Hi everyone,
I am Mohd Hasan Ansari (Jerry1319) from Nepal, an independent security researcher.
If you find any spelling errors, let them be. Let's start.
After a long break and burnout, I decided to give a private program on bugv a chance, but unfortunately only the main domain is in scope. Let's assume the domain is domain.com/*.
I quickly started with some basic recon on the target via Google dorking and GitHub dorking, but unfortunately I didn't find anything juicy related to the target that could be reported as a security issue.
After all of that yielded nothing, I ran waybackurls on the main domain to collect the indexed endpoints.
echo "domain.com" | waybackurls | tee -a wayback.txt
After running waybackurls, I opened the domain in the browser to check the built-in technologies and the functions available on the target to test.
To my surprise I again didn't find anything interesting in the technology stack, but while playing with the functions I noticed that the domain is using the Shopify SDK. I quickly went back to the wayback data and started looking for parameters, since I had previously found an SSRF via a third-party SDK.
While going through the wayback data, I came across the endpoint https://domain.com/shop?auth=undefined. I quickly changed undefined to evil.com and, surprisingly, the site redirected to evil.com.
I tried to find an SSRF via the /shop?auth= endpoint, but due to some internal protection the site blocked me from doing so. After trying for 2-3 hours I left it as it was and reported it as an open redirection issue.
After a couple of days the program team triaged the report, and after a month they rewarded me with a $$$ bounty.
Since then, whenever I see Shopify or its SDK in use on a domain, I always check the shop?auth= endpoint.
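For the fixing side of this finding, here is an added example (not code from the write-up, the program, or the Shopify SDK) that puts the vulnerable pattern next to a hardened one: the redirect handler that copies the auth parameter straight into the Location header, and a validator that only lets the user land on an allow-listed host. The function names and the ALLOWED_HOSTS set are assumptions made for the example; the tricky inputs it handles (scheme-relative //evil.com, backslash variants, userinfo tricks, schemeless values like the page's undefined) are the ones a redirect allow-list usually misses.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the application is allowed to redirect to (constructed for this example).
ALLOWED_HOSTS = {"domain.com", "www.domain.com"}


def vulnerable_redirect_location(auth_param: str) -> str:
    """Mirrors the bug in the write-up: whatever arrives in ?auth= becomes the
    redirect target, so auth=evil.com sends the visitor off-site."""
    return auth_param


def safe_redirect_location(auth_param: str,
                           allowed_hosts=ALLOWED_HOSTS,
                           fallback: str = "/") -> str:
    """Return a redirect target that stays on an allowed host, else `fallback`."""
    if not auth_param:
        return fallback
    # Browsers treat backslashes like forward slashes, so normalise them first;
    # otherwise '/\evil.com' looks like a relative path but resolves off-site.
    candidate = auth_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: accept only https to an allowed host.
        # parts.hostname ignores userinfo, so 'https://domain.com@evil.com/'
        # is correctly seen as evil.com; 'https:evil.com' yields no hostname.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return fallback
        return urlunsplit(parts)
    # No scheme and no netloc: only a single-slash, site-relative path is safe.
    # Bare values such as 'evil.com' or 'undefined' fall back to the home page.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    for value in ("evil.com", "//evil.com", "https://domain.com/cart", "undefined"):
        print(f"{value!r:32} vulnerable -> {vulnerable_redirect_location(value)!r:28}"
              f" safe -> {safe_redirect_location(value)!r}")
```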
That's all for today's write-up.
Thanks for Reading
Signing out, Jerry1319