My first Critical Bug
Jun 23, 2021
- Hello everyone, this is my first writeup on Medium.
- I am a cyber security student.
- I like to learn new things in the cybersecurity field, and want to improve myself every day.
- I recently participated in bug bounty programs.
- I usually forget to look at the scope of the program 😅, because of which all the vulnerabilities I reported to the program were considered not applicable 💔.
- Recently I enrolled in a program (example.com), and I started my usual path of finding subdomains; if I find some interesting domain, then I do directory brute forcing on it.
- Then, I found example.com/admin directory and I saw a login page.
- I used default credentials to login into it and it was not successful.
- Then, I looked into the source code, and I did not get anything useful until I noticed a JavaScript file link at the bottom of the source code.
- It was like example.com/admin/xyz/jQuery.js.
- There was no useful information there, but then I tried to move one directory back (example.com/admin/xyz), and it was a 403 page.
- I moved another directory back (example.com/admin), and I saw the dashboard.
- I was admin, even without logging in as one.
- If I directly tried to access example.com/admin, it asked for a password, but if I repeated the previous steps, it did work and I was admin again.
- I did not know why it was happening, and I reported it to the program.
- It was my first Critical bug, and I was excited.
- As usual, it was out of scope, and it was tagged as not applicable :-) :-).
- I decided not to repeat this anymore, and will find more bugs in the future.
- If you know why the application behaved in this way and why this security flaw happened, or if you want to contact me, ping me here: http://twitter.com/abhishek3141Pie