Hello hackers, it's been a while and I haven't written anything about my findings. So, I decided to share one of my more interesting ones. I am not allowed to share the organization's name, so I will use redacted.com as the main domain.
Then I started looking through all the requests to admin.redacted.com in Burp. I noticed an interesting endpoint, /backend/admin/user/user-menu.json, whose Cookie header carried a PHPSESSID along with some extra server-side cookies.
So, I thought, why not try to explore the endpoints /admin/dashboard, /admin/user, /backend and /admin/user/backend using those cookies, and yay, I could see all the details of the admin panel, which exposed sensitive server-side information. I could only reach these pages by forced browsing, i.e. requesting the path directly with the cookies attached; when I tried to navigate there by clicking through the website, I was redirected to the login page again. In other words, the access control was only enforced on the normal navigation flow, and direct requests with the cookies I already had were served.
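To make the class of bug concrete, here is an added example (not code from the write-up or from the affected organization) that models the two behaviours described above: a weak authorization check that treats the mere presence of a known PHPSESSID as "logged in", beside a hardened check that requires every /admin and /backend path to be served only to a session that actually authenticated as an admin. The session store, cookie values and route prefixes are constructed for this example; the only identifiers taken from the write-up are the path names and the PHPSESSID cookie.

```python
"""Server-side access control for admin routes (added example, constructed data).

vulnerable_authorize() reproduces the pattern where a pre-login session cookie
is enough to fetch admin pages by direct request; hardened_authorize() enforces
authentication and role on every admin path, regardless of how it was reached.
"""
import posixpath
from typing import Dict, Optional

# Constructed session store: session id -> attributes. A real deployment would
# read this from the server's session backend, never from the cookie itself.
SESSIONS: Dict[str, Dict[str, Optional[str]]] = {
    "anon-session-abc": {"user": None, "role": None},         # issued before login
    "admin-session-xyz": {"user": "alice", "role": "admin"},  # issued after login
}

# Constructed prefixes; the write-up mentions paths under both /admin and /backend.
ADMIN_PREFIXES = ("/admin", "/backend")
OK = 200
LOGIN_REDIRECT = 302


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw Cookie header ("a=1; b=2") into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def is_admin_path(path: str) -> bool:
    """Normalise first so '/admin/../admin/user' is still recognised as an admin path."""
    clean = posixpath.normpath(path)
    return any(clean == p or clean.startswith(p + "/") for p in ADMIN_PREFIXES)


def vulnerable_authorize(path: str, cookie_header: str) -> int:
    """Weak pattern: a PHPSESSID that the server recognises is treated as logged in."""
    if not is_admin_path(path):
        return OK
    sid = parse_cookie_header(cookie_header).get("PHPSESSID")
    # Bug: an anonymous session handed out before login also passes this test,
    # so a direct request to /admin/dashboard with that cookie is served.
    return OK if sid in SESSIONS else LOGIN_REDIRECT


def hardened_authorize(path: str, cookie_header: str) -> int:
    """Every admin path requires a session that authenticated with the admin role."""
    if not is_admin_path(path):
        return OK
    sid = parse_cookie_header(cookie_header).get("PHPSESSID")
    session = SESSIONS.get(sid) if sid else None
    if session is None or session["user"] is None or session["role"] != "admin":
        return LOGIN_REDIRECT
    return OK


if __name__ == "__main__":
    anon = "PHPSESSID=anon-session-abc; theme=dark"
    admin = "PHPSESSID=admin-session-xyz"
    for path in ("/admin/dashboard", "/backend/admin/user/user-menu.json", "/admin/../admin/user"):
        print(f"{path:40} anon: weak={vulnerable_authorize(path, anon)} "
              f"hardened={hardened_authorize(path, anon)} | admin: hardened={hardened_authorize(path, admin)}")
```

The important design point is that the check lives in one place and runs for every request whose normalised path falls under an admin prefix, so it does not matter whether the request came from a menu click or was typed directly into a proxy. Redirecting to the login page from the UI flow alone, as the affected panel did, is not an access control.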
October 21, 2020 — Reported
October 26, 2020 — Triaged and Bounty awarded
December 10, 2020 — Fixed.
Thanks for reading, I hope you learned something new. Do clap and share if you liked it. I will write up more of my findings soon, so stay tuned for my next write-up.