The bugs: List of weird bugs

Rajan Kshedal
May 27, 2024

Hello hackers,

A bug can be described as a flaw or error in a software program or system that causes it to behave unexpectedly or not as intended by its developers.

Bugs come in different types, such as technical bugs and logical bugs.

Technical bugs are vulnerabilities that arise from flaws in the implementation or design of the software. Common examples include:
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Local File Inclusion (LFI)
- Remote Code Execution (RCE)

Logical bugs, on the other hand, are vulnerabilities that arise from flaws in the logic or behavior of the software rather than from a specific technical implementation. Examples of logical bugs are:
- Authentication Bypass
- Authorization Flaws
- Business Logic Flaws

You can learn more about the bugs mentioned above from PortSwigger and many other resources.

Now, coming to the point: besides these widespread, popular technical and logical vulnerabilities, there are many more weird bugs that are seen in the wild in real-world web applications.

Many beginner bug bounty hunters get easily demotivated and frustrated because they cannot find any technical or logical vulnerabilities, which negatively affects the cyber security journey they are about to begin. That is why I am going to talk about some of the weird bugs that I came across while hunting in different VDPs and BBPs, hoping that it will help new aspiring bug bounty hunters and security researchers like myself find vulnerabilities and kick-start their journey, and also help them mentally.

Verbose error messages

I believe this bug also falls into the logical category. The target was a cloud OS, meaning a type of lightweight software that stores data and provides access to web-based applications from a remote server.

Let's call it target.com. It had very few functionalities, signup and login, but for whatever reason I couldn't sign up on it. I moved to the login functionality and tried some default usernames and passwords to see how it behaved.

I tried admin:admin and got the following response:

{
  "status": "ER",
  "xhtmlcontext": "",
  "instance": "006",
  "error": {
    "errorcode": "4",
    "errornotes": "invalid passwordhash",
    "endpointhelp": "https://docs.target.com/endpoint_logon",
    "id": "0"
  }
}

"invalid passwordhash", huh, that's something. Then I tried asdsada:admin and got the following response:

{
  "status": "ER",
  "xhtmlcontext": "",
  "instance": "003",
  "error": {
    "errorcode": "4",
    "errornotes": "invalid logon",
    "endpointhelp": "https://docs.target.cloud/endpoint_logon",
    "id": "0"
  }
}

There was not much in this, but with this one can enumerate users, valid passwords and so on. I didn't think it was that impactful, but reading their VDP policy, they mentioned "Low Level report that could have a minor impact on confidentiality of the target cloud service". So I thought it was worth reporting and reported it. It was fixed right away, and I got the following response.

I submitted another report mentioning improper firewall implementation and got another reward from them.

Personally Identifiable Information Disclosure Via Notifications

It is claimed to be India's largest storytelling platform, nojoto.com. When I was just starting out in bug bounty hunting, I added this target to my bug bounty directory but could not find anything at that time. While looking through my Google Drive, I came across it again and decided to hunt on it.

This is kind of like TikTok, where people can post short videos and all. One can sign up using OAuth or an Indian number. I tried to sign up with a number and checked whether any rate limiting mechanism was implemented. Sadly, there was rate limiting, and it was user-based rate limiting, meaning that it restricts access based on the user account making the request.

I tried to bypass it using different methods but had no luck, so I signed up using OAuth. Whenever a new account is created, a default notification pops up; it's basically a welcome notification from the official nojoto account. I looked here and there at just the surface level, and while looking through requests and responses in the network developer tool, I saw an endpoint

/api/v1/notifications.php?cid= 

While looking at the response, I was amazed at the information I was getting. It was everything, yes, I mean literally everything: registered number, email, DOB, address, linked social handles, amount of money they have earned, last withdrawn and much more. I was not sure if this was only for nojoto's official account or for other accounts as well. So I created another account A and followed my other account B, and I got another notification in B. Checking the response of that endpoint, I was seeing everything about my account A.
I reported it. I was able to find this bug in less than 15 mins. They surely took their time to reply, but they gave me a beautiful certificate of appreciation. I reported one more bug in it and received another certificate haha.

[Image: certificate of appreciation from nojoto bug bounty]
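
The post does not show the server code, so the following is an added example (not the platform's code) of one common cause of this kind of leak: embedding the whole account record of the acting user in a notification, beside an allow-list serializer and a recursive check that can be run against API responses in tests. The field names and the sample record are constructed.

```python
# Constructed account record; field names are assumptions modelled on the
# kinds of data the post lists (number, email, DOB, address, earnings).
ACCOUNT_A = {
    "id": 101,
    "username": "account_a",
    "avatar_url": "https://cdn.example.test/a.png",
    "phone": "+91-0000000000",
    "email": "a@example.test",
    "dob": "1990-01-01",
    "address": "constructed address",
    "earnings": 1234.5,
    "last_withdrawal": "2024-01-01",
}

PUBLIC_ACTOR_FIELDS = ("id", "username", "avatar_url")
SENSITIVE_KEYS = {"phone", "email", "dob", "address", "earnings", "last_withdrawal"}

def notification_overexposed(actor: dict, verb: str) -> dict:
    """Leaky pattern: the whole account row is embedded in the response."""
    return {"type": verb, "actor": actor}

def notification_minimal(actor: dict, verb: str) -> dict:
    """Allow-list: only fields the recipient's UI needs; new columns stay private by default."""
    return {"type": verb, "actor": {k: actor[k] for k in PUBLIC_ACTOR_FIELDS if k in actor}}

def find_sensitive_keys(payload, path="") -> list:
    """Recursively list paths of sensitive keys in a JSON-like response (for API tests)."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return hits
```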

Sensitive Information Disclosure via Directory Listing

This is a renowned university located in the USA. Let's call it target.com. While looking for bugs in it, I couldn't find anything. It was a WordPress website.
It had everything intact for countering security issues: proper input sanitization, CSRF tokens, rate limits. I wanted to see if its origin IP used the same technology. So I used my Shodan extension and clicked on the IP.
I was able to see all the source code of the WordPress site, including config files which contained the DB username and password.

[Image: directory listing of source code]

I reported this to the concerned authority and got the following response.

[Image: response]

That’s it haha.

Stored Cross Site Scripting

This is not so weird but a popular technical bug. Yes, you are correct. XSS requires very good knowledge of JavaScript to craft a payload, but sometimes a simple payload can work like a charm as well.

Let's call our target target.com. It is a company that develops digital learning tools. It had pretty much everything, but not properly configured. While creating an account, I put the following payload in every possible input field:

"><img src=x onerror=alert('xss')>

After creating the account, I refreshed the main domain once again and got the login option. I clicked on it and then got the alert box.

It was an easy bug, and I had already reported another bug to them, but their response was not very appealing. So I didn't try to chain or leverage the XSS. I reported it to them and they considered it medium; for medium reports they didn't provide any reward. I didn't try to argue or anything because of their delay in response, and just left it as it is.

[Image: response]

Source Code Disclosure via Exposed .git

Let's call it target.com as well. Here, a git extension helped me find it. I was surfing the website and got a hit in the git extension. I fired up git-dumper and dumped everything from it, and got the following result:

[Image: git exposed source code]

I reported it, but I have not got any response from them. Whatever haha
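
Both the directory-listing finding and the exposed .git finding come down to files sitting under a served document root that should never have been deployed there. As an added example (not from the original post), this Python function audits a local webroot before deployment and reports repository metadata, config backups and dumps; the blocked-name lists are assumptions to adapt to your own stack.

```python
import os

# Names that should never be reachable under a served document root.
# These lists are assumptions for this example; extend them for your stack.
BLOCKED_DIRS = {".git", ".svn", ".hg"}
BLOCKED_FILES = {"wp-config.php.bak", "wp-config.php~", "wp-config.old", ".env"}
BLOCKED_SUFFIXES = (".sql", ".bak", ".swp")

def audit_webroot(root: str) -> list:
    """Return sorted relative paths under `root` that would expose source or secrets if served."""
    findings = []
    for current, dirs, files in os.walk(root):
        for d in list(dirs):
            if d in BLOCKED_DIRS:
                rel = os.path.relpath(os.path.join(current, d), root)
                findings.append(rel.replace(os.sep, "/") + "/")
                dirs.remove(d)  # do not descend into repository metadata
        for f in files:
            if f in BLOCKED_FILES or f.endswith(BLOCKED_SUFFIXES):
                rel = os.path.relpath(os.path.join(current, f), root)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)
```

Run it in the deployment pipeline and fail the build on a non-empty result; on the server side, directory listing should also be disabled on every host that serves the site, including the origin behind a CDN.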

Filling up server space with unwanted emails

While analyzing JavaScript source code, I found a function for submitting all the contact form data to a server. The function included the base URL of the server.

[Image: js function]

I created a curl command to test whether I could send the email or not.

[Image: curl command]

I got the following response.

[Image: response]

I am not sure if this will be considered a valid bug or not; let me know in the comments. I just want to show you that analyzing JS files can help you find different bugs.

I have many more, but I think this is it for today. It is already very long. I hope this blog will help you while starting your journey in bug bounty.
That's all for today. Happy hacking, keep hunting ❤
