Here's a #bugbountytip

(1/n)

Overview:
On a bug bounty program, I was able to access the internal dashboard of an e-commerce website and see what users had ordered along with their addresses, and could also manipulate order status.

The dashboard was running on a custom port.
(2/n)

Approach:

1. The scope of the program was *.target.com.
2. Collected many subdomains using different tools, and then checked for alive subdomains using httpx.
3. Visited all collected subdomains manually, none of them seemed interesting. So I moved forward with testing.
(3/n)

4. So I looked for more ways on how to find assets related to any domain and came across a technique known as favicon hashing. I didn't know about this, so I searched for it on Google and read a few articles on it.

Resources

medium.com/@Asm0d3us/weap…

(4/n)

Tool used:

After reading the articles I got to learn that using a simple Python script we can automate this task of collecting favicon hashes. So I used this tool by @ManiarViral

github.com/Viralmaniar/Mu…
(5/n)

Results:

1. After collecting the favicon hash for target[.]com, I opened @shodanhq.
2. And searched for http.favicon.hash:TARGET_FAVICON_HASH_HERE
3. Got so many results on shodan.io
4. Manually visited all of the results.
5. Not all hosts were working.
(6/n)


6. Tried to filter results by adding some other shodan queries to the result.
7. After digging for a while, I got a host that was running on a custom port.
8. On visiting the host, I got direct access to the internal dashboard.

(7/n)

9. Sellers' email addresses, logs, order history, and users' personal details like names and addresses were all leaking on the dashboard. I could also manipulate order status.

Here's a screenshot:
(8/8)

So that's all about the finding that I reported a few months back.

Will try to post about my findings more often now.
Hope this thread helps you in your bug hunting journey.

Have a great day everyone.

#bugbountytip #bugbountytips #bugbounty #infosec

Thread by Kushagra Sarathe.