access-controls: when my notes got me bugs

Hi. My name is Nafiz Imtiaz and I am from Bangladesh. I am currently active on bug-bounty programs hosted on HackerOne, BugCrowd and Intigriti. This post will be short, as it is my first blog post ever, so mistakes are bound to happen, and I am open to suggestions: I am nothing but a keen learner like you. As my learning journey expands I will try to write more, and more frequently. So, without further ado, let's start!

It has been a few months since I started working on a program on HackerOne. I had already reported two bugs to them, but they were nothing special, mostly informative and duplicate submissions. One thing I learned along the way is to take note of every endpoint or suspicious/interesting piece of the target. I apply this in my hacking: I note down every interesting endpoint that seems suspicious or weird to me. Things like outdated login panels, endpoints that return 403, outdated CMS versions, etc. go into my day-to-day notes with timestamps. Now many of you might be asking what the ideal note-taking app is to get this done without spending a buck. I can vouch for a few note-taking apps that I have used:

1. Cherrytree: best for CTF notes; fine for small to medium amounts of notes.
2. Obsidian: the best for note-taking, but like Cherrytree it lacks free synchronization. If you can pay for it, it is the most feature-rich note-taking tool; otherwise you can move to the app I use.
3. Notion: a decent tool for note-taking with good organizing functionality, and free synchronization across the web, the desktop app and the mobile app.

So let's jump to the actual bug that I found.

When I was hunting mainly for access-control issues, I found a couple of 403 endpoints that were not bypassable (or maybe I am not there yet :D), so I thought, "Why not note them down, so that when I find some bypasses I can apply them here?" So I noted them down and moved on to the next task. I submitted another bug apart from that, but it wasn't accepted. Then my exams started and I limited my hacking time to a few hours a day.

One day I was casually looking through my notes (it's a good habit to build) and found the endpoint I had noted one month earlier. It was clearly marked 403 Forbidden, so I said, "Let's look at the endpoint, it won't hurt that much." After opening it, I was like, "How on earth can this happen?" The endpoint was open and accessible, and in front of me was a huge list of users' PII in JSON format. After verifying the information I reported it to the team; the bug was acknowledged, but they didn't consider it an impactful one. So I respected their opinion and moved on to find the next impactful bug.

This story might not have a happy ending, but a lesson was learned. Always check your notes, even after months; in my case they had something just waiting to be uncovered. I guess I wasn't prepared and was impatient, and didn't properly verify the impact. Don't make the mistakes I did: check for impact even more carefully than you check for vulnerabilities.
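The two habits this post turns on, keeping timestamped notes of endpoints and re-checking them later, are easy to script. Below is an added illustration, not the author's tooling: it parses a small constructed notebook of URLs with the status each returned when noted, re-probes them through a pluggable fetcher, and reports any previously forbidden endpoint that now answers 200, listing PII-looking keys if the body is JSON so the impact check is not forgotten. The note format, the URLs, the `fake_fetch` responses and the `PII_KEYS` list are all assumptions made for the example; `live_fetch` shows where a real HTTP call would go.

```python
"""Re-check endpoints from a hunting notebook and flag access-control changes.

Added illustration, not the author's tooling. The note format, the fake
fetcher and the sample data are all constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample notebook, one entry per line:
# "<ISO date> <status when noted> <url> <free-text comment>"
SAMPLE_NOTES = """\
2023-03-02 403 https://api.example.com/internal/users   forbidden, try bypasses later
2023-03-02 403 https://api.example.com/admin/export     forbidden
2023-03-05 200 https://www.example.com/old-login        outdated login panel
"""

# Assumed list of JSON keys that usually mean personal data is being exposed.
PII_KEYS = {"email", "phone", "address", "ssn", "dob", "full_name", "name"}


@dataclass
class Note:
    noted_on: str
    status: int
    url: str
    comment: str


def parse_notes(text: str) -> List[Note]:
    """Parse the notebook format above; blank lines and '#' comments are skipped."""
    notes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, status, url, *rest = line.split(maxsplit=3)
        notes.append(Note(date, int(status), url, rest[0] if rest else ""))
    return notes


def pii_fields(body: str) -> List[str]:
    """Return PII-like keys found in a JSON body (an object or a list of objects)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    records = data if isinstance(data, list) else [data]
    found = set()
    for rec in records:
        if isinstance(rec, dict):
            found |= {k for k in rec if k.lower() in PII_KEYS}
    return sorted(found)


Fetcher = Callable[[str], Tuple[int, str]]


def recheck(notes: List[Note], fetch: Fetcher) -> List[dict]:
    """Re-probe each noted URL and report entries whose status changed.

    Each finding records the URL, the old and new status, and, when a
    previously 401/403 endpoint now answers 200, any PII-like JSON keys.
    """
    findings = []
    for n in notes:
        status, body = fetch(n.url)
        if status == n.status:
            continue
        finding = {"url": n.url, "was": n.status, "now": status, "pii": []}
        if n.status in (401, 403) and status == 200:
            finding["pii"] = pii_fields(body)
        findings.append(finding)
    return findings


# Constructed fake fetcher so the example runs offline; the first endpoint
# simulates the post's scenario (403 a month ago, open JSON user list now).
FAKE_RESPONSES = {
    "https://api.example.com/internal/users": (200, json.dumps([
        {"id": 1, "full_name": "A. User", "email": "a@example.com", "phone": "000"},
        {"id": 2, "full_name": "B. User", "email": "b@example.com", "phone": "000"},
    ])),
    "https://api.example.com/admin/export": (403, "Forbidden"),
    "https://www.example.com/old-login": (200, "<html>login</html>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (404, ""))


def live_fetch(url: str) -> Tuple[int, str]:
    """Real fetcher to swap in for fake_fetch (assumes the `requests` package)."""
    import requests
    r = requests.get(url, timeout=10, allow_redirects=False)
    return r.status_code, r.text


if __name__ == "__main__":
    for f in recheck(parse_notes(SAMPLE_NOTES), fake_fetch):
        extra = f"  PII keys: {', '.join(f['pii'])}" if f["pii"] else ""
        print(f"{f['url']}: {f['was']} -> {f['now']}{extra}")
```

Run it on a schedule against your own notebook (swapping `fake_fetch` for `live_fetch`, and only against targets you are authorised to test) and the 403-that-became-200 case surfaces by itself, with the PII-key list ready to go into the impact section of the report.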

So that is it for today. I hope you learned something from my mistakes, as I am eager to learn and give back to the community that has given me a lot.

bye!