How I was able to get appreciation from the organization of a website just by changing a sign!

Hi there. This write-up is for beginners who are into bug bounties and are searching for new ways of finding vulnerabilities. This was my approach, so let’s start.

The vulnerable website was, as an example :

It was normal for it to use the index.html page. So I took the website, intercepted it in Burp Suite and used the “Spidering” function in Burp Suite.

I saw that there was a webpage loading as : (This letter/symbol is known as a delimiter.)

This was quite suspicious. Then a thought came to me: “Replacing extensions with symbol”. So I replaced “hello.txt~” with “hello~.txt”.

Nothing happened…!!!!!!

Now I went on to change “hello.txt” to “hello~”.

Nothing happened…!!!!!!

I thought that there was no vulnerability and that it was quite decent now to “Not Report any vulnerability”.

Then, before closing the website, I went through the technologies used in the website using “Wappalyzer”:

While going through, I saw that “” loads as “” in the page source code.

Source Code Disclosure.

I took the website page code seriously, replaced index.html with just “index~”, and hit the Enter key.

And there I was able to get source code disclosure of the website and get to know about the SQL queries working at the back… which was a complete “Sensitive Information Disclosure”.

It fetched me appreciation for finding a new type of vulnerability on the platform.

Tip: Use the special symbols (~, !, @, #, $, %, etc.) only when there is acceptance of them in the source code of the page; otherwise it will be a waste of time.
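
A defender-side check for the leftover files described in this write-up, as an added example that is not part of the original post: it walks a web document root on disk, lists editor backup files such as “index~” or “hello.txt~”, notes which live file each one shadows, and flags those containing server-side code or SQL. The suffixes other than “~”, the content markers and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# "~" is the suffix from this write-up; the other suffixes are assumed common leftovers.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig")
# Assumed markers for server-side code or SQL inside a leftover file.
SENSITIVE = re.compile(
    rb"<\?php|<%|\b(?:SELECT|INSERT|UPDATE|DELETE)\b.+\b(?:FROM|INTO|SET)\b", re.I)

def is_backup(name):
    return any(name.endswith(s) and name != s for s in BACKUP_SUFFIXES)

def find_backup_files(docroot):
    """Return (relative path, live sibling or None, has sensitive markers) per leftover."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        live = sorted(n for n in files if not is_backup(n))
        for name in sorted(n for n in files if is_backup(n)):
            suffix = next(s for s in BACKUP_SUFFIXES if name.endswith(s))
            stem = name[:-len(suffix)]
            # "index~" drops the extension, so also match live files named "<stem>.<ext>".
            sibling = next(
                (n for n in live if n == stem or n.startswith(stem + ".")), None)
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sensitive = bool(SENSITIVE.search(fh.read(65536)))
            findings.append((os.path.relpath(path, docroot), sibling, sensitive))
    return findings

def build_sample_docroot(root):
    """Write a constructed sample tree: two live files and two editor leftovers."""
    samples = {
        "index.html": b"<html><body>home</body></html>",
        "index~": b'$q = "SELECT name FROM users WHERE id = ?";',
        "hello.txt": b"hello",
        "hello.txt~": b"hello draft",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for rel, sibling, sensitive in find_backup_files(root):
            print(f"{rel}: shadows={sibling} sensitive={sensitive}")
```

Files it reports belong outside the document root; the web server can additionally be configured to refuse requests for names with these suffixes.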

— — — ======— H@ppY_H@ck1nG —======== — — —



Fardeen Ahmed

ASE | DevSecOps | Pen-tester | Cyber Security consultant | Coder