It’s all in the detail: Email leak & Account takeover thanks to WayBackMachine & extensive knowledge about the program

When a researcher spends a lot of time on one bug bounty program, the bug impact tends to increase as they gain knowledge around the web assets and how things work & are connected together (at least in my experience; if you have spent a lot of time on one program I’d love to hear your thoughts). I strongly believe bug bounties can help companies & researchers form a strong relationship :)

How I generally feel sometimes heh :D

Understanding how your target works

When a lot of people message me, “How do I go looking for bugs? Where do I start?”, I’ll always tell them: just simply use the site with BURP running and start learning & playing. I stand by that advice; you simply can’t go wrong, and if you’re new to hacking then this should be your first step on a program. As your experience & knowledge grow you’ll start to expand out and start using more tools to discover subdomains, common files, etc. Then in time, you can set your tools running whilst you begin poking. :)

First interesting bug found relating to user id leak

This one didn’t lead to account takeover but did lead to any userid’s email being leaked remotely. If you messaged the user, the URL would look like this:

Where else can it be used?

I’ve mentioned before that I will always use WayBackMachine to scrape a site’s /robots.txt file from years ago, as you never know what was in there and if any of those files are still on the server. Armed with my results I did a search for anything containing “unsubscribe”. Bingo, “unsubscribe2” found.
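The comparison described above, as an added example that is not from the original post: it checks archived robots.txt snapshots of a site you are responsible for against the current file and reports paths that were once listed but have since dropped out, so they can be confirmed retired or access-controlled. The snapshot contents and the function names `robots_paths` and `forgotten_paths` are constructed for illustration; only the `unsubscribe2` name comes from the text.

```python
# Constructed robots.txt snapshots keyed by capture year (stand-ins for
# archived copies of your own /robots.txt); nothing is fetched over the network.
SNAPSHOTS = {
    "2012": """User-agent: *
Disallow: /admin/
Disallow: /unsubscribe2   # legacy mailer endpoint
Disallow: /old-search
""",
    "2015": """User-agent: *
Disallow: /admin/
Disallow: /unsubscribe
Allow: /public/
""",
}
CURRENT = """User-agent: *
Disallow: /admin/
Disallow: /unsubscribe
"""


def robots_paths(text):
    """Return the set of paths named by Allow/Disallow rules."""
    paths = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() not in ("allow", "disallow"):
            continue
        if value.strip():                        # an empty Disallow names no path
            paths.add(value.strip())
    return paths


def forgotten_paths(snapshots, current, keyword=""):
    """Map each path listed in an old snapshot but absent from the current
    file to the snapshots it appeared in, optionally filtered by keyword."""
    live = robots_paths(current)
    found = {}
    for label, text in snapshots.items():
        for path in robots_paths(text) - live:
            if keyword.lower() in path.lower():
                found.setdefault(path, []).append(label)
    return {path: sorted(labels) for path, labels in sorted(found.items())}


if __name__ == "__main__":
    for path, seen in forgotten_paths(SNAPSHOTS, CURRENT, "unsubscribe").items():
        print(f"{path} (listed in {', '.join(seen)}): confirm it is retired")
```
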

But wait… I’m logged into my other account?

When hunting, write NOTES.

Yes, I wrote Notes in big letters for a reason, as it’s another reason why I started BugBountyNotes. I hope to create a platform for users to easily write their notes & thoughts when testing to help yourself, and other researchers, as well as being able to find & share anything bug bounty related.

UK WebApp Security Researcher. Creator of BugBountyHunter— designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com
