Exploiting Unprotected Functionality to Access User Profiles
- My first step when finding a target to hack is to search for old websites using Google. You can use Google queries to find old web applications. For example, you might try using a query like the one shown in the screenshot:
- These techniques can increase your chances of finding old applications that may have vulnerabilities.
Using this method, I found an application that was indexed by Google in 2019. After specifying the application with the query site:target.com, I discovered more URLs related to the website. One URL caught my attention:
target.com/profile_center.aspx?qs=s4srd4sfd4tsfd5sg5sd5sd5sd5sd5x6f6s55f7s58s5
What happened next surprised me. I was able to access someone’s profile and edit their name, address, email, and description. After this, I used the following Waymore command:
1
waymore -i sub.target.com -mode U -c ~/tool/config/waymore/config.yml -oU sub.target.com.waymore
This helped me gather a list of URLs related to the target, using sources like the Wayback Machine, URLSCAN, and more.
After running:
1
cat sub.target.com.waymore | grep "target.com/profile_center.aspx?qs="
I retrieved six unique values for the qs parameter, giving me access to six different accounts.
This is a case of unprotected functionality, where the app lacks proper access controls. As a result, an attacker could directly access user profile management features simply by navigating to the right URL.
I reported it, and HackerOne analysis marked it as medium ;( because of an unpredictable ID, and I got a $500 bounty.
```