In this write-up I will share my experience with a valid report I submitted. This will be a series that continues as I discover new vulnerabilities. 😊 Let's begin!
I chose a Vulnerability Disclosure Program (VDP) because, as you know, such programs usually attract less competition than paid bounty programs.
After selecting my target program, I started with the classical reconnaissance phase. Unfortunately, by the end of the recon, I hadn't found anything significant.
That's when I decided to try one last approach.
I computed the hash of the main application's favicon.ico and searched for it on Shodan (Shodan indexes favicons by the MurmurHash3 value of their base64-encoded bytes, searchable with the http.favicon.hash: filter). This turned up three IP addresses serving the same application.
Next, I started directory fuzzing with the following command (the original extension list contained several duplicates such as bak, conf, swp, old, sql, log, js and json; they are removed here, which does not change what gets requested):
dirsearch -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bkp,cache,cgi,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,sql.gz,sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,xml -u https://target.com
This is my general-purpose command for directory fuzzing when there is no specific technology to focus on.
During the directory fuzzing phase, I discovered a backup.zip file on one of the IP addresses.
I immediately downloaded and analyzed the file.
To my surprise, it contained everything an attacker would need, including source code, configuration files, and credentials for SSH and FTP access.
I reported this issue, and it was accepted as a high-severity vulnerability.
Lessons Learned:
After finding the backup.zip file, I checked the other two IP addresses to see whether they exposed the same file.
Surprisingly, they didn't, even though they were running the same application. Deployments that look identical from the outside are not identical: a forgotten backup in the web root is a per-host artifact, not a property of the application, so every host the favicon pivot surfaces deserves its own fuzzing pass.
If I had started my testing with the other IP addresses, I likely wouldn't have found this vulnerability and might have missed the opportunity to dig deeper into the program.
For the defending side the fix is equally simple: backups and archives never belong under a directory the web server can serve, and a periodic crawl of your own hosts for such files catches the one instance that slipped through.
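Checking "the other hosts" by hand is where this kind of finding is usually missed, and a bare status code is not proof: many applications answer every unknown path with 200 and an HTML "not found" page. The block below is an added example, not code from the original post. It probes each host from the favicon pivot for a handful of backup names (the BACKUP_PATHS list is my assumption, not the author's wordlist), accepts a hit only when the body starts with a real archive or dump signature, and inventories a zip in memory so that nothing is extracted to disk during triage. The sample archive is constructed in the block and contains no real data.

```python
import io
import urllib.error
import urllib.request
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Leading bytes of common archive and dump formats.  A 200 response alone is not
# evidence; the body must carry one of these signatures to count as a find.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"BZh": "bzip2",
    b"SQLite format 3\x00": "sqlite",
}

# assumed candidate names, not the author's list
BACKUP_PATHS = ["/backup.zip", "/backup.tar.gz", "/db.sql.gz", "/www.zip"]

# substrings that mark an archive entry as worth reading first during triage
SENSITIVE_HINTS = (".env", "config", "id_rsa", ".pem", ".sql", "password")


@dataclass
class Probe:
    host: str
    path: str
    status: int
    content_type: str
    head: bytes        # first bytes of the response body


def classify(head: bytes) -> Optional[str]:
    """Return the archive type implied by the file signature, or None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def is_real_backup(probe: Probe) -> bool:
    """True only for a 200/206 whose body really is an archive or dump,
    which filters out soft-404 pages and login redirects served as HTML."""
    if probe.status not in (200, 206):
        return False
    if probe.content_type.lower().startswith("text/html"):
        return False
    return classify(probe.head) is not None


def zip_inventory(blob: bytes, limit: int = 50) -> List[Tuple[str, int]]:
    """List (name, size) of zip entries without extracting: no writes to disk,
    so zip bombs and '../' entry names cannot do harm while you triage."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size) for i in zf.infolist()[:limit]]


def sensitive_entries(blob: bytes) -> List[str]:
    """Entry names that deserve a look first (config, keys, dumps)."""
    return [n for n, _ in zip_inventory(blob)
            if any(h in n.lower() for h in SENSITIVE_HINTS)]


def probe(host: str, path: str, timeout: float = 10) -> Probe:
    """Network helper (not exercised offline): fetch only the first 64 bytes."""
    req = urllib.request.Request(
        f"https://{host}{path}",
        headers={"Range": "bytes=0-63", "User-Agent": "backup-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Probe(host, path, r.status, r.headers.get("Content-Type", ""), r.read(64))
    except urllib.error.HTTPError as e:
        return Probe(host, path, e.code, e.headers.get("Content-Type", ""), b"")
    except (urllib.error.URLError, OSError):
        return Probe(host, path, 0, "", b"")


def check_hosts(hosts: List[str], paths: List[str] = BACKUP_PATHS) -> List[Probe]:
    """Probe every host from the favicon pivot, not just the first one."""
    hits = []
    for host in hosts:
        for path in paths:
            p = probe(host, path)
            if is_real_backup(p):
                hits.append(p)
    return hits


def build_sample_zip() -> bytes:
    """Constructed stand-in for a leaked backup; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.php", "<?php $ftp_pass = 'example';")
        zf.writestr("deploy/id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n")
        zf.writestr("public/index.html", "<html></html>")
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_zip()
    print(classify(blob), zip_inventory(blob))
    print("read first:", sensitive_entries(blob))
```

Run check_hosts over all three addresses from the Shodan result rather than stopping at the first; on the page's own story the second and third hosts would have returned no hit, which is exactly the negative result you want recorded before moving on.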