Crazy Simple Insecure Design & 300$ Bounty!

Hi guys, I’m Saransh Saraf, An Indian Bug Bounty hunter & Security Researcher (I’ve also done LAMP Stack Development)and this will be a series of Logical Bugs….👾 before we explore this I want little help, If you get rewards or HoF from this give some credit 😼 You’ll get my social links at the end of this article.

Insecure Design : Asset verification error leads to information disclosure

Few months ago I’ve found an article of IP Grabber Bug which is also known as “pixel that steals data” here you can learn basics about this pixel data stealer bug..

Simple enough right? a month ago I was testing a platform target.com and it was a website builder platform, I didn’t found much bugs there so I was looking for some unique bugs… I was looking at the console tab of a subdomain ex: sub.target.com and I saw a 403 error on 3rd party service the website was using, After investigating it a bit I’ve found that it happening because of Same-Origin & CORS Implementation…hmm Interesting though here you can learn more about Same Origin Policy

“The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin.” this line gave me a hint for the pixel data stealer, And I began to think “Okay, but how can implement it here

Well as you know that the website allows us to create other website, for that we have an option to create a team project

Project Dashboard

After Exploring/Intercepting the Settings/~Requests I found a insecure design issue here is the workflow of the website:

Project Logo → Upload → Back to frontend with URL → Then Save it to User Profile (From the Front end)

Now you’re getting Ideas right..😋

What we’ll do : we’ll upload an Image and when the Application will send the post request we’ll replace it with our IP Logger BIN (URL)

But wait what about the Same Origin ? I totally Ignored it and tested my attack and It turns out that it was Misconfigured and my attack was successful, I got the IP, Location, ISP & User Agent of the Victim, he just have to visit the project dashboard on his/her end.

Wait !! this is not it 🤗

I Again Started to explore more, I again got this same issue on the “Site Builder Section”

Site Builder

It got me 300$ in total till now for 2 Resolved issues, 1 more triaged & 3 Active Submissions.

Summary :

1. Upload an Image to any logo/image upload form →

2. See if the response is coming or not →

3. now hit the save button →

4. See if the application is sending the Image url or not →

5. If yes replace it with the IP logger BIN (URL)

Hope You Enjoyed It, If yes make sure to clap for me :) Don’t worry PoC will be Out soon 🤝😼

Connect with me/ Give a mention & Credit

My Teammate

Instagram

https://www.instagram.com/sarans0x00h https://www.instagram.com/harsh_ban_

A big Thanks to my seniors, friends and enemies :)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Saransh Saraf aka (MR23R0)

Saransh Saraf aka (MR23R0)

A bug bounty hunter and ethical hacker from india. I also love to code and make new web functions and websites with amazing features.