An interesting IDOR that allowed me to see all projects ($$$$ bounty)
Hi all, today I will share an interesting IDOR that I found in one of HackerOne's private programs, which allowed me to disclose all users' private projects without their permission :)
Introduction:
It was a normal day like any other, and I got an invite to a private program, so I figured I'd take a look at it. I grabbed a cup of coffee, entered the website and started testing it as a normal user.
I created a project and made it private, then decided to open the project link in a private browser window, and this was the result:
I noticed it wasn't found, but before that I had noticed that it was uploaded on the main website. So I kept thinking about what to do next and decided to go deeper and check some subdomains.
Tip: just because the main domain is secure, that doesn't mean the subdomains are also secure :)
After checking a few subdomains I noticed one of them had the same login page as the main website, so I directly tried to log in with the same credentials I used on the main website, and I was surprised to find that I was logged in. That meant another chance for an IDOR :D
I went to one of the projects and this was the result:
It still didn't open, so I opened it in a new tab, and here was the surprise:
It was loaded from another subdomain, like this: uploads.target.com/get_image/project/577213875_282x210.png
It was clear now that I had to change the project ID, and that's what I did. The surprise was that it worked and took me to another user's project, but it wasn't clear whether it disclosed private projects, so I went to a private browser window and put in the ID of the private project I had created earlier on the main website, and I was able to view it even without logging in.
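To make the root cause concrete, here is an added example (my own code, not anything from the original post or the affected program) that models the `get_image/project/<id>_<size>.png` endpoint described above. The vulnerable handler resolves the asset from the ID alone, which is exactly why swapping the ID returned another user's private project. The hardened handler runs an object-level authorization check (project visibility plus owner/membership) on every request, which is the check the uploads subdomain was missing. The project records, user names, image bytes and function names are constructed assumptions; only the ID format comes from the post.

```python
"""Added example: vulnerable vs hardened lookup of a project image by ID.

Everything here is constructed sample data; the endpoint and function
names are assumptions, not the affected program's real code.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Project:
    project_id: int
    owner: str
    private: bool
    members: set = field(default_factory=set)
    image: bytes = b""


# Constructed sample data: one private project and one public project.
PROJECTS = {
    577213875: Project(577213875, "alice", private=True, image=b"PNG-private-thumb"),
    577213876: Project(577213876, "bob", private=False, image=b"PNG-public-thumb"),
}


def parse_image_name(name: str) -> Optional[int]:
    """Pull the project ID out of '577213875_282x210.png'; None if malformed."""
    stem, sep, ext = name.rpartition(".")
    if not sep or ext.lower() != "png":
        return None
    id_part, _, _size = stem.partition("_")
    return int(id_part) if id_part.isdigit() else None


def get_image_vulnerable(name: str, user: Optional[str]) -> Optional[bytes]:
    """The pattern the post describes: knowing the ID is enough to fetch the file.

    The `user` argument is accepted but never consulted, so an anonymous
    request for a private project's thumbnail succeeds.
    """
    pid = parse_image_name(name)
    proj = PROJECTS.get(pid)
    return proj.image if proj else None


def can_view(proj: Project, user: Optional[str]) -> bool:
    """Object-level authorization: public projects are open to everyone,
    private projects only to the owner or an explicit member."""
    if not proj.private:
        return True
    if user is None:
        return False
    return user == proj.owner or user in proj.members


def get_image_hardened(name: str, user: Optional[str]) -> Optional[bytes]:
    """Same lookup, but the visibility check runs on every asset request.

    This is the check that has to exist on the uploads host too, not only
    on the main site's project page. Missing and forbidden both return
    None so the response does not reveal whether the ID exists.
    """
    pid = parse_image_name(name)
    proj = PROJECTS.get(pid)
    if proj is None or not can_view(proj, user):
        return None
    return proj.image


if __name__ == "__main__":
    name = "577213875_282x210.png"
    print("vulnerable, anonymous:", get_image_vulnerable(name, None))
    print("hardened, anonymous:  ", get_image_hardened(name, None))
    print("hardened, owner:      ", get_image_hardened(name, "alice"))
```

The fix belongs in the asset-serving layer itself: every host that can return the file has to resolve the owning project and apply `can_view`, otherwise a second subdomain with its own download function reproduces the same bug, as the post goes on to describe. Replacing sequential IDs with random, unguessable asset names makes enumeration harder but is not a substitute for the authorization check.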
I reported it and this was the result:
Accepted, rewarded and resolved as critical, but I didn't stop there. I kept going deeper and was able to find another subdomain with another function that allowed me to do the same thing, and I could double my bounty.
I hope this article was clear and that it will help some of you. Follow me on Twitter if you want more: https://twitter.com/hamzadzworm