How I was able to R3@D !NT3RN@L (H@T of a private Website
Various Possibilities to Find Crucial and Critical BUGS!!!
Hi Friends!!! Welcome to the MultiVerse Bug Bounty Blog, where we love hacking more than the Joker loves saying "Why So Serious?".
This is Pratyush, and today we are going to look at a more critical side of bug hunting, because I found this bug in a place that many people consider NO-Where to find a critical bug. This time I am again going after the "RESPONSE" of the server; if you haven't been through my last blog post, please read it here.
This was a time when I was reporting bugs and getting a few responses from private websites that were just stepping into bug bounty programs, and I was lucky to get them in the first place. I will keep it very short this time because I don't have much to explain, just a simple "tip" that might make you lucky enough to get a pretty good bounty.
So I was in a serious mood to hunt down a few good-quality bugs (meaning I had a need that only a good bounty would fulfil), and I was testing Not this site for some IDOR/authentication-related bug to make a big-time bounty out of it.
So I went ahead and looked for CSRF to see if the account could be taken over that way, but no luck, as it has a proper anti-forgery token implementation that was being validated on the server side. Then I was checking for IDOR and still no better luck!!! Out of frustration I thought of checking the "Response" of the server to my "save account details" request, and on the first attempt I missed this bug; I went on to check all the other details but missed this particular line :(
So I checked the "Response" again and found this particular line, which contained a web URL to their internal chat application, as you can see below (sorry for the poor quality of my phone camera)...
So basically, I can see that I have a URL to their chat application, but I know it will definitely be protected with a unique username and password, and if I have the URL but can't see any sensitive data, no bounty will be paid; they won't even consider it a bug. So with some hope I browsed that URL to see if it was open directly without any authentication, but No Luck!!!
But if luck is on your side even 1%, you will find something, and mine was a lucky day, so I saw the option below on my screen....
I know what you are thinking: it says new user registration is disabled (because I reported it and they disabled it), but on that lucky day it was enabled, and I simply registered in their chat application and it let me log in as a normal user (I somehow forgot to take a screenshot of the web URL while it was vulnerable, and I am sorry for that).
After logging in, I was placed in a group chat named "#General", and I was able to read many chats; I even got contact details, which user is "Admin" and who has fewer permissions. Everything was clearly visible, as the chat application had added me as a user. For the POC you can see the screenshot below...
Baam!!! I got in and was able to read many sensitive chats inside the organization in the other channel they have (can't provide that screenshot because it contains many critically sensitive details). So for reporting this one I got one heck of a bounty.
So guys, never take the chance of skipping the "Response" part of any request; you may find something unique that might give you a hell of a lot of $$$.
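The "check the Response" tip above, turned into a defender's check as an added example (not code from the original post): a small Python helper that flags URLs in a response body that point at private IPs or internal-looking hosts, the kind of regression check a team could run on its own API responses before an outsider reads them. The sample JSON, hostnames and label lists are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of a "save account details" response that leaks an
# internal chat URL next to legitimate public links (hypothetical values).
SAMPLE_RESPONSE = (
    '{"status":"ok","profile":"https://www.example.com/me",'
    '"help":"https://help.example.com/faq",'
    '"support_chat":"https://chat.corp.example.internal/home",'
    '"debug":"http://10.0.12.7:3000/channel/general"}'
)

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# Assumed conventions for hosts that should never reach an end user.
INTERNAL_SUFFIXES = (".internal", ".local", ".lan", ".corp", ".intranet")
INTERNAL_LABELS = ("chat", "intranet", "staging", "dev", "internal")


def is_internal_host(host: str, public_hosts: set[str]) -> bool:
    """True for private IPs, internal TLDs, or unknown hosts with an internal-looking label."""
    if host in public_hosts:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, fall through to name-based checks
    if host.endswith(INTERNAL_SUFFIXES):
        return True
    return any(label in host.split(".") for label in INTERNAL_LABELS)


def find_internal_urls(body: str, public_hosts: set[str]) -> list[str]:
    """Return every URL in a response body whose host should not be exposed."""
    leaks = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and is_internal_host(host, public_hosts):
            leaks.append(url)
    return leaks


if __name__ == "__main__":
    allowed = {"www.example.com", "help.example.com"}
    for url in find_internal_urls(SAMPLE_RESPONSE, allowed):
        print("internal URL exposed in response:", url)
```

Run it over captured responses from a staging environment; any hit is a disclosure to fix on the server side, regardless of whether the linked application also happens to allow open registration.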
Thank you for reading :) 😍😁😄
Keep Hunting and Keep Learning ♡