I started with the usual subdomain recon of a Google acquisition (VirusTotal). This time I used an online subdomain finder service, https://subdomainfinder.c99.nl/, to find subdomains quickly.
Then I found the subdomain grafana.internal.virustotal.com. The word "internal" in the subdomain made me curious enough to visit that page.
Unfortunately, it's only for authorized users. I searched for Grafana endpoints, visited /signup and tried to sign up for a new account, but it showed that sign-up was disabled.
Then I thought that if OAuth sign-in was allowed, I could try logging in using Google, GitHub or any other service. But everything was disabled for new-user sign-up.
I was looking for blogs on Google VRP reports as well as noting down its popular acquisitions.
Then I found a blog (https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html) which talks about an unauthenticated Jira instance leaking dashboard names, project titles and user profile pictures when filters are applied.
It also mentions that the website only supports logging in with an @apigee.com email address, so I thought: why not try logging in using Google OAuth? I signed in using my Gmail account and was successfully logged in!!!
Now I visited https://apigeesc.atlassian.net/jira/dashboards?view%3Dpopular; it was leaking dashboard names and project titles along with user display pictures.
If you visit the link unauthenticated…
This is one of the easiest bugs that I have found in a private bug bounty program.
The program had two of its browsers in its scope. I was testing for RTLO-related bugs, and I found that the downloads section of the browser was rendering the RTLO characters in an improper way.
RTLO characters are "Right-To-Left Override" characters, which cause the text after them to be rendered from right to left, unlike English, which is rendered from left to right.
I made a quick POC:
<a href="Link_TO_File_With_RTLO" download>apk rendered as txt file in browser downloads click here</a>
I named a file textfile%E2%80%AEtxt.apk, which…
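The following is an added example, not code from the original post, showing the defender's side of the RTLO trick above: it takes a download filename (URL-encoded as in the post, or raw), flags any Unicode bidirectional override characters, approximates how the name would be displayed once U+202E reverses the text after it, and produces a sanitized name with the controls stripped. The display approximation is an assumption of this example (it only models U+202E and U+202C, not the full Unicode bidi algorithm) and is enough to show why "textfile\u202etxt.apk" looks like a .txt file while really being an .apk.

```python
import unicodedata
from urllib.parse import unquote

# Unicode bidirectional control characters that can make a filename render
# differently from its real character order. (Set chosen for this example.)
BIDI_CONTROLS = {
    "\u202a", "\u202b",  # LRE / RLE embeddings
    "\u202d", "\u202e",  # LRO / RLO overrides (RLO is the classic RTLO trick)
    "\u2066", "\u2067", "\u2068",  # LRI / RLI / FSI isolates
}
POP_DIRECTIONAL = "\u202c"  # PDF: ends an override/embedding


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def displayed_name(name: str) -> str:
    """Approximate what a naive renderer shows: after U+202E, characters are
    reversed until U+202C or the end of the string. Assumption of this example,
    not a full bidi implementation."""
    shown, reversed_run, in_override = [], [], False
    for ch in name:
        if ch == "\u202e":
            in_override = True
        elif ch == POP_DIRECTIONAL:
            if in_override:
                shown.extend(reversed(reversed_run))
                reversed_run, in_override = [], False
        elif in_override:
            reversed_run.append(ch)
        else:
            shown.append(ch)
    if in_override:
        shown.extend(reversed(reversed_run))
    return "".join(shown)


def sanitize_name(name: str) -> str:
    """Strip all bidi control characters so the shown name equals the real name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS and ch != POP_DIRECTIONAL)


def analyse_filename(raw_name: str) -> dict:
    """Decode a (possibly URL-encoded) filename and report RTLO-style spoofing."""
    name = unquote(raw_name)
    controls = [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    return {
        "suspicious": bool(controls),
        "controls": controls,                      # positions and names of the control chars
        "real_extension": extension_of(name),      # what the OS will actually treat the file as
        "displayed_extension": extension_of(shown),  # what the user is likely to see
        "displayed_name": shown,
        "sanitized_name": sanitize_name(name),
    }


if __name__ == "__main__":
    # Constructed inputs: the filename from the post and a benign one.
    for sample in ("textfile%E2%80%AEtxt.apk", "report.pdf"):
        print(sample, "->", analyse_filename(sample))
```

A download manager or upload handler can apply the same check: refuse or rewrite any name where `displayed_extension` differs from `real_extension`, and always render `sanitized_name` rather than the raw string.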
This is the story of a CORS bug that I found in one of Google's acquisitions, Kaggle, where I got rewarded for a CORS bug in a 404 page.
One fine day I was looking at one of the acquisitions of Google (Kaggle). Kaggle is used worldwide by the machine learning community and is pretty famous.
I tried looking for CSRF bugs all over the website, but everything went in vain. I also searched for CORS misconfigurations but couldn't find anything useful. …
If you think WhatsApp is totally safe and your profile picture is visible only to people in your contacts, or according to your privacy settings, then you are totally wrong.
I found a bug in WhatsApp through which any third-party app with only the read-storage permission can access your WhatsApp profile picture, no matter what your profile visibility settings are or how secure they are.
Let's go into the details of the bug:
The original profile picture is stored at the location "/data/data/com.whatsapp/files/me.jpg", an internal storage location which is accessible only to WhatsApp and not even visible to you if you browse through a normal…
This is a low-hanging bug I discovered in Google. This blog is going to be short and to the point.
I followed the usual recon process; after enumerating subdomains,
I selected https://datastudio.google.com. I tried to check for popular vulnerabilities: XSS, CSRF, SSRF and what not!!!
But I couldn't find anything. Then I tried to look at the features of the website. There was an option to EMBED any site in a report.
I embedded a site and watched the request through Burp Suite. I couldn't believe my eyes: the private link of the document was passed as the Referer header to the EMBEDDED link.
So if you have read part 1, you would have seen that I found a stored self-XSS in manager.skype.com which was getting escalated in the option ("make the USER as admin of group_name"), as group_name was not properly sanitized there.
Here's what I did to affect other users. You just need to create an invite link and make a user join your group.
Once the user joins your group, you just need to make him an admin using the option I mentioned earlier (this requires no user interaction once he joins the group).
Once the user is made an admin, he will…
To keep it simple, I want to make this blog to the point, instead of writing a script for the Mahabharata!!!
How it all started?
I was thinking of services provided by Microsoft, and Skype came to my mind.
I tested out Skype but couldn't find anything. Then, after some usual recon, I found the subdomain manager.skype.com. If you're visiting the website for the first time, the following pop-up will appear asking for the name of a group.
I entered the payload "><svg/onload=confirm(document.domain)> and clicked continue.
Guess what??? Nothing happened. Then I visited my profile section and was surprised to see…