ATO | How I exploited a security issue to take over an admin account
<p>A few days ago I came across the bug bounty program of a booking website, let’s call it <a href="https://redacted.com/" rel="noopener ugc nofollow" target="_blank">https://redacted.com</a>. It was an interesting site with multiple functionalities and some creative features. I don’t often write about bug bounty findings, but this one is worth it: there were ups and downs, and several security issues had to be chained together.</p>
<p>Understanding <a href="https://redacted.com/" rel="noopener ugc nofollow" target="_blank">https://redacted.com</a>:<br />
The site gave each business its own subdomain on which it could create a booking page, an embeddable input form, reviews, and service information such as a description (which turned out to be important in this case).</p>
<h1><strong>Recon :</strong></h1>
<p>As usual, I scanned the company’s assets and found a Zabbix portal exposed to the internet. I was able to log in with the default credentials; I quickly submitted the issue and was rewarded immediately. Zabbix ships with a default Admin account whose password is documented in its own manual, so any internet-facing instance is worth checking for it.</p>
<p>I then decided to go through the complete website and understand it well. I had only recently started bug bounty and did not yet have a consolidated testing plan, so I decided to stick with this target until I found something significant.</p>
<p>I started testing at random, not yet aware of all the features, so while exploring the application I kept asking myself a few questions: what is this feature? what is its use case? what could a developer have missed while building it in phases? This was the period of exploring and understanding the website from every corner.</p>
<p>I registered an account and started the onboarding flow. My first startup was called “bounty spa”; I registered with that name and, almost at random, pasted an XSS payload into the description field:</p>
<pre>
<img src=1 onerror=alert(1)/></pre>
<p><a href="https://ar1fshaikh.medium.com/1st-ato-how-i-exploited-security-issue-to-take-over-admin-account-e0ae309dc356"><strong>Read More</strong></a></p>