CRITICAL BUG Alert: How I HACKED into a company’s DATABASE
First off, I want to say a big thank you for the incredible support on my first blog. I really appreciate it. If you haven’t had a chance to read it yet, you can find it here.
I have found a few more bugs but am not able to write blogs about them due to some complications. However, I will do my best to consistently deliver content from my perspective.
Getting Started
My key Takeaways from this Bug:
Don’t just blindly trust the GitHub repos. Take a closer look yourself.
A new method
Inspired by my last finding, I now use a one-liner command that lists all the JS files by providing a list of domains as an input:
cat domains.txt | waybackurls | grep -E '\.js(\?|$)' | httpx -mc 200 >> js.txt
I then use Nuclei to find secrets in them with the command:
nuclei -l js.txt -t /home/kali/.local/nuclei-templates/http/exposures -o potential_secrets.txt
(Note: The path to the template might be different for you.)
I have also seen many hunters using Katana for enumerating the JS files, which is a good alternative too.
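As an added illustration of what the exposure templates are looking for in this step (my own example, not the author's tooling and not a Nuclei template), the Python below pulls the Firebase config fields out of a JS bundle and builds the read-probe URL a defender would request against their own project to confirm the database root is not world-readable. The JS fragment and every value in it are constructed placeholders. A Firebase web apiKey is a project identifier rather than a secret; whether the databaseURL is exposed is decided by the database's security rules, which is why the probe is the useful follow-up.

```python
import re

# Constructed sample: a fragment of a front-end bundle that embeds a Firebase
# config object. All values are placeholders, not real project identifiers.
SAMPLE_JS = """
var firebaseConfig = {
  apiKey: "AIzaSy-PLACEHOLDER-KEY-000000000000000000",
  authDomain: "example-app.firebaseapp.com",
  databaseURL: "https://example-app.firebaseio.com",
  projectId: "example-app",
  storageBucket: "example-app.appspot.com",
  messagingSenderId: "000000000000",
  appId: "1:000000000000:web:abcdef0123456789"
};
firebase.initializeApp(firebaseConfig);
"""

FIREBASE_FIELDS = (
    "apiKey", "authDomain", "databaseURL", "projectId",
    "storageBucket", "messagingSenderId", "appId",
)

# Matches  key: "value"  or  "key": 'value'  inside an object literal.
# The lookbehind stops a field name from matching as the tail of a longer identifier.
FIELD_RE = re.compile(
    r'(?<![\w$])["\']?(%s)["\']?\s*:\s*["\']([^"\']*)["\']' % "|".join(FIREBASE_FIELDS)
)


def extract_firebase_config(js_text):
    """Return a dict of Firebase config fields found in JS source ({} if none)."""
    found = {}
    for m in FIELD_RE.finditer(js_text):
        found.setdefault(m.group(1), m.group(2))
    return found


def public_read_probe_url(config):
    """Build the URL a defender requests (unauthenticated) against their own
    project. With correct rules the Realtime Database REST API answers
    HTTP 401 {"error": "Permission denied"}; a 200 with data means the root
    is world-readable. shallow=true keeps the response small either way.
    Returns None when the bundle carries no databaseURL."""
    db = config.get("databaseURL")
    if not db:
        return None
    return db.rstrip("/") + "/.json?shallow=true"


if __name__ == "__main__":
    cfg = extract_firebase_config(SAMPLE_JS)
    for k, v in cfg.items():
        print(f"{k:20} {v}")
    print("probe:", public_read_probe_url(cfg))
```

Run it against a bundle you own; the only field worth treating as a finding on its own is databaseURL, and only once the probe (or a rules review) shows the root is readable without authentication.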
Putting the method into Action
First, let’s talk about our target, “redacted.com”, an online counseling site.
So, I tried the same method on our target, hoping to find something interesting. Unlike many other sites, this one didn’t let me down and I got this:

And when I opened the URL, I found these Firebase configuration details:

Excited, I immediately went to the KeyHacks GitHub Repo to get a hint about what I could do with the information I found.
Sadly, it didn’t help much: according to the methods described in the repo, the creds I had found were not vulnerable, which I was not convinced of.
Digging Deeper
Following my instincts, I again went down my favorite road: RESEARCH! I read some articles, blogs, and even some Twitter tweets.
Finally, I found something useful. These three resources combined gave me the breakthrough:
The Discovery
Following the steps in the first resource, I added “/.json” to the end of the Firebase database URL and got this:

It’s a massive database I guess!!

To find a solution to this issue, I read the Firebase documentation and found out that I can use filters to get some portion of the database. After applying them via GET parameters, I tried to access the URL. It took some time to load, but then I got this:

After digging into the data, I could hardly believe it. I had the entire chat history of each user of the counseling website!

It took me a bit to get over the shock. Then I remembered that the third resource mentioned above explained how to check if we could write to the database. I checked it, and guess what!

I also had unauthorized permission to write to it.
(Ignore the data that I entered while testing😝)
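The read and write access described above comes from Realtime Database security rules that grant access unconditionally, and rules cascade downward, so a public `.read` at the root exposes every child path, including per-user chats. As an added example (my own code, not from the post or the company involved), here is a small linter that walks a rules document and flags every `.read`/`.write` set to a literal true. It is shown against a constructed permissive rule set and a constructed hardened one that scopes chat data to its authenticated owner; the path names are placeholders.

```python
import json

# Constructed permissive rules: the shape that makes a Realtime Database
# world-readable and world-writable through "/.json".
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed hardened rules: chat data lives under /chats/<uid> and is
# readable and writable only by that authenticated user. Anything not
# covered by a rule is denied by default.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "chats": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
""")


def _is_public(rule):
    """A rule grants anonymous access when it is the boolean true or the string 'true'."""
    if rule is True:
        return True
    return isinstance(rule, str) and rule.strip().lower() == "true"


def find_public_paths(rules_doc):
    """Walk a rules document and return [(path, kind)] for every node whose
    .read or .write is unconditionally true. A hit at "/" means the whole
    database is exposed, because rules cascade to all child paths."""
    hits = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_public(value):
                    hits.append((path or "/", key))
            elif key in (".validate", ".indexOn"):
                continue  # not access-granting keys
            elif isinstance(value, dict):
                walk(value, path + "/" + key)

    walk(rules_doc.get("rules", {}), "")
    return hits


def summarize(rules_doc):
    """Human-readable one-liner for a rules document."""
    hits = find_public_paths(rules_doc)
    if not hits:
        return "no unconditional public access"
    return "; ".join(f"{path} {kind} is public" for path, kind in hits)


if __name__ == "__main__":
    print("weak:    ", summarize(WEAK_RULES))
    print("hardened:", summarize(HARDENED_RULES))
```

The linter is deliberately narrow: it only catches literal `true`, so an expression that is always satisfied (for example a comparison that cannot fail) still needs a human review, but the literal case is exactly the misconfiguration this write-up found.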
Putting It All Together
Both of these findings were enough to prove this was a CRITICAL problem. So, I quickly wrote up a detailed report and submitted it.
The company confirmed the severity with this reply:

So, another JS secret found, another misconfiguration, another CRITICAL bug!!
I’m aware there are existing tools that serve a similar purpose. But my obsession with finding secrets in JS files is driving me to build a tool that aims to automate this process. Stay tuned!!