How I Found Multiple Bugs on an E-commerce Website

Pranjal Gaur
2 min read · Dec 22, 2020

Hello folks, this is my first bug bounty writeup; I’ll try my best to explain it properly.

So recently I was testing an e-commerce website; for now let’s call it target.com.

Bug 1: Open Redirection

What is Open Redirection?

Open redirect is a type of web application security issue that allows attackers to use your business reputation to make phishing attacks more effective. If you allow open redirects, an attacker can send a phishing email that contains a link with your domain name and the victim will be redirected from your web server to the attacker’s site.

While browsing the website I noticed that it was fetching items from an internal server via a GET request.

https://target.com/SOMETOKENS&token=UNIQTOKEN/?item_N=PRIVATEADDRESS

Just by changing the private address to any other domain, it got successfully redirected. But the issue was the tokens used in the GET request; the one way to bypass this was to remove the token parameter from the URL, and it worked perfectly.

E.g.:

https://target.com/?item_N=https://malicious-website.com/

Easy One :D

Bug 2: SSRF

What is SSRF?

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure, or to external third-party systems.

Bug:

At first glance I tried the open redirection and it worked fine. Then I thought: if the application is fetching the item’s details from the internal network, what if I try to access other internal IPs?

So I tried to access 127.0.0.1:

https://target.com/?item_N=http://127.0.0.1/

But no luck with this, so I tried multiple payloads and at last I successfully bypassed localhost with CIDR:

https://target.com/?item_N=http://127.127.127.127/
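As an added illustration (my own example, not code from the post or from the site it describes), the check below shows why a string blocklist for the item_N parameter misses 127.127.127.127 (it sits inside the 127.0.0.0/8 loopback range, not just at 127.0.0.1) and how an allowlist plus address classification closes both the open redirect and the SSRF. The host items.internal.example is a constructed placeholder.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist: the only host the item-fetch feature should contact.
ALLOWED_HOSTS = {"items.internal.example"}


def naive_is_blocked(url: str) -> bool:
    """String blocklist of the kind the post bypasses: it matches '127.0.0.1'
    but not any other address in the 127.0.0.0/8 loopback range."""
    host = urlparse(url).hostname or ""
    return host in {"127.0.0.1", "localhost"}


def is_internal_address(host: str) -> bool:
    """True if `host` is an IP literal in loopback, private, link-local,
    reserved, multicast or unspecified space (127.127.127.127 is loopback)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal at all
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def is_safe_item_url(url: str) -> bool:
    """Allowlist check for item_N: http(s) only, hostname must be allowlisted,
    and IP literals are rejected outright so no CIDR trick can apply."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 brackets)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host in ALLOWED_HOSTS  # a hostname: must be on the allowlist
    return False  # any IP literal, whatever range it falls in
```

The hostname allowlist does nothing against DNS rebinding on its own; a production fix should also validate the resolved address with is_internal_address at connect time.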

Sensitive Information Disclosure:

Nothing interesting was running on localhost, so I used Burp for directory brute-forcing and found a folder named ftp with directory listing enabled.

The ftp folder contained lots of sensitive information.

I quickly made a report and sent it to the security team immediately. In a few days I got a response and, after explaining the impact of both bugs, they rewarded me with a free $$$ shopping coupon.

Happy Hunting!