My name is Ignacio Jose Riva, and I am a full-time Bug Bounty Hunter actively working on Bugcrowd, hunting for all kinds of vulnerabilities.
In this article, I will explain how I was able to bypass the default SSO of a target website by discovering a hidden endpoint.
Fuzzing `https://app.target.com/FUZZ`, I could not find anything interesting, so I kept searching with Google dorks (`site:app.target.com`) until I found the endpoint `/ct_l/login.php`, which could log in only with SSO and loaded several .js files that caught my attention as places to search for credentials, endpoints, etc.
Analyzing each .js file using de4js, I found the endpoint `/ent_xt_invite_friend.bix`, which could be used, through an email parameter, to send registration emails to any user.
I went on to test the endpoint with my Bugcrowd email and received an email with a registration link.
Using the link, I was able to register, log in as an employee, and access privileged information such as names, addresses, phone numbers, etc. In the end, they decided it was a third-party issue and rewarded me with a lower bounty of $500.
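As an added example (not the target's code), here is how an invite endpoint like `/ent_xt_invite_friend.bix` ends up bypassing SSO: the vulnerable handler accepts any email with no session check, while the hardened version requires an authenticated, privileged session and only invites addresses in the SSO-managed domain. The function names, the `admin` role, the in-memory mail queue and the `target.example` allowlist are all assumptions made for illustration.

```python
# Added example: an unauthenticated invite endpoint beside a hardened one.
# Names, roles, the mail queue and the domain allowlist are constructed for
# illustration; none of this is the target's code.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import re
import secrets

# Hypothetical: the corporate domain whose accounts are governed by SSO.
ALLOWED_DOMAINS = {"target.example"}
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


@dataclass
class Session:
    user: Optional[str] = None          # None means no authenticated session
    roles: Set[str] = field(default_factory=set)


@dataclass
class MailQueue:
    """Stand-in for a real mailer; records (recipient, token) pairs."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send_invite(self, email: str) -> str:
        token = secrets.token_urlsafe(16)   # registration link token
        self.sent.append((email, token))
        return token


def invite_vulnerable(email: str, mailer: MailQueue) -> dict:
    """The flaw from the write-up: no session or domain check, so any
    address submitted in the email parameter receives a registration link."""
    mailer.send_invite(email)
    return {"status": 200}


def invite_hardened(email: str, session: Session, mailer: MailQueue) -> dict:
    """Same endpoint with the checks a defender would expect."""
    if session.user is None or "admin" not in session.roles:
        return {"status": 403}          # unauthenticated or unprivileged: send nothing
    m = EMAIL_RE.match(email)
    if not m or m.group(1).lower() not in ALLOWED_DOMAINS:
        return {"status": 400}          # only the SSO-governed domain may be invited
    mailer.send_invite(email)
    return {"status": 200}
```

The domain allowlist is the key defence: even a privileged insider cannot use the endpoint to mint an employee account for an outside address.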
For questions, collaborations, or to learn more about bug bounty hunting, connect with me on:
LinkedIn: https://linkedin.com/in/cyxbugs/
Twitter: https://x.com/cyxbugs