
Exploiting Unprotected Functionality to Access User Profiles

  • My first step when looking for a target to hack is to search for old websites using Google. Google queries (dorks) can surface old web applications that are still online; an example query was shown in a screenshot in the original post.


  • These techniques can increase your chances of finding old applications that may have vulnerabilities.

Using this method, I found an application that Google had indexed in 2019. After narrowing the search to that application with the query site:target.com, I discovered more URLs belonging to the website. One URL caught my attention:

target.com/profile_center.aspx?qs=s4srd4sfd4tsfd5sg5sd5sd5sd5sd5x6f6s55f7s58s5

What happened next surprised me. Without logging in, I was able to open someone else's profile and edit their name, address, email, and description. After this, I ran the following Waymore command:

waymore -i sub.target.com -mode U -c ~/tool/config/waymore/config.yml -oU sub.target.com.waymore

This collected a list of historical URLs for the target from sources such as the Wayback Machine and URLSCAN.

After running:

cat sub.target.com.waymore | grep "target.com/profile_center.aspx?qs="

I retrieved six unique values for the qs parameter, each of which gave me access to a different user's account.

This is a case of unprotected functionality, a form of broken access control: the application never checks that the person requesting profile_center.aspx is authenticated or owns the profile, and treats knowledge of the qs value as sufficient. Because such URLs end up in public archives and search indexes, anyone who finds one can reach the profile management features for that user simply by navigating to it.
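To make the root cause concrete, here is an added example (not code from the original post or the affected application) that models the vulnerable handler beside a hardened one. The Profile class, the sample records and the token values are constructed placeholders; the fix is to require an authenticated session and to enforce that the referenced profile belongs to that session's user, so the qs value becomes a mere reference rather than a credential.

```python
# Added example: broken access control on a profile endpoint vs. the hardened form.
# All names, records and token values below are constructed for illustration.
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Profile:
    owner: str      # username that owns this profile
    name: str
    email: str
    qs_token: str   # the opaque value carried in ?qs=


# Constructed sample data (placeholder tokens, not real values).
PROFILES: Dict[str, Profile] = {
    "u1": Profile("alice", "Alice", "alice@example.com", "tok-alice-0001"),
    "u2": Profile("bob", "Bob", "bob@example.com", "tok-bob-0002"),
}


def update_profile_vulnerable(qs: str, new_name: str) -> bool:
    """Vulnerable pattern: the only 'check' is knowing the qs value.
    No session is required, so anyone who finds the URL (for example in a
    web archive) can edit the profile it points to."""
    for profile in PROFILES.values():
        if profile.qs_token == qs:
            profile.name = new_name
            return True
    return False


def update_profile_hardened(session_user: Optional[str], qs: str, new_name: str) -> bool:
    """Hardened pattern: authenticate first, then authorize against ownership.
    The token is compared in constant time, but it is only a lookup key;
    authorization comes from the server-side session, never from the URL."""
    if session_user is None:
        return False  # would be HTTP 401: no authenticated session
    for profile in PROFILES.values():
        if hmac.compare_digest(profile.qs_token, qs):
            if profile.owner != session_user:
                return False  # would be HTTP 403: not the owner
            profile.name = new_name
            return True
    return False  # would be HTTP 404: no such profile
```

A mismatch between session user and profile owner is also the event worth logging and alerting on, since it is exactly what an archived-URL replay looks like from the server side.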

I reported it, and HackerOne's analysis rated it Medium ;( because the ID is unpredictable, and I received a $500 bounty.


This post is licensed under CC BY 4.0 by the author.