Finding my first bug in a Website

Why this Post:

This post intends to answer the evergreen question of whether bug hunting is for everyone or only for people who already know all about security. To answer it, I would like to share my take on my first bug find.

Background:

Starting my career as a security analyst, I have been working a lot on analysing complex systems and finding possible vulnerabilities or weaknesses during the product-building phase. Technically this was Blue Team work (a term used in security), and I was always curious to learn and explore pen-testing. During the start of the COVID-19 shutdown in India, I was going through different types of vulnerabilities on YouTube to keep myself updated.

I found HTTP parameter pollution and the open redirect vulnerability exciting, and I understood them to an appreciable extent.

“Still, I would say I lacked expertise and experience in pen-testing, being naive, I just understood the basic idea of the vulnerability with the help of online content.”

The Vulnerability:

Just the next day I was surfing online and looking through my good old anime site, Kissanime.ru.
I knew the site had Cloudflare in front of it, for protection against DDoS and also as a CDN.
I was opening an episode of an anime series when the site address immediately grabbed my attention: it carried a URL-encoded redirect parameter, a candidate for an open redirect.

https://kissanime.ru/Special/AreYouHuman2?reUrl=%2fAnime%2fHaikyuu-To-the-Top%2fEpisode-010%3fid%3d167554%26s%3ddefault

The site checks if the user is human or a bot before letting the user access any video content. This is a typical page that everyone on the site has to encounter, no matter which anime a user wants to see.

If one carefully observes the URL, the part reUrl=%2fAnime%2fHaikyuu-To-the-Top%2fEpisode-010%3fid%3d167554%26s%3ddefault is the encoded redirect target; it decodes to /Anime/Haikyuu-To-the-Top/Episode-010?id=167554&s=default.

The first thing that struck me was the question of whether the redirect would be limited to the site's own domain or not. I URL-encoded the Google home page address and wrote a new URL with the redirect pointing to it.

https://kissanime.ru/Special/AreYouHuman2?reUrl=http%3a%2fwww%2egoogle%2ecom%2f

Guess what? It worked!

After passing the human test, the website redirected to http:/www.google.com/ (with a single slash, since the encoded value contains only one %2f after http%3a).
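As an added illustration (not code from the post or from the site), here is a Python sketch of the `reUrl` handling the post observed beside a hardened version that honours the parameter only when it stays on the site; function names are mine, and the sample URLs are the two from the post.

```python
from urllib.parse import parse_qs, urlparse

SAFE_DEFAULT = "/"  # where to send the user when reUrl cannot be trusted


def extract_reurl(full_url: str) -> str:
    """Pull the reUrl value out of a full URL; parse_qs percent-decodes it."""
    query = parse_qs(urlparse(full_url).query, keep_blank_values=True)
    return query.get("reUrl", [""])[0]


def vulnerable_resolve(full_url: str) -> str:
    """Behaviour the post observed: the decoded parameter is followed as-is."""
    return extract_reurl(full_url)


def is_local_path(target: str) -> bool:
    """True only if target is a path on this site (no scheme, no host)."""
    if not target.startswith("/"):
        return False  # rejects "http:/www.google.com/", "javascript:..." etc.
    if target.startswith("//") or target.startswith("/\\"):
        return False  # protocol-relative "//host" and backslash variants
    if "\r" in target or "\n" in target:
        return False  # would let the value break out of the Location header
    parsed = urlparse(target)
    return parsed.scheme == "" and parsed.netloc == ""


def safe_resolve(full_url: str) -> str:
    """Hardened handler: use reUrl only when it is a same-site path."""
    target = extract_reurl(full_url)
    return target if is_local_path(target) else SAFE_DEFAULT


if __name__ == "__main__":
    # Sample requests, taken from the post (not live traffic).
    episode = ("https://kissanime.ru/Special/AreYouHuman2?reUrl=%2fAnime%2f"
               "Haikyuu-To-the-Top%2fEpisode-010%3fid%3d167554%26s%3ddefault")
    external = ("https://kissanime.ru/Special/AreYouHuman2?reUrl="
                "http%3a%2fwww%2egoogle%2ecom%2f")
    for url in (episode, external):
        print("vulnerable ->", vulnerable_resolve(url))
        print("hardened   ->", safe_resolve(url))
```

The hardened handler keeps the legitimate episode redirect working while sending the off-site value back to the site root.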

“I just found a bug worth reporting,” I said to myself, and went ahead and played a little more with XSS and SQLi tests as well. But nothing worked.

Anyhow, I went around thinking maybe I could report my first bug. But I found that the bug had already been reported in November 2018. I was a little excited at the start, but in the end I learned the reality; yet it's not disappointing but encouraging that I could do a lot more after learning a little more.

The sad part is that the website hadn't patched the bug even after 1.5 years.

Take away:

1. Bug hunting is not hard. If one understands the underlying concepts and the vulnerability, one can easily find a bug.

2. There are cases where reported bugs might not be patched.

3. You never know who could find the bug. I had merely started to test websites, and I found one on my very first try. It's not always easy to find a bug, but it's not too tricky either.

4. Moreover, it is not limited to people who are erudite in bug hunting.

I would suggest trying out bug hunting irrespective of your background; anyone can bring something to the table.

Background: Graduate from IIT long back | Hobbies: Exploring tech, blogging, enjoying science and art | Free time activities: Watching F1, Cricket and Anime