Hello Everyone! Hope You are doing Great!!!
This write-up is about my recently resolved bug. As it belongs to a private program, I am writing this blog with their permission and with redacted details.
I started with recon on this domain, which I will call “example.com”. I generally use tools like assetfinder, subfinder and sublister to find subdomains, then sort their output into a single file to get unique results.
sort -u asset_example.txt sublister_example.txt subfinder_example.txt > rec_example.txt
I filter this output with httpx to get the live subdomains, as below:
cat rec_example.txt | httpx > rec_httpx.txt
In this particular case rec_example.txt contained only around six subdomains, so I decided to inspect each entry instead of relying on httpx.
One subdomain found was “gis.example.com”. Upon browsing it, I got status code 503 Service Unavailable. As usual we would skip to the next subdomain, but I did perform a nuclei scan on this subdomain, which revealed the following result:
REST endpoint at “gis.example.com/server/rest/services”
I immediately opened this endpoint, and it was an ArcGIS Server 11.1 REST endpoint.
As you can see, it contains different endpoints like Country, Utilities and more. I tried to access the Country endpoint; it brought me to the login endpoint and gave me 503 Service Unavailable, as below.
But if we look at the directory, there is a service called ExportCSV, as seen below.
Exploring this option brought me to the task-submitting UI, which means it allowed unauthenticated users.
Next I submitted the task, and it generated output in a zip file.
As this is an insurance company, the output contained massive amounts of data on farm profiles: location of the farms, crops, third-party auditing status, soil health, property name, tenancy and more.
This bug was marked with a severity of 7.5 (High), and I was rewarded with a bounty accordingly.
Takeaway: After this finding I thought that if I had relied on the httpx output, I would have missed this bug, as the subdomain was giving a 503 status. Always rely on multiple ways to recon.
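As an added example (not part of the original post), here is the same two-step workflow in Python: merge the subdomain lists like `sort -u`, then triage httpx results so that hosts answering 4xx/5xx on the web root land in a manual-review queue instead of being discarded, which is exactly what would have hidden gis.example.com. The httpx line format "https://host [503]" (as printed with the -sc flag) is an assumption, and the sample lines are constructed.

```python
import re
from typing import Dict, Iterable, List

# Assumed httpx text output with -sc: "<url> [<status>]". Adjust the regex if
# your httpx version prints extra columns (title, content length, ...).
HTTPX_LINE = re.compile(r"^(?P<url>\S+)\s+\[(?P<status>\d{3})\]")

# Constructed sample of what rec_httpx.txt might contain.
SAMPLE_HTTPX = [
    "https://www.example.com [200]",
    "https://gis.example.com [503]",
    "https://old.example.com [404]",
    "this line is not an httpx result",
]


def merge_unique(*lists: Iterable[str]) -> List[str]:
    """Equivalent of `sort -u` over several tool outputs.

    Hostnames are case-insensitive, so they are lower-cased before
    de-duplication; blank lines are dropped.
    """
    seen = set()
    for src in lists:
        for line in src:
            host = line.strip().lower()
            if host:
                seen.add(host)
    return sorted(seen)


def triage_httpx(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Split httpx results into 'live' (2xx/3xx) and 'review' (4xx/5xx) hosts.

    A 503 on the root is not evidence that nothing is reachable on the host:
    individual paths (such as a REST services directory) may still be served,
    so such hosts are queued for manual inspection rather than dropped.
    Lines that do not parse are kept separately so nothing is silently lost.
    """
    live: List[str] = []
    review: List[str] = []
    unparsed: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HTTPX_LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        status = int(m.group("status"))
        (live if status < 400 else review).append(m.group("url"))
    return {"live": live, "review": review, "unparsed": unparsed}
```

Anything in the "review" list deserves the same per-path look the post describes, rather than being treated as dead.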
Disclaimer: This research was part of a bug bounty program. If someone performs unauthorized activity on an unauthorized asset inspired by this, I am not responsible.