Discovering a Critical Subdomain Takeover Vulnerability with a Custom Recon Approach

-
As a bug bounty hunter, I'm always looking for ways to improve my recon process to find unique vulnerabilities. Recently, I discovered a critical subdomain takeover vulnerability using a custom bash script and a lesser-known tool called SecretFinder. In this blog post, I'll share my experience and the technical details of the vulnerability.
My recon process started with subdomain enumeration using popular tools like Amass and Subfinder. I also used crt.sh to find subdomains that were recently added or updated. After I had a list of subdomains, I used HTTPX to check which subdomains were live.

Next, I ran Nuclei and FFUF to identify potential vulnerabilities. While these tools are great for finding low-hanging fruits like exposed Git repositories, I didn't find anything critical using them. So, I decided to use SecretFinder, a tool that searches for sensitive files and directories in web applications.

While SecretFinder often yields false positives, I ran it on all of my live subdomains and found multiple Amazon AWS URLs. Initially, I thought they were false positives since I got an "access denied" message when I hit the URL in my browser. But then I tried accessing the subdomain without any path and found that it threw the error "No Such Bucket."

This error message indicated that the subdomain was pointing to an S3 bucket that didn't exist. This meant that if I created a bucket with the same name, I could potentially perform a subdomain takeover. I quickly logged into the AWS console and created the bucket with the same name as the subdomain. To my surprise, I was able to upload files to the bucket and access them using the subdomain.
The impact of this vulnerability was critical, as an attacker could potentially access sensitive data stored in the bucket or even upload malicious files that could be executed on the victim's system. I immediately reported the vulnerability to the company, and they acknowledged it within a few hours. They also awarded me a bounty for my discovery.

In conclusion, my experience highlights the importance of having a unique recon approach and using lesser-known tools to find unique vulnerabilities. While popular tools like Nuclei and FFUF are great for finding low-hanging fruits, they may not always identify critical vulnerabilities. By using a combination of tools and custom scripts, you can increase your chances of finding unique vulnerabilities that other bounty hunters might miss.

Comments

Post a Comment

Popular posts from this blog

Most Important Linux commands that Nobody Teaches You

-
Image
Linux is a powerful operating system with a vast array of tools and utilities available to users. These tools make Linux an attractive option for system administrators, developers, and power users who require a flexible and customizable environment. In this article, we will look at some essential Linux tools and utilities that can help you manage your system more efficiently. Rsync Rsync is a popular command-line utility that is used for file synchronization and data backup. It allows users to copy files and directories to a destination, similar to the cp command, but with some added features. One of the key benefits of using Rsync is that it allows you to copy files to remote locations, making it an excellent choice for backup purposes. Example usage : $ rsync -vap --ignore-existing <source_file> <destination_file> Key flags: v = verbose r = recursive p = preserve permissions g = group o = owner a = archive --progress = progress bar Mkpasswd Mkpasswd is a simple but useful
Read more

Unleashing Bug Bounty Success: Subdomain Enumeration, Content Discovery, and Vulnerability Scanning Approach

-
Image
Subdomain Enumeration  Subdomain enumeration is a critical aspect of robust cybersecurity practices. By employing effective tools and techniques, professionals can enhance their ability to identify potential vulnerabilities and uncover valuable information. In this article, we will explore recommended tools and methodologies for subdomain enumeration to optimize your security efforts. Knockpy, an exceptional subdomain enumeration tool, provides valuable insights into response codes and server details. To leverage its capabilities, execute the following command using Python3: python3 knockpy example.com While encountering response codes such as 404 or 403 may initially appear discouraging, it is crucial to thoroughly investigate these subdomains. Hidden within these seemingly unremarkable sites, valuable discoveries may await. For comprehensive subdomain enumeration, we highly recommend the utilization of "assetfinder." This powerful tool can be executed using the following co
Read more

Enhance Your Bug Bounty Journey with the Tools and Binaries of Bughunt3r Virtual Machine

-
Bug bounty hunting requires a comprehensive toolkit to uncover vulnerabilities and secure web applications. In this blog post, we will explore the top 20 tools and binaries that can supercharge your bug bounty efforts. These powerful tools cover a wide range of functionalities, from web vulnerability scanning to subdomain enumeration and source code analysis. We will focus on how these tools can be leveraged to optimize your bug bounty workflow, with specific examples targeting the domain *.example.com. Let's dive in! A virtual machine (.ova) file where almost all bug bounty tools are installed; specially burpsuite pro with license :) OS: Kali-Linux Version: 2022.1 Download link: https://drive.google.com/file/d/1Tkj3jKOvL7M08zG5JGVoqhZh50VMyM3X/view File size: 6 GB Installed top 20 tools and binaries [1]burpsuite professional [2]zaproxy [3]crlfuzz [4]ffuf [5]kite [6]dalfox [7]nuclei [8]rustscan [9]sqlmap [10]nmap [11]waybackurls [12]subfinder [13]xsstrike [14]nosqlmap [15]gitdu
Read more