Listen to this Post
A few months ago, I was testing a private bug bounty program with a really broad scope. While looking at one of their main websites, I noticed it was loading libraries/scripts from a 3rd party domain. After further checking, I found that the domain was managed by a 3rd party development company that was working for them.
Since the scope was broad enough, I did a subdomain enumeration on that 3rd party domain. I quickly noticed a subdomain that seemed like hosting an admin panel for an ecommerce website belonging to the main company (something like companyadmin.domain[.]com).
The subdomain showed a login panel. I reviewed the source code/JavaScript and didn’t find any endpoints. But, I noticed that after a correct login, the website would redirect the user to “/panel”. I tried to access “/panel” directly and found that the website was loading the frontend and then redirecting me back to the login page. Probably because it was checking if I was authenticated at the end of the code (don’t do that!).
This allowed me to examine the HTML/JS code that the “/panel” page loaded before redirecting me to the login page, and I was able to extract a large list of endpoints through JavaScript analysis.
At that point, it was pretty straightforward:
- I tested all the endpoints; the server responded with an “unauthenticated” error for all of them except one.
- After further checking the endpoint that didn’t return an “unauthenticated” error, I noticed that it also included a token in its response.
- Wait… Was that endpoint providing me with a valid token?
- Yes, I added it to the headers, rechecked access to “/panel”, and now I had full access to the admin panel.
I reported it, and they accepted it even though it was hosted on a 3rd party subdomain, because it was an admin panel providing control over one of their main websites. But the bounty ended up being €250, and they downgraded it from Critical to High, mostly because it was managed by a 3rd party.
You Should Know:
1. Subdomain Enumeration:
- Use tools like
Sublist3r,Amass, or `Assetfinder` to enumerate subdomains.sublist3r -d example.com amass enum -d example.com assetfinder --subs-only example.com
2. JavaScript Analysis:
- Use browser developer tools (F12) to inspect JavaScript files.
- Tools like `Burp Suite` or `ZAP` can help intercept and analyze network requests.
burpsuite zaproxy
3. Endpoint Testing:
- Use `curl` or `Postman` to test endpoints.
curl -X GET http://example.com/panel curl -X POST http://example.com/endpoint -H "Authorization: Bearer <token>"
4. Token Extraction:
- Use `jq` to parse JSON responses and extract tokens.
curl http://example.com/endpoint | jq '.token'
5. Header Manipulation:
- Add tokens to headers using
curl.curl -X GET http://example.com/panel -H "Authorization: Bearer <token>"
What Undercode Say:
This article highlights the importance of thorough reconnaissance and persistence in bug bounty hunting. Even when faced with a simple login panel, digging deeper into the source code and testing all possible endpoints can lead to significant discoveries. Tools like Sublist3r, Burp Suite, and `curl` are essential for any cybersecurity enthusiast. Always remember to manage your expectations and understand the scope of the program to avoid burnout. Happy hunting!
Relevant URLs:
References:
Reported By: Martinmarting How – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



