500$ Bounty in just 5 minutes through Recon!!!!

Hello Security folks, Here is interesting finding which I want to share. As you know i only write if it’s unique finding or if my approach gives some better result. Here is my Twitter and Linkedin.

As you know everyone does recon on their target. Maximum time the recon process/flow is same for everyone.

The recon flow goes like :-

subdomain enumeration through (amass, subfinder, crtsh, etc.) →→→→→ getting live subdomains through httpx →→→→→ then running scanners like nuclei, ffuf, etc

Based on the flow that i just described, many folks gets duplicates which simply reduce their reputation (on HackerOne).

Main Story :-

So i did my recon with my custom bash (mostly same process as described earlier) and i didn’t got any success. We often read source code as our next step. I am too lazy to read all the source code so i simply ran secretfinder tool, which many times gives false positive. But after running secretfinder on all of my live subdomains, i got multiple amazon aws urls which were false positive but one amazon url caught my attention.

As soon as i hit the url in browser, i got access denied. I thought it’s safe since we were getting access denied message.

I randomly thought of accessing the subdomain without any path and guess what, the subdomain threw classic error “No Such Bucket”. I immediately logged into aws console and created bucket and i was able to perform subdomain takeover.

Report sent, bounty received in 1 day !!!

The most important thing to remember is that while the recon flow is often the same for most bounty hunters, this does not guarantee that you will receive duplicate information. A little bit of extra labour can yield excellent results.



Security Ananlyst.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store