Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to find mass leaked AWS S3 buckets from JS files.

SPECIAL COVID-19 Note:

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

Story Behind the bug:


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to find 9 full SSRF vulnerabilities with AWS metadata access by doing some GitHub recon.

SPECIAL COVID-19 Note:

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

Story Behind the bug:


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to leak all user PII information by SSRF AWS metadata exploitation.

SPECIAL COVID-19 Note:

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

Story Behind the bug:


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to gain unauthorized access to an admin dashboard via an endpoint leaked on GitHub.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

5. Aquatone

Story Behind the bug:


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to deactivate user accounts en masse via a single click by chaining a CSRF bug with XSS to bypass the CSRF protection on the deactivate function.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

5. qsreplace(tomnomnom) — https://github.com/tomnomnom/qsreplace

Story Behind the bug:


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to get AWS metadata access through SSRF by chaining it with an open redirect vulnerability.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

Story Behind the bug:


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to access the admin setpassword page by just bypassing a 403 Forbidden.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

Story of my first bounty:

This is the write-up of a recent bug that I found. While I was doing recon, gathering all subdomains and resolving every domain, I got an idea: why not look for exposed admin and setpassword dashboards without any directory brute-forcing? …


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be discussing how I was able to get RCE by using blind SSRF.

TOOLS used for the exploitation:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. qsreplace(tomnomnom) — https://github.com/tomnomnom/qsreplace
  3. ffuf — https://github.com/ffuf/ffuf
  4. gau(Corben) — https://github.com/lc/gau
  5. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

Background of the Vulnerability:

I always wondered why great bug bounty hunters always talk about chaining bugs. While I was doing some recon on the target using the web archive, I found a blind SSRF on the target with a parameter named “next_image”.

Now the actual hunting starts:

So, Suppose…


Hi, everyone

Tips for looking for Android bugs:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. grep
  3. wget
  4. gau(Corben) — https://github.com/lc/gau
  5. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls
  6. subjs(Corben) — https://github.com/lc/subjs

Step 1: Collecting all the JS files from the Wayback Machine

Suppose the target domain is example.com, where all subdomains and wildcards are in scope.

Scope of the target: *.example.com

gau -subs example.com | grep '\.js$' >> jsfile.txt

subfinder -d example.com…


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will be describing how I was able to find the production and staging access tokens leaked by an Android application and take over the whole infrastructure.

Tips for looking for Android bugs:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. grep
  3. apktool

Case: Finding hard-coded credentials in an Android APK.

So I was looking for Android bugs in one of the public bug bounty programs. …

Santosh Kumar Sha (@killmongar1996)

Like to hack and break security code and defense | Security Researcher | Pentester | Bug bounty hunter | Penetration tester | CTF player | BUGBOUNTY
