Discovering a Critical Subdomain Takeover Vulnerability with a Custom Recon Approach

As a bug bounty hunter, I'm always looking for ways to improve my recon process to find unique vulnerabilities. Recently, I discovered a critical subdomain takeover vulnerability using a custom bash script and a lesser-known tool called SecretFinder. In this blog post, I'll share my experience and the technical details of the vulnerability.

My recon process started with subdomain enumeration using popular tools like Amass and Subfinder. I also used crt.sh to find subdomains that were recently added or updated. After I had a list of subdomains, I used HTTPX to check which subdomains were live.

Next, I ran Nuclei and FFUF to identify potential vulnerabilities. While these tools are great for finding low-hanging fruit like exposed Git repositories, I didn't find anything critical using them. So, I decided to use SecretFinder, a tool that searches for sensitive files and directories in web applications.

While SecretFinder often yields false positives, I ran it on all of my live subdomains and found multiple Amazon AWS URLs. Initially, I thought they were false positives since I got an "access denied" message when I hit the URL in my browser. But then I tried accessing the subdomain without any path and found that it threw the error "No Such Bucket."

This error message indicated that the subdomain was pointing to an S3 bucket that didn't exist. This meant that if I created a bucket with the same name, I could potentially perform a subdomain takeover. I quickly logged into the AWS console and created the bucket with the same name as the subdomain. To my surprise, I was able to upload files to the bucket and access them using the subdomain.

The impact of this vulnerability was critical, as an attacker could potentially access sensitive data stored in the bucket or even upload malicious files that could be executed on the victim's system. I immediately reported the vulnerability to the company, and they acknowledged it within a few hours. They also awarded me a bounty for my discovery.
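The dangling record described above is something the owning team can catch in its own DNS zone before anyone else claims the bucket name. The following is an added example, not the author's script: it takes, for each subdomain, the CNAME target and the HTTP response the bare host returned, and flags records that point at S3 while the bucket answers "NoSuchBucket". The hostnames, CNAME targets and response bodies are constructed samples so the check runs offline; a real audit would feed it live DNS answers and responses.

```python
"""Flag subdomains whose CNAME points at S3 but whose bucket no longer exists.

Added example, not the post author's code. All records below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, NamedTuple, Optional

# CNAME targets that resolve to S3: bucket.s3.amazonaws.com,
# bucket.s3.eu-west-1.amazonaws.com, bucket.s3-website-us-east-1.amazonaws.com, ...
S3_ENDPOINT_RE = re.compile(r"(?:^|\.)s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com\.?$")

# S3 website endpoints answer with an HTML page carrying "Code: NoSuchBucket"
# rather than the XML error document the REST endpoints return.
HTML_CODE_RE = re.compile(r"Code:\s*([A-Za-z]+)")

# Error codes that prove the bucket exists, i.e. the name is already owned.
CLAIMED_CODES = {"AccessDenied", "AllAccessDisabled", "NoSuchKey"}


class Record(NamedTuple):
    host: str              # our subdomain
    cname: Optional[str]   # CNAME target from DNS, None if the name has no CNAME
    status: int            # HTTP status returned for http://host/ (no path, as in the post)
    body: str              # response body


def is_s3_alias(target: Optional[str]) -> bool:
    """True if the CNAME target is an S3 REST or website endpoint."""
    return bool(target) and S3_ENDPOINT_RE.search(target.lower()) is not None


def s3_error_code(body: str) -> Optional[str]:
    """Extract the S3 error code from an XML <Error> document or a website-style HTML page."""
    text = body.strip()
    try:
        root = ET.fromstring(text.encode("utf-8"))
        if root.tag == "Error":
            return root.findtext("Code")
    except ET.ParseError:
        pass
    m = HTML_CODE_RE.search(text)
    return m.group(1) if m else None


def classify(rec: Record) -> str:
    """'dangling' means the bucket name is unclaimed: the takeover exposure described in the post."""
    if not is_s3_alias(rec.cname):
        return "not-s3"
    code = s3_error_code(rec.body)
    if code == "NoSuchBucket":
        return "dangling"
    if code in CLAIMED_CODES or rec.status < 400:
        return "claimed"
    return "unknown"


def audit(records: Iterable[Record]) -> Dict[str, str]:
    """Map each host to its classification."""
    return {r.host: classify(r) for r in records}


# Constructed sample data: hostnames, targets and request ids are placeholders.
SAMPLE_RECORDS = [
    # REST endpoint, bucket gone: XML NoSuchBucket -> dangling
    Record("assets.example.test", "assets-example.s3.amazonaws.com.", 404,
           '<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>NoSuchBucket</Code>'
           '<Message>The specified bucket does not exist</Message>'
           '<BucketName>assets-example</BucketName><RequestId>PLACEHOLDER</RequestId>'
           '<HostId>PLACEHOLDER</HostId></Error>'),
    # Website endpoint, bucket gone: HTML error page -> dangling
    Record("static.example.test", "static-example.s3-website-us-east-1.amazonaws.com", 404,
           "<html><head><title>404 Not Found</title></head><body><h1>404 Not Found</h1>"
           "<ul><li>Code: NoSuchBucket</li><li>Message: The specified bucket does not exist</li>"
           "<li>BucketName: static-example</li></ul></body></html>"),
    # Bucket exists but is private: AccessDenied -> claimed (no takeover exposure)
    Record("media.example.test", "media-example.s3.eu-west-1.amazonaws.com", 403,
           '<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>AccessDenied</Code>'
           '<Message>Access Denied</Message><RequestId>PLACEHOLDER</RequestId>'
           '<HostId>PLACEHOLDER</HostId></Error>'),
    # Not an S3 alias at all
    Record("www.example.test", "edge.cdn-provider.test", 200, "<html>ok</html>"),
]


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{verdict:9} {host}")
```

Only the records classified `dangling` need action: either delete the CNAME or recreate the bucket under the account that owns the zone. The check deliberately requests the bare host without a path, matching the observation in the post that the root of the subdomain is where the "No Such Bucket" error shows up.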

In conclusion, my experience highlights the importance of having a unique recon approach and using lesser-known tools to find unique vulnerabilities. While popular tools like Nuclei and FFUF are great for finding low-hanging fruit, they may not always identify critical vulnerabilities. By using a combination of tools and custom scripts, you can increase your chances of finding unique vulnerabilities that other bounty hunters might miss.
