How I was able to get appreciation from a website's organization just by changing a sign!

Hi there! This write-up is for beginners who are into bug bounties and are searching for new ways of finding vulnerabilities. This was my approach, so let's start.

The vulnerable website, using a placeholder domain, was: https://example.com/index.html/

Using an index.html page is normal. So I loaded the website, intercepted it in Burp Suite and used Burp Suite's “Spider” function.

I saw that there was a webpage loading as https://example.com/hello.txt~/ (this symbol is known as a delimiter).

This was quite suspicious. Then an idea came to me: “replace the extension with the symbol”. So I replaced “hello.txt~” with “hello~.txt”.

Nothing happened!

Next, I changed “hello.txt” to “hello~”.

Nothing happened!

I thought there was no vulnerability, and that it was reasonable at this point to not report anything.

Then, before closing the website, I went through the technologies it used with “Wappalyzer”: https://www.wappalyzer.com/

While going through it, I saw that “https://example.com/index.html” was referenced as “https://example.com/index.html~/” in the page source code. Source code disclosure!

I took the page source seriously, replaced index.html with just “index~” and hit the Enter key.

And there I got source code disclosure of the website and learned about the SQL queries working at the back end, which was a complete “Sensitive Information Disclosure”.

It earned me appreciation for finding a new type of vulnerability on the platform.

Tip: use special symbols (~, !, @, #, $, % etc.) only when the page's source code shows they are accepted; otherwise it will be a waste of time.
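The disclosure above comes from a leftover backup copy (index~, index.html~) sitting inside the web root, where the server serves it as plain text. As an added example that is not part of the original post, here is a small Python audit a site owner can run against a deployed web root to list such leftovers before they become reachable; the suffix list and the constructed sample file names are assumptions.

```python
"""Audit a deployed web root for editor backup and swap files (index~, index.html~,
.index.html.swp, config.php.bak ...) that a static file server would serve as
plain text, disclosing source. Added example; the suffix list is an assumption."""
import os
import re
import shutil
import tempfile
from typing import List

# Suffixes commonly left behind by editors and deploy tools (assumed, not exhaustive).
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".old", ".save", ".swp", ".swo", ".tmp")
# Vim swap files (.name.swp) and Emacs autosave files (#name#).
SWAP_RE = re.compile(r"^(\.[^/]+\.sw[a-z]|#.+#)$")


def is_backup_artifact(name: str) -> bool:
    """True if a bare file name looks like a leftover backup or swap file."""
    base = os.path.basename(name)
    return bool(SWAP_RE.match(base)) or any(base.endswith(s) for s in BACKUP_SUFFIXES)


def find_backup_artifacts(root: str) -> List[str]:
    """Walk a directory tree and return the relative paths (always '/' separated)
    of backup artifacts, sorted so two audits of the same tree can be diffed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_backup_artifact(f):
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def audit_constructed_webroot() -> List[str]:
    """Build a throwaway web root with constructed sample files and audit it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        for rel in ("index.html", "index~", "hello.txt", "hello.txt~",
                    "js/app.js", "js/app.js.bak", "inc/.db.php.swp"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_backup_artifacts(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    for hit in find_backup_artifacts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it against the real document root (or wire it into the deploy pipeline) and treat any hit as a file to delete, not just to block at the web server.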

— — — ======— H@ppY_H@ck1nG —======== — — —

ASE | Pen-tester | Cyber Security consultant | Coder

Fardeen Ahmed