Hello everyone! My name is Aditto Khandaker. I am a Penetration Tester, Security Researcher and, most importantly, an ethical hacker. My job is to find vulnerabilities and loopholes in a website or network infrastructure and report them to the authorities for a fix so that others cannot take advantage of them. Sometimes I also help developers fix the bug by explaining why it is a bug and how it works. It's a collaborative effort, you know. This is my first job as a cyber security professional. Before this I was a regular CTF player (I still am) and knew the basics of web application testing, network testing and some Python and bash scripting. Since joining I have learnt a lot. The advantage of working in a company like mine is that I got to know a web application infrastructure inside out, and the perspective of the other side of an application, basically the complete life cycle of developing an application. I have a colleague who helped me a lot on this journey. He is a pro hacker and very helpful to others. We have found many Critical, High, Medium and Low vulnerabilities together on this journey.
In the first few months I focused on learning the basics of web application vulnerabilities, as I had little idea about them. I spent most of my time understanding SQL injection, Cross-Site Scripting, business logic and access control bugs. I tried to learn them from the core and understand why they work. After some study I spent time trying to find bugs on the projects assigned to me, and when I got my first bug there was a dopamine rush in my brain. It was an IDOR (Insecure Direct Object Reference) bug where I could change any user's profile by changing my id to their id. After that I started enjoying this job and continued to apply what I had learnt. Also, in breaks, I held a security session with all the developers about how we find a bug, exploit it and secure it from hackers. We also created a cheat sheet for developers and Quality Assurance engineers to follow when coding or testing the applications. Sometimes it was frustrating, but I still enjoyed the process. So far I have worked on many high-profile government projects, found many P1 vulnerabilities on their platforms and helped them mitigate them successfully. Almost a year has passed and I didn't realize how fast time flies. Recently I started bug bounty to test my skills in the wild. I don't have that much time to spend, so I tried VDPs (Vulnerability Disclosure Programs) and found bugs on the U.S. Department of State, CAT and Arrow Inc on Bugcrowd and HackerOne. I am still trying to get better and enhance my skills. Here is a list of the bugs I have found throughout this 1 year. I have only listed High, Critical and some Medium bugs below.
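To make the IDOR pattern mentioned above concrete, here is an added example (my illustration, not code from the author or any of the projects listed). It models a profile-update handler over a constructed in-memory user store: the vulnerable version authenticates the caller but then picks the row to update from the `id` the client sends, so a logged-in user can overwrite anyone's profile by substituting another id; the hardened version takes the target from the authenticated session and rejects a body `id` that does not match it. All names here (`User`, `USERS`, `SESSIONS`, the handler names and the sample tokens) are assumptions made for the example.

```python
"""Added illustration of an IDOR on a profile-update endpoint (example code,
not the author's). Users, sessions and tokens below are constructed data."""
from dataclasses import dataclass, replace
from typing import Dict


@dataclass
class User:
    id: int
    email: str
    display_name: str


# Constructed sample data: two users and a session table mapping tokens to ids.
USERS: Dict[int, User] = {
    1001: User(1001, "alice@example.test", "Alice"),
    1002: User(1002, "bob@example.test", "Bob"),
}
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not authorized."""


def _user_from_session(token: str) -> int:
    """Authentication only: resolve a session token to the caller's user id."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("not authenticated")


def update_profile_vulnerable(token: str, body: dict) -> User:
    """IDOR: the caller is authenticated, but the row to update is chosen by
    the client-supplied `id`. No check ties that id to the caller."""
    _user_from_session(token)              # proves someone is logged in...
    target = USERS[int(body["id"])]        # ...but trusts the id from the body
    USERS[target.id] = replace(target, display_name=body["display_name"])
    return USERS[target.id]


def update_profile_fixed(token: str, body: dict) -> User:
    """Hardened: the target row comes from the session, never from the body.
    If the API must accept an id at all, it is compared against the session."""
    caller_id = _user_from_session(token)
    requested = body.get("id")
    if requested is not None and int(requested) != caller_id:
        raise Forbidden("cannot modify another user's profile")
    target = USERS[caller_id]
    USERS[caller_id] = replace(target, display_name=body["display_name"])
    return USERS[caller_id]


def demo() -> dict:
    """Bob (tok-bob) submits id=1001 to rename Alice, against both handlers."""
    attack = {"id": 1001, "display_name": "pwned"}
    result = {}
    # Vulnerable handler: Alice's display name is overwritten by Bob.
    result["vulnerable_victim_name"] = update_profile_vulnerable(
        "tok-bob", attack).display_name
    USERS[1001] = replace(USERS[1001], display_name="Alice")  # restore
    # Fixed handler: the mismatch between body id and session id is refused.
    try:
        update_profile_fixed("tok-bob", attack)
        result["fixed_blocked"] = False
    except Forbidden:
        result["fixed_blocked"] = True
    result["victim_after_fix"] = USERS[1001].display_name
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the fix is not input validation but object-level authorization: every handler that touches a row keyed by an identifier must derive or verify that identifier from the authenticated principal, which is also the check a developer cheat sheet for IDOR should spell out.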
Critical:
1) Remote Code Execution via Image Upload function
2) Remote Code Execution on /picture path
3) SQL Injection Vulnerability in the "REDACTED_id" Parameter
4) Remote Code Execution on Profile Picture upload option
5) Exposure of Sensitive Information - Admin Panel Bank Account APIs at /set_api_keys path
6) 403 Bypass Vulnerability in Admin Panel
7) OTP Bypass via Brute Force on Password Reset leading to Account Takeover
8) Stored Cross-Site Scripting (XSS) on "/requisition-panel" endpoint
9) Stored Cross-Site Scripting (XSS) on "REDACTED/work-log" function
10) Unrestricted Access to Backend Source Code publicly accessible
11) PII (Personally Identifiable Information) Leakage on /REDACTED/loadStudents endpoint
High:
12) Accessing backend source code via /porcess-datatable path
13) Reflected Cross-Site Scripting (XSS) vulnerability on the page /print.php function
14) Stored Cross-Site Scripting (XSS) on /my-applications endpoint
15) IDOR Discloses PII Information via /reference/* endpoint
16) IDOR Discloses sensitive Information via /transId=REDACTED endpoint
17) IDOR Discloses sensitive Information via /view/REDACTED endpoint
18) IDOR Discloses sensitive Information via /123/edit endpoint
19) Sensitive User Data Exposure via API
20) Insecure Direct Object Reference (IDOR) Discloses PII information on /youths/582996 endpoint
21) Personally Identifiable Information (PII) Leakage on /forward endpoint
22) IDOR Discloses sensitive Information via /employee/REDACTED endpoint
23) Mobile Number Verification Bypass via OTP Brute Force
24) PII (Personally Identifiable Information) Leakage on /REDACTED/loadStudents endpoint
25) Sensitive Access token disclosure on publicly available endpoint
26) Unauthorized disclosure of personally identifiable information (PII) within https://Host?campus_id=1&shift_id=1&medium_id=1&class_name_id=2&section_id=3&session_id=7 endpoint
27) Access control not implemented and Sensitive Data Access via hidden server
28) Unauthorized DNS Zone Transfer
Medium:
29) Lack of Rate Limiting on /forgot-password endpoint
30) Cross-Origin Resource Sharing (CORS) Misconfiguration on www.host.redacted.bd
31) Sensitive File Disclosure in ?C=D;O=A path
32) Forgot Password Rate Limit Not Implemented
33) Stored Cross-Site Scripting (XSS) on /faqs endpoint
34) Reflected Cross-Site Scripting (XSS) vulnerability on cookie parameter
35) No Rate Limit on OTP send
36) Unrestricted File Upload (SVG, HTML) Content Attachment
37) No Rate Limit on /password-reset endpoint
38) Information Disclosure of Deployed Services via https://REDACTED/services endpoint
39) 'gc' disable_functions Bypass via vulnerable PHP Version 7.0.33
40) Information Disclosure via https://host/notices/295/show path
41) Unprotected Web Configuration File at /web.config path
and many more...
I will release some write-ups about how I found the critical bugs and which methodology I used.
If you have any questions you can DM me on Twitter. Till then... Happy Hacking!!
