While testing Hired.com, a HackerOne private site,
I saw there is an option to upload your resume.
So I checked and found that uploads are restricted to .pdf and .docx.
Then I tried to bypass the restriction but failed.
Then I noticed one thing: after uploading a .docx or .pdf file, it is stored in CloudFront in original.pdf form.
So I intercepted the request and saw that the resume is stored in this manner:
candidate_profiles/<profile id>/resumes/1443578302/original.pdf
and the 1443578302 is a random number,
so finally the URL looks like this:
https://dmdf3fr77elxm.cloudfront.net/candidate_profiles/391790/resumes/1443578302/original.pdf
So I started brute forcing the random number as well as the profile id, and I got many resumes by incrementing by +1 or decrementing by -1.
I successfully enumerated 3 to 4 resumes in a short time period, so I used them as proof of concept.
And got a bounty.
Timeline:
Bug Reported: Sept 29, 2015
Bug Triaged: Oct 5, 2015
Bug Fixed: Dec 21, 2015
Rewarded
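
From the defender's side, the root problem above is that the object path alone grants access. The following is an added example, not code from Hired.com or from the original post: a generic HMAC-signed, expiring link bound to the exact resume path, so that changing the profile id or resume number invalidates it. The key, function names and query parameter names are assumptions, and this is not CloudFront's own signed-URL format.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed demo key (assumption); load the real one from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def resume_path(profile_id: int, resume_id: int) -> str:
    # Path layout taken from the write-up.
    return f"/candidate_profiles/{profile_id}/resumes/{resume_id}/original.pdf"


def _mac(path: str, expires: int, key: bytes) -> bytes:
    # The MAC covers the full path and the expiry, so neither can be edited.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def sign_url(profile_id: int, resume_id: int, ttl: int = 300,
             now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Issue a short-lived link, called only after the application has
    checked that the requesting user may read this profile's resume."""
    expires = (int(time.time()) if now is None else now) + ttl
    path = resume_path(profile_id, resume_id)
    return f"{path}?expires={expires}&sig={_mac(path, expires, key).decode()}"


def check_url(url: str, now: Optional[int] = None,
              key: bytes = SIGNING_KEY) -> bool:
    """Verification in front of the file store: reject unsigned, expired,
    or path-modified requests."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0].encode()
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    current = int(time.time()) if now is None else now
    if current > expires:
        return False
    # Constant-time comparison against the MAC for the requested path.
    return hmac.compare_digest(_mac(parts.path, expires, key), sig)
```

With this in place, a link issued for one profile stops working as soon as any number in the path is changed, and it stops working on its own once it expires.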