Open Redirect exposed AWS bucket user files

ZaidMessi
2 min read · Dec 12, 2020


Start With name of Allah, The Most Gracious and The Most Merciful.

Hello Guys,

This is my first writeup here. Hope you will learn something good from it.

So I found a bug bounty program, example.com (sorry, can't disclose the name). After enumerating all subdomains I could not find any vulnerability; I tried directory fuzzing, but it was not helpful at all.

It looked like the website had implemented strong security features and did not contain any misconfiguration (this is the most common situation for bug hunters).

But, believe it or not, if you add /// at the end of any link it will redirect to the rest of the URL (a common open redirect issue). For example, if I add /// in the following link, www.example.com///google.com, it will redirect us to Google. The thing is, it couldn't be taken as a valid vulnerability. So I moved further, and after spending 5–6 hours I got to a page which contains some images.

When you open an image link it shows the image, but if you look at the link, it has some parameters, such as format, version and path: https://example.com/image/format=jpg/path/user/me/image/ib2911b2fd53e21fa/version/1

path sounded promising, so I added the /// and, as the payload, the URL of an image held at another website (at that time I was trying to achieve SSRF), but due to the same origin policy I failed: https://example.com/image/format=jpg/path///http:/google.com/google.jpg/version/1. At the time I was like….

still some hope??

Yup. I added //// instead of /// and then, boom, it exposed all the user files belonging to the relevant bucket, with ID and ETag: https://example.com/image/format=jpg/path////http:/google.com/google.jpg/version/1.

Actually, the three forward slashes redirect to the rest of the URL, but if you add a fourth forward slash it calls its parent directory, in which all the files are available. As I was using the browser, I could see the file information in XML format.
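A defensive check for the image endpoint described above, as an added example that is not code from the original post or from the target site: it validates the `path` parameter against the single shape the post shows (`user/<id>/image/<id>`), rejects repeated separators and scheme-like segments, and runs the same check over constructed access-log lines to spot probes like the /// and //// URLs above. The log format, the allow-list pattern and the function names are assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Constructed sample access-log lines (not from the post): two benign requests
# and two shaped like the /// and //// probes described in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - "GET /image/format=jpg/path/user/me/image/ib2911b2fd53e21fa/version/1 HTTP/1.1" 200
10.0.0.7 - - "GET /image/format=jpg/path///http:/google.com/google.jpg/version/1 HTTP/1.1" 302
10.0.0.7 - - "GET /image/format=jpg/path////http:/google.com/google.jpg/version/1 HTTP/1.1" 200
10.0.0.9 - - "GET /image/format=png/path/user/bob/image/0a1b2c3d4e5f6a7b/version/2 HTTP/1.1" 200
"""

# Assumed allow-list: the only object-key shape the image endpoint should serve.
ALLOWED_PATH = re.compile(r"^user/[A-Za-z0-9_-]{1,64}/image/[a-z0-9]{1,64}$")


def extract_path_param(url_path: str) -> Optional[str]:
    """Return the raw 'path' value from /image/format=<fmt>/path/<value>/version/<n>."""
    m = re.match(r"^/image/format=[a-z]+/path/(.*)/version/\d+$", unquote(url_path))
    return m.group(1) if m else None


def is_safe_image_path(raw: str) -> bool:
    """Accept only an exact object key: no repeated separators (the /// and ////
    tricks), no leading slash, no scheme-like or dot segments, and allow-list match."""
    if raw != raw.strip() or raw.startswith("/") or "//" in raw:
        return False
    for seg in raw.split("/"):
        if seg in ("", ".", "..") or ":" in seg or "\\" in seg:
            return False
    return ALLOWED_PATH.fullmatch(raw) is not None


def flag_suspicious_requests(log_text: str) -> List[str]:
    """Detection view: return request targets whose 'path' value fails validation."""
    flagged = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|HEAD) (\S+) HTTP', line)
        if not m:
            continue
        raw = extract_path_param(urlparse(m.group(1)).path)
        if raw is None or not is_safe_image_path(raw):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for target in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", target)
```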

Always check every URL and request and try to manipulate it; if a known vulnerability already exists, use it to gain other vulnerabilities.

Thank you for reading
