Can you even imagine what most people do?
They do recon, burst out some payloads and think that’s bbh?
Naahh man, I'll show you how a simple recon got me $100.
I used Shodan for the recon. I put the target in the query and got various results, one of which had been updated on the same day I was checking.
https://www.shodan.io/search?query=redacted.com
I then went to https://sub.sub.redacted.com and found a page with literally nothing on it.
Then I thought of fuzzing the website; I used dirsearch with the common wordlist.
dirsearch -u https://sub.sub.redacted.com/
I got a 403 on /.env, which says the file is available but not accessible, and when I tried to visit https://sub.sub.redacted.com/.env I got a Cloudflare error saying “Sorry, you have been blocked You are unable to access redacted.com”
One Question That Matters
If the WAF blocks me, what is it protecting?
A WAF only protects what it sits in front of.
If the origin server is exposed, the WAF means nothing.
So I went looking for the real server.
Shodan Changed Everything
WAF Bypass in One Step
Accessing the application through the origin IP completely bypassed the WAF.
No filters
No blocks
No warnings
Requesting the .env file returned a clean 200 OK.
The production environment file was exposed.
What Was Leaked
The file contained critical production secrets.
Database credentials
Session signing keys
Internal API routes
This was more than a file leak.
It was a full security control bypass.
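The two failures above, an origin that answers anyone who finds its IP and a web root that serves /.env, are both fixed at the origin, not at the WAF. The guard below is an added example written for this write-up, not the target's code or the author's: it refuses requests whose TCP peer is outside the CDN's address ranges, refuses requests lacking a shared token the CDN injects on forwarded traffic, and refuses dotfile paths outright so a gap in WAF rules can never expose them. The CDN ranges (RFC 5737 documentation networks), the `X-Origin-Token` header name and its value are constructed placeholders; a real deployment loads the provider's published ranges and a random secret from configuration.

```python
"""Origin-side request guard for a server that should only be reachable
through a WAF/CDN.

Added example, not the page's or the project's code. CDN_RANGES, the
X-Origin-Token header and ORIGIN_TOKEN are constructed placeholders.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed allowlist (RFC 5737 documentation ranges). In production this is
# the CDN provider's published egress range list, refreshed periodically.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed shared secret that the CDN adds to every forwarded request.
# Rotate it; the origin rejects requests that do not carry it.
ORIGIN_TOKEN = "placeholder-origin-token-rotate-me"

# Dotfile directories that legitimately need to be reachable (ACME challenges).
DOTFILE_EXCEPTIONS = {".well-known"}


@dataclass
class Request:
    source_ip: str                      # TCP peer address, NOT X-Forwarded-For
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def from_cdn(ip: str) -> bool:
    """True if the TCP peer address belongs to an allowed CDN range.
    The peer address is used on purpose: X-Forwarded-For is client-controlled."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def token_ok(headers: Dict[str, str]) -> bool:
    """Constant-time comparison of the shared origin token."""
    presented = headers.get("X-Origin-Token", "")
    return hmac.compare_digest(presented, ORIGIN_TOKEN)


def sensitive_path(path: str) -> bool:
    """True if any path segment is a dotfile/dotdir (/.env, /.git/config, ...),
    mirroring the common `location ~ /\\.` deny rule, minus .well-known."""
    clean = path.split("?", 1)[0]
    segments = [s for s in clean.split("/") if s]
    return any(s.startswith(".") and s not in DOTFILE_EXCEPTIONS for s in segments)


def evaluate(req: Request) -> Tuple[int, str]:
    """Return (status, reason) for a request as seen by the origin.
    Dotfiles are checked first so they are denied even for traffic that did
    come through the CDN; a 404 avoids confirming the file exists."""
    if sensitive_path(req.path):
        return 404, "dotfile path denied at origin"
    if not from_cdn(req.source_ip):
        return 403, "direct-to-origin request refused (peer not in CDN range)"
    if not token_ok(req.headers):
        return 403, "missing or invalid origin token"
    return 200, "forwarded by CDN, served"


def demo() -> List[Tuple[str, int]]:
    """Constructed requests covering the cases from the write-up."""
    cdn_hdrs = {"X-Origin-Token": ORIGIN_TOKEN}
    cases = [
        ("direct hit on origin, /.env", Request("203.0.113.9", "/.env")),
        ("direct hit on origin, /", Request("203.0.113.9", "/")),
        ("via CDN, token missing", Request("192.0.2.10", "/")),
        ("via CDN, token present", Request("192.0.2.10", "/", cdn_hdrs)),
        ("via CDN, /.env with token", Request("192.0.2.10", "/.env", cdn_hdrs)),
    ]
    return [(label, evaluate(r)[0]) for label, r in cases]


if __name__ == "__main__":
    for label, status in demo():
        print(f"{status}  {label}")
```

The token header is the simplest stand-in for what providers offer natively (Cloudflare's Authenticated Origin Pulls uses client certificates for the same purpose); either way, the origin should also be firewalled to the CDN ranges at the network layer so that the check is not the only line of defence.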
Why This Is Serious
An attacker could avoid every WAF rule.
No rate limiting
No injection filters
No detection
With valid credentials, backend systems were within reach.
This is how small misconfigs turn into big breaches.