How I found my first $100 Bug bounty by just doing recon.

Dostain Baloch
3 min read, Feb 13, 2023


Hey everyone,

I am Dostain Aslam Baloch, and today I’m going to share the story of my first bug bounty.

The vulnerability I found is known as:

Text-Based Injection: Text injection, or text-based injection (TBI), is an injection flaw in which user input is reflected verbatim in the application response as plain text. It is one way to perform content spoofing (also called content injection or virtual defacement), which can be used in phishing attacks.

An application is susceptible to text-based injection when it fails to properly validate and sanitize user-supplied input. An attacker can then supply crafted content, typically through a parameter value or the URL, and that input is reflected back to the user as part of the page, appearing to originate from the trusted domain. This can result in severe security consequences, such as theft of sensitive information, unauthorized actions, and potential compromise of the application and underlying systems.

Attack Type: Client-Side Vulnerability

Severity: Low

When performing an audit for text-based injection vulnerabilities, it is important to look for the following indicators:

  1. Reflection of user-supplied input in the page response, either through a parameter or directly in the URL.
  2. Use of the “Content-Type: text/plain” header.
  3. Presence of default error pages generated by the application.

By paying attention to these key indicators, text-based injection can be efficiently identified and addressed.
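The URL in this write-up has a `callback` parameter, which is the shape of a JSONP endpoint. The following is an added example (not the author's code and not the target application's code) that models such an endpoint in plain Python: a handler that reflects the callback name verbatim as `text/plain`, the hardened form that only accepts JavaScript identifiers and never echoes rejected input, and an audit check for the first two indicators listed above (verbatim reflection plus a `text/plain` content type). The function names, the JSON body and the handler structure are assumptions for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed sample input: the kind of spoofed notice the article describes.
SPOOF_PAYLOAD = "example.com__has__been__moved_to::[attacker.com]"

# Hypothetical JSON payload that the endpoint wraps in the callback.
JSON_BODY = '{"hasCustomSaml": false}'

# Allowed callback names: dotted JavaScript identifiers (cb, jQuery123, app.cb).
# Spaces, brackets, colons and other punctuation are rejected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# (status code, headers, body)
Response = Tuple[int, Dict[str, str], str]


def vulnerable_handler(callback: str) -> Response:
    """Reflects the callback parameter as-is in a text/plain response (the behaviour described)."""
    body = f"{callback}({JSON_BODY});"
    return 200, {"Content-Type": "text/plain"}, body


def hardened_handler(callback: str) -> Response:
    """Validates the callback name; invalid values get a generic error and are never reflected."""
    if not CALLBACK_RE.fullmatch(callback):
        headers = {
            "Content-Type": "application/json",
            "X-Content-Type-Options": "nosniff",
        }
        return 400, headers, '{"error":"invalid callback"}'
    headers = {
        # Declare the real type of the response and stop MIME sniffing.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, f"{callback}({JSON_BODY});"


def reflects_as_text(param_value: str, response: Response) -> bool:
    """Audit check: is the supplied value echoed verbatim in a text/plain response?"""
    _status, headers, body = response
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return param_value in body and content_type == "text/plain"


if __name__ == "__main__":
    print("vulnerable reflects payload:",
          reflects_as_text(SPOOF_PAYLOAD, vulnerable_handler(SPOOF_PAYLOAD)))
    print("hardened status for payload:", hardened_handler(SPOOF_PAYLOAD)[0])
    print("hardened body for valid name:", hardened_handler("cb")[2])
```

The fix is an allowlist on the callback name rather than escaping: a callback is a code identifier, so anything that is not an identifier has no legitimate use and should simply be refused, and the refusal response must not contain the rejected value. Setting the correct `Content-Type` and `X-Content-Type-Options: nosniff` removes the `text/plain` indicator as well.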

Proof of Concept

During my reconnaissance and fuzzing efforts, I stumbled upon an intriguing URL with a parameter that caught my attention. I decided to test for potential XSS and HTML injection vulnerabilities by injecting malicious payloads into the parameter. To my surprise, the payloads were not reflected back in the usual manner, but instead, they were printed as plain text within the page. This discovery was a turning point in my assessment, as it indicated a potential vulnerability in the application’s handling of user input.

This is the URL, followed by the injected callback value:

https://app.example.com/API/Public/Login/HasCustomSAML/web?callback=text

web?callback=example.com__has__been__moved_to::[attacker.com]

As you can see in the screenshot below, it can be used for phishing other users.

After submitting it I got an email.

Thank you for reading. This is my first article, and it was fun to write. I hope you liked it and I hope it helps you find your own first bounty.
