
Power of Your Own Wordlist — Fuzz for Log File Leads to Information Leakage

MikeChan
Oct 9, 2021



This is another story about a recent finding of mine: a sensitive information leak. The target is a large hotel and resort group that operates in more than 10 countries worldwide. As I am not allowed to disclose the details, I will use redacted.com as the target site, and all parameters and directories shown in the passage below are made up.

This post is mainly about how I used my own wordlist to find this sensitive endpoint, and how you can build a wordlist of your own. So, let's begin:

Recon

During the recon stage, I found a subdomain called api.redacted.com. I tried to access api.redacted.com, but it returned a 404. That still made me curious about what the subdomain might contain, so I decided to fuzz the subdomain's base path using ffuf.

Fuzzing

In case you are not familiar with ffuf, you may refer to my previous story about it. I then fuzzed the endpoints of this subdomain like this:

ffuf -u https://api.redacted.com/FUZZ -w wordlist.txt

I currently maintain a bunch of wordlists myself. Most of their entries are recorded from my previous research work. With one of the wordlists for sensitive information disclosure, I found that the endpoint below returned 200:

api.redacted.com/wp-content/uploads/api-v1.log

When I opened the URL, it showed something like this:

This page disclosed thousands of messages that customers had sent to the website for enquiries. The messages contained the customers' names, email addresses, phone numbers, etc. So, I quickly reported this issue to the site.
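The root cause of the finding above is a backend log written into a directory the web server serves as static files. As an added example (not code from the original post), the script below is the check a site owner can run against a local copy of the web root to catch such files before anyone fuzzes for them. The directory tree it builds is constructed sample data; the extension set is an assumption you should extend for your own stack. `wp-content/debug.log` is the default location WordPress writes to when `WP_DEBUG_LOG` is enabled, which is why it is included in the sample.

```python
"""Audit a local copy of a web root for logs, dumps and backups that a web
server would happily serve over HTTP. Added example, not code from the post;
the directory tree built by build_demo_webroot() is constructed sample data."""
import os
import tempfile
from pathlib import Path

# File types that have no business being reachable over HTTP (assumed set; extend it).
SENSITIVE_EXTENSIONS = {".log", ".sql", ".bak", ".old", ".env", ".zip", ".tar", ".gz"}
# Dot-files have no suffix in pathlib terms, so match them by full name.
SENSITIVE_NAMES = {".env", ".htpasswd"}


def is_sensitive(path) -> bool:
    """True if the file name (str or Path) looks like a log, dump or backup.

    All suffixes are checked, not just the last one, so rotated logs such as
    api-v1.log.1 and compressed dumps such as db.sql.gz are caught too.
    """
    path = Path(path)
    if path.name.lower() in SENSITIVE_NAMES:
        return True
    return any(s.lower() in SENSITIVE_EXTENSIONS for s in path.suffixes)


def find_exposed_files(webroot) -> list[str]:
    """Walk the web root and return web-relative paths of sensitive files, sorted."""
    webroot = Path(webroot)
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            full = Path(dirpath) / fname
            if is_sensitive(full):
                findings.append(full.relative_to(webroot).as_posix())
    return sorted(findings)


def build_demo_webroot() -> Path:
    """Create a throwaway WordPress-like tree with three exposed files (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    uploads = root / "wp-content" / "uploads"
    (uploads / "2021" / "10").mkdir(parents=True)
    # A backend log dropped into the uploads folder, like the one in the post.
    (uploads / "api-v1.log").write_text(
        "2021-10-09 10:00:01 INFO enquiry name=Jane Doe email=jane@example.com\n"
    )
    # Where WordPress writes its debug log when WP_DEBUG_LOG is on.
    (root / "wp-content" / "debug.log").write_text("PHP Notice: sample\n")
    # An environment file left at the web root.
    (root / ".env").write_text("DB_PASSWORD=sample\n")
    # Ordinary media that should be served; must not be flagged.
    (uploads / "2021" / "10" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "catalog.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel in find_exposed_files(demo):
        print(f"EXPOSED: /{rel}")
```

Run it against the real document root on a staging copy rather than the demo tree, and treat every hit as either a file to delete or a location to block at the web server. Matching on every suffix rather than only the last one is deliberate: log rotation and compression are exactly how a `.log` file ends up looking like something else.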

Making your Own Wordlist

So, I guess many of you have used wordlists when fuzzing a web app's endpoints. However, most people just blindly download their wordlists from public sources, which always leads to duplicate bugs. So, making your own wordlist is crucial to your bug hunting journey.
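The post describes keeping wordlists built from paths recorded during earlier work. As an added example (not code from the original post), the script below turns such notes into a deduplicated wordlist in the one-entry-per-line form that `ffuf -w` reads. `SAMPLE_NOTES` is constructed data in the style of such notes; the ordering rule (most frequently seen paths first) is my own choice, not something the post specifies.

```python
"""Turn paths noted during previous work into a deduplicated fuzzing wordlist.
Added example, not code from the post; SAMPLE_NOTES is constructed data."""
from collections import Counter
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample of the notes a tester keeps: full URLs, bare paths, comments.
SAMPLE_NOTES = """\
# endpoints seen in earlier engagements (constructed sample)
https://api.redacted.com/wp-content/uploads/api-v1.log
https://shop.example.test/wp-content/uploads/api-v1.log?page=2
/admin/backup/db.sql
/admin/backup/
/.env
https://example.test/static/js/app.js
"""


def path_entries(line: str) -> list[str]:
    """Expand one URL or path into entries: every directory prefix plus the file.

    Scheme, host, query string and fragment are dropped so the entries can be
    reused against any host. Blank lines and '#' comments yield nothing.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if "://" in line:
        path = urlsplit(line).path
    else:
        path = line.split("?", 1)[0].split("#", 1)[0]
    parts = [p for p in path.split("/") if p]
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def build_wordlist(notes: str) -> list[str]:
    """Deduplicate entries and order them by how often they were seen, then by name.

    Paths that kept showing up across earlier targets are the ones most worth
    trying first, so they go to the top of the list.
    """
    counts = Counter()
    for line in notes.splitlines():
        counts.update(path_entries(line))
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [entry for entry, _ in ordered]


def write_wordlist(entries: list[str], out: Path) -> int:
    """Write one entry per line (the format ffuf -w expects); return the entry count."""
    out.write_text("\n".join(entries) + "\n")
    return len(entries)


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_NOTES)
    n = write_wordlist(words, Path("my-wordlist.txt"))
    print(f"wrote {n} entries; top five: {words[:5]}")
```

Keeping every directory prefix as its own entry is what makes the list useful for the recursive style of fuzzing in the post: `wp-content`, `wp-content/uploads` and `wp-content/uploads/api-v1.log` all become candidates, so a hit on an intermediate directory is not lost just because the full path differs between targets.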


Written by MikeChan

Cybersecurity, part-time bug bounty hunter. Support me by subscribing: https://mikekitckchan.medium.com/membership. Ping me for online private tutoring.
