Power of Your Own Wordlist — Fuzz for Log File Leads to Information Leakage
This is another story of a recent finding of mine involving sensitive information leakage. The target is a big hotel and resort group that operates in more than 10 countries around the world. As I am not allowed to disclose the details, I will use redacted.com as the target site, and all parameters and directories shown in the passage below are made up.
This passage is mainly about how I used my own wordlist to find this sensitive endpoint and how you can make a wordlist of your own. So, let's begin:
Recon
During the recon stage, I found a subdomain called api.redacted.com. I tried to access api.redacted.com, but it returned 404. That aroused my interest in what the subdomain might contain, so I decided to fuzz this subdomain's main endpoint using ffuf.
Fuzzing
In case you are not familiar with ffuf, you may refer to my previous story about it. I then fuzzed the endpoints of this subdomain like this:
ffuf -u https://api.redacted.com/FUZZ -w wordlist.txt
I currently maintain a bunch of wordlists myself. Most of them are recorded from my previous research work. In one of the wordlists for sensitive information disclosure, I found that the endpoint below returned 200: