My First Verified Bug Bounty: Unmasking Flaws in University Web Apps


Impeony | Rafi


Hi, my name is Impeony! Welcome to my very first writeup on Medium.

Over a span of several days in late April 2024, I embarked on an expedition to uncover hidden vulnerabilities within a university’s web applications, having obtained permission from them beforehand. This narrative recounts the tools and techniques I employed, the vulnerabilities I unearthed, and the measures we undertook to address these gaps in our defenses.

The adventure started with the deployment of Subfinder, a tool adept at sniffing out subdomains within our university’s vast digital landscape. This initial sweep was crucial, setting the stage for the deeper exploration that was to follow. With a list of subdomains in hand, such as directory.redacted.com, wireless.redacted.com, and ipcom.redacted.com, I turned to a handy Chrome plugin named ‘Open Multiple URLs’. This tool allowed me to methodically access each subdomain, sifting through them with an eye for anomalies.

As I ventured through these digital gateways, I stumbled upon several search boxes and login forms. These common elements, usually innocuous, were about to reveal their darker sides.

One of the first vulnerabilities I encountered was a Reflected Cross-Site Scripting (XSS) flaw in the search bar on directory.redacted.com. By simply injecting a script <img src="x" onerror="alert(document.cookie)">, I could execute arbitrary JavaScript, a gateway to potentially accessing user cookies or impersonating users.

Further exploration brought me to wireless.redacted.com, where a SQL Injection in the login form allowed me to gain administrative access without a password. Here, 'admin' or '1=1 -- -' was all it took to bypass authentication, laying bare the lack of stringent input validation.

As my journey continued, similar XSS vulnerabilities surfaced in other domains, such as ipcom.redacted.com and kimpsi.redacted.com. Each instance was a stark reminder of the pervasive nature of these flaws.

Perhaps the most disconcerting discovery was a Stored XSS on libpps.redacted.com. Here, the payload <script>alert(document.cookie)</script> persisted on the server, endangering every user who visited the compromised page.

Lastly, an intricate SQL Injection challenge awaited at rekapmonev.redacted.com. Utilizing Burp Suite, I manipulated parameters and observed database errors, a clear sign of vulnerability. Although a web application firewall thwarted further exploitation, the evidence was undeniable.

Identifying these vulnerabilities was only the first step; addressing them was paramount. Immediate corrective actions included patching the vulnerabilities, enhancing input validation, and fortifying security configurations to stave off similar attacks. We instituted a regimen of continuous developer education and periodic security audits to uphold our defenses.
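The login-form SQL injection described above and its parameterized-query fix, as an added example that is not code from the university's application or from the author. The SQLite schema, function names, salt and credentials are constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt

def pw_hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the login backend (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("constructed-admin-pw")))
    db.execute("INSERT INTO users VALUES (?, ?)", ("student", pw_hash("constructed-student-pw")))
    return db

def login_vulnerable(db, username, password):
    # 'Before': form fields are pasted into the SQL text, so a quote in the
    # username changes the structure of the WHERE clause.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    # 'After': the username travels as a bound parameter and is only ever data;
    # the hash is compared in application code, in constant time.
    candidate = pw_hash(password)
    row = db.execute("SELECT username, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row and hmac.compare_digest(row[1], candidate):
        return row[0]
    return None

# The input quoted in the write-up, retyped with ASCII quotes and dashes.
CRAFTED_USERNAME = "admin' or '1=1 -- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, CRAFTED_USERNAME, "wrong"))
    print("fixed:     ", login_fixed(db, CRAFTED_USERNAME, "wrong"))
    print("fixed, valid login:", login_fixed(db, "admin", "constructed-admin-pw"))
```

With the bound parameter, the crafted string is looked up as a literal username that does not exist, so the password check is never skipped.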

Several days after submitting my detailed report, IT support responded, evaluating the vulnerabilities’ impacts — some were deemed low, others high. The university acknowledged the significance of these findings by promising me certification and compensation for my efforts. This gesture not only recognized my work but also emphasized the institution’s commitment to cybersecurity.

This journey through the digital underbelly of the university’s network was both enlightening and a bit daunting. It underscored the relentless vigilance required to protect digital assets in an ever-evolving threat landscape. By sharing this story, I hope to inspire others in the cybersecurity community to embark on their own assessments, armed with the knowledge that the path to security is a perpetual expedition.

Thank you for reading, and be good people!
