I was searching for a bug bounty programme using Google dorks when I found a private VDP. It was a bit old, but I thought, why not give it a try?
Directory Bruteforcing
First, without even looking into anything (considering the situation, I didn't want to spend much of my time deep-diving into it), I ran feroxbuster and found /admin.
It looked decent, and that's exactly why I should not test it.
Well, I bypassed the login and changed the password to access the portal XD.
It had a major flaw. Unauthenticated requests to the portal were answered with a 302 Found redirect to the login page, but the protected page was still sent in the response body. The redirect was the only "protection", so rewriting the status line to 200 OK in an intercepting proxy made the browser render the admin portal. I was able to change the admin password as well, which means the backend was not enforcing authentication on the password-change request either: the login page only ever gated the client, never the server.
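To make the flaw concrete, here is an added example (not code from the original post or from the target) of the pattern described above as two tiny WSGI apps using only the Python standard library. The vulnerable app answers unauthenticated requests for /admin with 302 -> /login but still puts the full admin page in the body, and its password-change endpoint never checks the session; the hardened app rejects every /admin request server-side and sends an empty redirect. The routes, cookie name, session token and credentials are all constructed for the example, and the `call` helper plays the role of a proxy replaying requests in-process.

```python
"""Added example: why rewriting 302 -> 200 in a proxy "bypassed" the login,
and what the server has to do instead. Stdlib only, no server needed.
All routes, cookie names and credentials are constructed for this example."""
from io import BytesIO
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

ADMIN_PAGE = (b"<h1>Admin portal</h1>"
              b"<form method='post' action='/admin/password'>"
              b"<input name='new_password'><button>Change</button></form>")

# Constructed session store: cookie value -> username.
SESSIONS = {"valid-session-token": "admin"}


def _session_user(environ):
    """Return the logged-in username for the request's session cookie, or None."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookies["session"].value if "session" in cookies else None
    return SESSIONS.get(token)


def build_app(enforce_auth, users):
    """Return a WSGI app. enforce_auth=False reproduces the flawed portal;
    `users` is the (constructed) credential store the app mutates."""

    def app(environ, start_response):
        path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
        user = _session_user(environ)

        if enforce_auth and path.startswith("/admin") and user is None:
            # Hardened: every /admin* request is refused server-side before any
            # work is done, and the redirect carries no body for a proxy to unmask.
            start_response("302 Found", [("Location", "/login"), ("Content-Length", "0")])
            return [b""]

        if path == "/admin" and method == "GET":
            if user is None:
                # Flaw 1: the 302 is the only "protection" and the protected page
                # is still in the body. Rewrite the status line to 200 OK in an
                # intercepting proxy and the browser renders the portal.
                start_response("302 Found", [("Location", "/login"),
                                             ("Content-Type", "text/html")])
                return [ADMIN_PAGE]
            start_response("200 OK", [("Content-Type", "text/html")])
            return [ADMIN_PAGE]

        if path == "/admin/password" and method == "POST":
            # Flaw 2: the state-changing endpoint assumes only the (client-side
            # gated) page could have submitted it, so there is no session check.
            length = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(length).decode())
            users["admin"] = form.get("new_password", [""])[0]
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"password changed"]

        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]

    return app


def call(app, method, path, body=b"", cookie=""):
    """Invoke a WSGI app in-process, like a proxy replaying a request.
    Returns (status line, response body)."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks)


def leaks_body_on_redirect(app):
    """The check to run on any login redirect: does the 3xx response still carry
    the protected page? If it does, status-code rewriting will 'bypass' it."""
    status, body = call(app, "GET", "/admin")
    return status.startswith("302") and b"Admin portal" in body


def unauthenticated_password_change_works(app):
    """Replay the password-change POST with no session cookie at all and report
    whether the server accepted it."""
    status, _ = call(app, "POST", "/admin/password", b"new_password=pwned")
    return status.startswith("200")


if __name__ == "__main__":
    for label, enforce in (("vulnerable", False), ("hardened", True)):
        users = {"admin": "original"}
        app = build_app(enforce, users)
        print(label, "| body leaks on 302:", leaks_body_on_redirect(app),
              "| unauth password change accepted:", unauthenticated_password_change_works(app),
              "| stored password:", users["admin"])
```

The two checks are the ones worth repeating on a real target before writing the report: a 3xx that still carries the protected markup is the tell for status-code manipulation, and replaying the state-changing request with no cookie at all separates "the page was hidden" from "the action was unprotected". The hardened app fixes both by deciding authorisation once, on the server, before the handler runs, so the status code sent to the client no longer matters.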
Here is a video demonstration of the same