Using XAMPP and Burp Intruder when scanning for subdomains to look for interesting behaviour & code

  • Scraped for subdomains using basic tools
  • Ran these through burp intruder to check results and mass grep for certain keywords (“url:” for example to look for any potential ajax requests. “xmlhttprequest”, “POST” etc.)
  • Found an interesting domain which made use of ajax requests, saw after it had authenticated it would redirect to /dashboard
  • Visited /dashboard and was automatically redirected but noticed it was simply a META refresh and the contents had actually loaded as well.
  • Browsed the contents loaded (view-source:) and saw even more javascript code making requests to an appspot.com domain which took a users ID as a parameter. What does this do..?
  • Attempted to query this endpoint and discovered I could reveal information on any user fully unauthenticated using the encrypted ID it responded with on another endpoint on a separate subdomain.

Take aways

Just because a page redirects, find out how & why. Is it because you are not authenticated?Does it load via 302 header, or is it redirecting via some javascript/meta refresh? If so, is there anything of interest in the code the page is redirecting away from?

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sean (zseano)

Sean (zseano)

UK WebApp Security Researcher. Creator of BugBountyHunter— designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com