
Don't Ignore jpg files in Bug Bounty | $700 Rewarded

You could be losing a lot of money

By Dani Ferraz. Published about a year ago. 3 min read
Photo by JC Gellidon on Unsplash

For some time now, I have dedicated myself completely to working as a Bug Hunter on platforms such as HackerOne, Bugcrowd and Intigriti.

That's why I decided to share some of my experiences on this blog. I'm always open to questions about information security that help improve everyone's knowledge.

I'm always learning more and more from what I read here and elsewhere, where we can find detailed information on how to improve the way we work.

I am a fan of textual learning, because I feel that I can pass on more details of what I am doing; in a few cases I watch videos related to the topic. From today I will be dedicating part of my time to contributing to the information security community, and so also to pinning down everything I've learned on my Bug Bounty journey over the years.

Ever since I started doing bug bounty, I've always seen videos on YouTube where researchers activated filters in Burp Suite to ignore jpg, png, ttf, woff and other files.

So I started thinking about what kind of vulnerabilities these requests could contain. Since most researchers ignore them, it would be interesting to think outside the box and look for new ways to analyze these requests.

So I took the filters out of my Burp Suite proxy and started digging a little deeper, navigating the site manually, clicking every button I came across and testing every feature, as I always do during my vulnerability research.

After a while, I realized that there was an option for the user to keep private photos in a kind of directory, so I thought of testing to see if I could somehow access the content of other users. Since they are private photos, they should not be accessible to other unauthorized users, nor to anyone who was not logged into the site.

Just then I started noticing a random number with the .jpg extension.

It was then that in a private program I came across something different than usual.

https://target.com/private/album/25634789595678.jpg

First I tried to change the name of the .jpg files without being logged in to the website, but I was unsuccessful: a 403 Forbidden code was returned.

Being logged in with my username and password, changing the numbers manually was taking too long, so I did a brute force using Burp Suite to speed up this process. Only after some time did I manage to get a 200 OK code, indicating that a valid filename with that randomly generated number had been found.

It was a bit difficult to find a valid number through brute force, but I was rewarded with $700 for a medium-severity finding.
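The flaw described above is a missing ownership check: the server verifies that a session exists (hence the 403 when logged out) but not that the requested photo belongs to that session's user. The following is an added example, not code from the original post or the affected site, modelling the vulnerable handler beside a fixed one and a simple log-based check for id guessing; the photo store, user names and log format are constructed.

```python
from collections import Counter

# Constructed sample store: photo filename -> owning account.
# The first id is the one quoted in the post's example URL.
PHOTOS = {
    "25634789595678.jpg": "alice",
    "25634789595679.jpg": "bob",
}

def serve_private_photo_vulnerable(session_user, photo_id):
    """Bug as described in the post: only authentication is checked
    (anonymous callers get 403); ownership is never verified, so any
    logged-in user who hits a valid id gets 200 and the photo."""
    if session_user is None:
        return 403, None
    if photo_id not in PHOTOS:
        return 404, None
    return 200, f"<bytes of {photo_id}>"

def serve_private_photo_fixed(session_user, photo_id):
    """Hardened: the photo must belong to the requester. Foreign and
    unknown ids both return 404 so the status code does not reveal
    which ids exist."""
    if session_user is None:
        return 403, None
    if PHOTOS.get(photo_id) != session_user:
        return 404, None
    return 200, f"<bytes of {photo_id}>"

def enumeration_suspects(log_lines, threshold=5):
    """Detection: a logged-in account collecting many 404s under
    /private/album/ is guessing ids. The log format is constructed:
    'user=<name> path=<path> status=<code>'."""
    misses = Counter()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        if fields["path"].startswith("/private/album/") and fields["status"] == "404":
            misses[fields["user"]] += 1
    return sorted(u for u, n in misses.items() if n >= threshold)

# Constructed log sample: mallory probes six ids, alice fetches her own photo.
SAMPLE_LOG = [f"user=mallory path=/private/album/{i}.jpg status=404" for i in range(6)] + [
    "user=alice path=/private/album/25634789595678.jpg status=200",
]

if __name__ == "__main__":
    print(serve_private_photo_vulnerable("mallory", "25634789595678.jpg")[0])  # 200: the bug
    print(serve_private_photo_fixed("mallory", "25634789595678.jpg")[0])       # 404
    print(enumeration_suspects(SAMPLE_LOG))  # ['mallory']
```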

After that I started to look carefully at places that most researchers usually ignore, and I was positively surprised in most cases.

That's why we should keep in mind that blindly following what the majority thinks is right can make you miss out on great reward opportunities.

A good tip for this specific type of flaw is to look for companies that have features that make images, videos and other files private: files that are generally considered harmless in terms of security, but which must have access restrictions.

There are also images containing QR codes with sensitive information that may have access-restriction problems; these QR codes can be for password recovery or other types of authentication, which makes the report even more severe.

Don't forget to also check which image bank the company uses, because through it you may have access to unauthorized images and thus report more access failures. Sometimes, due to a misconfiguration by the developer, access permissions are open to the public, allowing everyone to access the files.


About the Creator

Dani Ferraz

I'm a Brazilian girl, full time Bug Hunter, Cyber Security lover, learning every day.
