sadly they closed it as NA, because they told me to bypass the OTP verification, and when I visited that endpoint again there was no OTP verification page. I was surprised how this was possible😑, because yesterday I had sent 190 requests to myself and today there was no page. So I quickly replied to the security team, but they said that they were working on this page, so after that they closed it as NA😕.
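The mitigation for the second bug is an attempt budget on the verification step itself: a 6-digit OTP has only a million values, so the ~200 unanswered requests per minute described above are what make guessing practical. This added example (not code from the original post or the vendor) shows a verifier that locks a code after a few wrong tries; OtpVerifier, its limits and the sample emails and codes are constructed for illustration.

```python
# Added example (not from the original post): OTP verification with a per-account
# attempt budget, the control whose absence was reported in bug 2.
# OtpVerifier, MAX_ATTEMPTS and TTL_SECONDS are hypothetical; sample data is constructed.
import hmac
import time


class OtpVerifier:
    """Locks a pending code after MAX_ATTEMPTS wrong submissions and expires it
    after TTL_SECONDS, so unlimited guessing of a 6-digit code is not possible."""
    MAX_ATTEMPTS = 5
    TTL_SECONDS = 300

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested offline
        self._pending = {}   # email -> {"code": str, "issued": float, "tries": int}

    def issue(self, email: str, code: str) -> None:
        """Store a freshly sent code; re-issuing resets the attempt counter,
        so the send endpoint must itself be rate limited."""
        self._pending[email] = {"code": code, "issued": self._now(), "tries": 0}

    def verify(self, email: str, submitted: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        entry = self._pending.get(email)
        if entry is None or self._now() - entry["issued"] > self.TTL_SECONDS:
            self._pending.pop(email, None)
            return "expired"
        if entry["tries"] >= self.MAX_ATTEMPTS:
            return "locked"           # no comparison at all once locked: no oracle
        entry["tries"] += 1
        if hmac.compare_digest(entry["code"], submitted):   # constant-time compare
            del self._pending[email]  # a code is single use
            return "ok"
        return "wrong"


def simulate_wrong_submissions(verifier: OtpVerifier, email: str, guesses) -> dict:
    """Replay a burst of wrong codes (like the ~200 requests in the write-up)
    and count the responses the client would see."""
    counts = {}
    for guess in guesses:
        result = verifier.verify(email, guess)
        counts[result] = counts.get(result, 0) + 1
    return counts
```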
3rd Bug,
It is also a no-rate-limit bug, in which I can post unlimited comments. This bug is also on blog.redacted.com. Yes, I know there is not so much impact from this bug; it can only slow down the server due to the large number of comments on the post. For the POC I posted 200 requests, and to show the impact I also included a HackerOne Hacktivity report, but they closed it as informative.
HackerOne report which I attached in the POC: https://hackerone.com/reports/1202408
So yeah, these are the 3 bugs which I found by the end of the day. I reported all the bugs, and the next day the security team quickly responded and triaged one bug as HIGH because it is an IDOR.
This journey has taught me that hard work doesn’t always pay off immediately, but perseverance and dedication eventually lead to success. 💪
That’s all for today! I hope you found this write-up informative. If you have any questions, feel free to reach out. Your support motivates me to create more content, so please give this a clap if you enjoyed it and follow me for more updates.
Follow me: https://linktr.ee/dishantmodi
#BugBounty #Cybersecurity #EthicalHacking #VulnerabilityResearch #InfoSec #WebSecurity #HackerCommunity #LearningJourney #BugHuntingTips #BugHuntingMethodology #IDOR #VAPT #noratelimit #3bugs #journey #bugfindings #VDP #HIGH #IDOR #otpverification