How i found my first 318.39$ bugs!

Msecurity BH
6 min readMar 22, 2024

--

السَلآْم عَلْيُكّمٌ وٍرٍحَمُةّ الله وٍبُرٍكآتُه

Hello everyone i hope you are doing great 💖 My name is Mohammed, I am a cybersecurity enthusiast and a CTF Player; In this blog i am going to show you how did i approach to find my first 2 reported vulnerabilities.
Note: this writeup have been written in a simple way.”

1) Vulnerability, Type: Security Misconfiguration

2 ) Vulnerability, Type: Sensitive Information Exposure

Actual Amount: 318.39$
But the Final pay: 140$ > due to the company policy

Time taken: less than 40 minutes

Company: Cannot disclose it. “Well known company”

Before I dive into how I discovered the vulnerabilities, let me explain what led me to start testing for them.

About six months ago, I wanted to learn more about web applications. So, I decided to create my own website from scratch. I believed this hands-on experience would help me understand web apps better and give me a better chance of finding bugs.

I spent several months building an e-commerce site, putting a lot of time and effort into making it work for online shopping. But I struggled with making it look good. Feeling a bit discouraged, I searched online for inspiration and found a really nice website that caught my eye. It seemed well-designed and interesting. Because I’m naturally curious, I decided to take a closer look at it and see if I could find any security issues in it, Boom i noticed the bugs! and worked on writing a report on them, But how? Now i will tell you :)

Let’s Start with the first report which is categorized as Security Misconfiguration.

What is Security Misconfiguration ?
To make it simple, Security Misconfiguration occurs when a device settings is not properly configured like leaving default passwords unchanged which can lead to easy access for anyone.
For more details check: https://owasp.org/Top10/A05_2021-Security_Misconfiguration/

note: i didn't conduct a full bug hunt , i did it really quick for fun.

The first thing that i did is subdomain enumeration, you can find plenty of tools that will do that for you like Sublist3r. Once i got the result i saw that the website let’s call it ABC.ZYX has a subdomain named dev. https://dev.ABC.ZYX/, It seems obvious that dev means developers which gave me a hint that this could be a page specifically for developers of the website only.
The page didn't look different however, I have noticed something at the bottom corner:

it looks like this^

I clicked on that and it showed a debug bar like this which contained lots of information:

This was my first time seeing this so i clicked on all options and tried seeing each different results. One of the intersting options showed a version </>7.4.33 of Laravel PHP framework. In here i just knew the version number and what its called, I didn't look for vulnerabilities/exploits regarding this because as i mentioned my intention is just to discover not to hack anything really.

Another cool option besides this is that it displays logs. The date and time, Method request: GET/POST etc.. + The IP address of the request and filter data that shows the exact URL and all the details of the request.
Filter results allowed me to delete all the made requests.

Still i was just exploring and i have no idea what is it,what it does and is it intended to be shown or not. I decided to spend more time on searching about this debugger, how it works and what it does in addition, i acknowledged that this should not be shown to regular users.

Getting more in details i tried discovering for files https://dev.ABC.ZYX/<discover> and saw /home “https://dev.ABC.ZYX/home”and guess what?….
it lead me to a page where it showed me a full details on the web application, full paths of different php files where its stored in the server and what's inside them in addition, All application frames. To be honest there where a lot of url’s and codes and i didn't much understand what's going on and again as i mentioned i didn't spend more time to get details about it or try to do critical things due that i have no permission and it was random “so it was quick and in general” moreover, i didn't want to dedicate time on it, But i am sure i would find more cool stuff or find more bugs.

This was the first report, of course there are more details but i am trying to point out the main and important things only, if i showed everything it would take hundreds of paragraphs and images.

So thats for the first bug,
Summary: Security misconfiguration Bug found and a user is able to access dev.ABC.ZYX subdomain which gave a Laravel PHP debugger control.
“Unauthorized access to debugging tools and SQL queries as a non-admin user” in addition dev.ABC.ZYX/home directory which displayed a lot of useful and sensitive information of the application/codes.

Going to the second and last bug which is:
* Sensitive Information Exposure/ Hard-coded secrets

This means that credential's or sensitive data is basically stored in the front-end of the application and simply i can view it in the source-code for instance.

Again it’s in the same misconfigured url https://dev.ABC.ZYX/
I viewed the source code and my eye saw this:

The first 10–13min of researching about the 3rd-party service API and how it works it seemed to be normal and not vulnerable to anything until i reached to a part where i need to try how to interact with this service and see what it does. Hopefully i did a curl request and provided the given credential's and i was able to add some records.

Here is the list of things that I can do other than searching and adding records:
Data management: add records using “POST”. Update records using “PUT”. Delete records using “DELETE”. Clear an entire index using the POST method with the clear action.
Index Settings: Get index settings using “get”.Update index settings using ”PUT”. Accessing and managing synonyms, rules, and other settings.

Index Management

Security and Access Control such as updating the API permissions.

User Management and Personalization

Backup and Restore

In addition firebase configurations key were exposed with other tokens.

To summarize it up:
API Key Exposure “I will name the api example: QWE” (QWE_application_id and QWE_admin_key):
Exposing the “”API credentials (QWE_application_id and aQWE_admin_key) can allow unauthorized parties to perform administrative actions on QWE indices. I could potentially manipulate, delete, or extract data, disrupting the integrity and privacy of the indexed content.

That’s all for the simple post, I hope you enjoyed reading it, Don’t forget to like and add a feedback in the comments bellow :)

--

--

Msecurity BH
Msecurity BH

Written by Msecurity BH

Hello there my name is Mohammed ,I am cybersecurity enthusiast&CTF Player. Interested in Penetration testing and bug hunting :) Website: https://msec.bh/

Responses (3)