How I was able to hack over 10 million websites using BAC (broken access control)


Hey phenomenal hackers, it’s Zack0x01, and today I’m stoked to share a groundbreaking discovery from my bug bounty escapades. Buckle up as I unfold a riveting tale about a renowned web hosting platform boasting a whopping 10 million websites.

Thanks to divine intervention and a sprinkle of my hacking magic, I unearthed a game-changing broken access control vulnerability, granting me unprecedented access to hack into any website under their domain. The cherry on top? I snagged free domains, web hosting, servers, and even scored free email accounts. Intrigued? Let’s dive deeper into the technicalities.

Unlike some bug hunters who revel in exhaustive reconnaissance, I opted for a direct approach, delving straight into testing the application’s functionalities. My initial foray involved experimenting with XSS by injecting a meticulously crafted payload

("'></textarea></div></script><script>prompt(1)</script><img\src=x onerror=confirm(1)>)

into various inputs — usernames, full names, descriptions, and WHOIS setting records. Unfortunately, my XSS attempts didn’t yield the desired results.

Undeterred, I shifted gears to explore broken access control vulnerabilities. Leveraging the platform’s identity as a web hosting service, I hatched a plan. I procured two domain names — let’s call them domainone.com and domaintwo.com — under different accounts. Here’s where the magic happened.

Utilizing the platform’s AI website builder, I seized the opportunity to change my landing page’s website name to the second account’s domain. But, manual labor wasn’t my style. I enlisted the help of Burp Suite, a trusty companion in the world of hacking. Navigating to the match and replace section, I seamlessly replaced every instance of domainone.com with domaintwo.com, all without breaking a sweat.

With my modified setup, I meticulously crafted my landing page. In the shadows, Burp Suite orchestrated the domain switcheroo. After the page customization dance, I gracefully turned off Burp Suite and ventured into the second account’s domain — domaintwo.com. Brace yourself for the shocker: I not only gained access but took control of the other account’s domain settings. Uploading new pages, tweaking configurations — it was a hacker’s dream come true.
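The root cause described above is a site-builder save endpoint that trusts the domain name sent in the request and never checks that the caller's account actually owns it. The following is an added example, not code from the original post or from the hosting platform: it models a save handler with and without the server-side ownership check, and adds a small audit routine that scans constructed log lines for saves against domains the acting account does not own. The account ids, the DOMAIN_OWNERS inventory, the log format and the function names are all my assumptions.

```python
"""Added example (not the platform's code): the missing ownership check behind
the broken access control in the write-up, plus a retroactive log audit.

Assumptions (mine): the builder's save endpoint receives the authenticated
account id and the domain the page should be stored under; the platform keeps
an inventory mapping each domain to the account that purchased it.
"""
import re

# Constructed sample inventory: which account owns which domain.
DOMAIN_OWNERS = {
    "domainone.com": "account-A",
    "domaintwo.com": "account-B",
}


class Forbidden(Exception):
    """Raised when an account tries to act on a domain it does not own."""


def owns_domain(account_id, domain, owners):
    """Server-side ownership check: the inventory, not the request, decides."""
    return owners.get(domain) == account_id


def save_landing_page_vulnerable(account_id, domain, html, pages):
    """Vulnerable: the domain is taken from the request body and never
    compared with the caller's inventory, so any authenticated account can
    overwrite any domain's page (the BAC from the write-up)."""
    pages[domain] = html
    return domain


def save_landing_page_fixed(account_id, domain, html, pages, owners):
    """Fixed: resolve ownership before touching the resource; reject otherwise."""
    if not owns_domain(account_id, domain, owners):
        raise Forbidden(f"{account_id} does not own {domain}")
    pages[domain] = html
    return domain


# Constructed audit log lines (not real platform logs): one event per line.
SAMPLE_LOG = """\
2024-01-20T10:15:02Z account=account-A action=site.save domain=domainone.com
2024-01-20T10:16:40Z account=account-A action=site.save domain=domaintwo.com
2024-01-20T10:17:05Z account=account-B action=site.save domain=domaintwo.com
2024-01-20T10:18:11Z account=account-A action=login
"""

LOG_RE = re.compile(r"account=(?P<account>\S+) action=site\.save domain=(?P<domain>\S+)")


def find_cross_account_edits(log_text, owners):
    """Detection: return (account, domain) pairs where a save targeted a domain
    owned by a different account. Run over historical logs once the fix ships
    to find who was affected before the check existed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a site.save event
        account, domain = m.group("account"), m.group("domain")
        if not owns_domain(account, domain, owners):
            hits.append((account, domain))
    return hits


if __name__ == "__main__":
    pages = {"domaintwo.com": "<h1>B's page</h1>"}
    # Account A overwrites B's domain through the unchecked handler.
    save_landing_page_vulnerable("account-A", "domaintwo.com", "<h1>A was here</h1>", pages)
    print("vulnerable handler stored:", pages["domaintwo.com"])
    try:
        save_landing_page_fixed("account-A", "domaintwo.com", "<h1>A was here</h1>", pages, DOMAIN_OWNERS)
    except Forbidden as exc:
        print("fixed handler rejected:", exc)
    print("cross-account saves in log:", find_cross_account_edits(SAMPLE_LOG, DOMAIN_OWNERS))
```

The key design point is that the domain in the request is treated only as a lookup key; the authorization decision comes from the inventory the server controls. Tools like Burp's match-and-replace can rewrite any client-side value, so a check performed in the browser or inferred from the submitted page name provides no protection.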

Reported: 20/01/2024

Triaged: same day

Bounty ($$$$): 04/02/2024

Thanks for joining me on this adrenaline-pumping bug bounty rollercoaster. Stay tuned for more in-depth write-ups as we continue to unravel the secrets of the hacking realm. Until next time, happy hacking!
