Article describes using Google dorking techniques as a reconnaissance method to discover hidden vulnerabilities and exposed information for bug bounty hunting.
A security researcher found unauthenticated Jenkins instances via Shodan, used the 'Manage Jenkins' configuration page to install a terminal plugin and obtain RCE, and earned hall-of-fame bounties at two Fortune 500 companies.
A Salesforce API access token was exposed to users' browsers during file uploads on IKEA.com's customer support forms, allowing attackers to query customer data via the Salesforce REST API. The token was not scoped to the upload use case: it listed 465 accessible object types, including customer account names and phone numbers.
A researcher found three vulnerabilities in Yahoo's Brightroll service: two RCEs via JSON injection into a message queue system (bypassing a command filter with Unicode escapes that the JSON decoder turned back into the blocked characters), and an SSRF in image resizing where curl flag injection allowed arbitrary file reads. The SSRF came close to RCE but was limited to file disclosure without code execution.
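The two defects from the Brightroll write-up, reduced to a runnable sketch: a command filter that inspects the raw JSON text before the decoder turns `\u003b` back into `;`, and an image fetcher that lets the "URL" be parsed as a curl option. This is an added example, not the service's own code; the message shape, the filter, the field names and the argv layouts are constructed for illustration.

```python
"""Filter-before-decode and argv injection, beside their fixed forms.
Added example; message shape, filter and argv layouts are constructed."""
import json
import re
from urllib.parse import urlsplit

SHELL_META = re.compile(r"[;&|`$<>\n]")           # naive filter on raw text
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # allowlist for decoded value


def filter_then_decode(raw_message: str):
    """Vulnerable ordering: the filter never sees ';' because it is still the
    six characters \\u003b when the check runs; json.loads decodes it after."""
    if SHELL_META.search(raw_message):
        return None
    return json.loads(raw_message)


def vulnerable_command(msg: dict) -> str:
    """Vulnerable sink: the decoded value is spliced into a shell string."""
    return f"convert {msg['filename']} out.png"


def decode_then_validate(raw_message: str):
    """Fixed ordering: decode first, then allowlist the decoded value."""
    msg = json.loads(raw_message)
    name = msg.get("filename")
    if not isinstance(name, str) or not SAFE_FILENAME.match(name):
        return None
    return msg


def hardened_argv(msg: dict) -> list:
    """Fixed sink: argv list (no shell) and '--' so the value cannot be an option."""
    return ["convert", "--", msg["filename"], "out.png"]


def fetch_argv(url: str) -> list:
    """curl argv for an image fetcher: scheme allowlist plus '--' so that a
    'URL' such as '-F f=@/etc/passwd' is never parsed as a flag, and
    --proto so curl itself refuses file:// and friends."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing non-http(s) or hostless URL: {url!r}")
    return ["curl", "--proto", "=http,https", "--max-time", "10", "--", url]


def fetch_rejected(url: str) -> bool:
    """True if fetch_argv refuses the URL (helper for checks below)."""
    try:
        fetch_argv(url)
        return False
    except ValueError:
        return True


# Constructed queue message: the ';' is hidden as a JSON Unicode escape.
ATTACK = '{"filename": "a.jpg\\u003b id"}'

if __name__ == "__main__":
    msg = filter_then_decode(ATTACK)
    print("filter passed:", msg, "->", vulnerable_command(msg))
    print("decode-then-validate:", decode_then_validate(ATTACK))
    print(fetch_argv("https://example.com/a.png"))
    print("rejects flag-looking URL:", fetch_rejected("-F f=@/etc/passwd"))
```

The ordering bug is the whole story: any filter that runs on a serialised form (JSON, URL encoding, HTML entities) is checking a different string from the one the sink eventually receives. Validate the value after the last decoding step, and keep the sink an argv list rather than a shell string.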
A P1 RCE vulnerability was discovered in a misconfigured Jenkins instance found via Shodan reconnaissance, exploiting open user registration together with an exposed script console.
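Both Jenkins write-ups above come down to the same two settings in the controller's `config.xml`: an authorization strategy that grants anonymous (or any logged-in) user full control, and a built-in security realm that still allows self-registration. The audit below reads those settings and flags the combinations that hand out the script console. It is an added example, not code from either write-up; the element and class names are the ones Jenkins writes for its built-in security realm and authorization strategies, and the three sample configs are constructed.

```python
"""Audit a Jenkins config.xml for open signup and unauthenticated full control.
Added example; sample configs are constructed."""
import xml.etree.ElementTree as ET

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
FULL_CONTROL_LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"


def _flag(elem, tag, default):
    """Read a boolean child element; an absent element falls back to `default`."""
    text = elem.findtext(tag) if elem is not None else None
    return default if text is None else text.strip().lower() == "true"


def audit_jenkins_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    if not _flag(root, "useSecurity", False):
        findings.append("useSecurity=false: every visitor is an administrator, /script is open")
        return findings

    strategy = root.find("authorizationStrategy")
    strategy_cls = strategy.get("class", "") if strategy is not None else ""
    if strategy_cls == UNSECURED:
        findings.append("authorizationStrategy=Unsecured: anonymous has full control, /script is open")

    realm = root.find("securityRealm")
    realm_cls = realm.get("class", "") if realm is not None else ""
    # Assumption: a missing <disableSignup> is read as signup enabled (the
    # field's default value is false), which is the conservative reading.
    signup_open = realm_cls == PRIVATE_REALM and not _flag(realm, "disableSignup", False)
    if signup_open:
        findings.append("HudsonPrivateSecurityRealm with disableSignup=false: anyone can register")
    if signup_open and strategy_cls == FULL_CONTROL_LOGGED_IN:
        findings.append("open signup + FullControlOnceLoggedIn: a self-registered user gets the script console (RCE)")

    if not _flag(strategy, "denyAnonymousReadAccess", True):
        findings.append("denyAnonymousReadAccess=false: anonymous users can browse jobs and build logs")
    return findings


# Constructed config.xml fragments resembling what the write-ups describe.
SAMPLE_OPEN_SIGNUP = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""

SAMPLE_UNSECURED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

SAMPLE_HARDENED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""

if __name__ == "__main__":
    for name, cfg in (("open-signup", SAMPLE_OPEN_SIGNUP),
                      ("unsecured", SAMPLE_UNSECURED),
                      ("hardened", SAMPLE_HARDENED)):
        print(name, audit_jenkins_config(cfg) or ["ok"])
```

Run it against `$JENKINS_HOME/config.xml` on a controller you administer. From the outside, the same two conditions show up as a `/signup` page that renders a registration form and a `/script` page that returns the Groovy console instead of a login redirect.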
A stored XSS vulnerability was discovered in Edmodo's user registration flow where first and last name fields accepted unfiltered HTML/JavaScript payloads. The payload executed when viewing a user's profile through a connection search feature, enabling potential account takeover.
Security researcher discovered a reflected XSS vulnerability in Microsoft's imagineacademy.microsoft.com subdomain using a simple SVG/onload payload in the search bar, which was acknowledged and fixed by Microsoft through their responsible disclosure program.
A reflected XSS vulnerability was discovered on Philips.com because Adobe Experience Manager's debug mode had been left enabled in production, allowing HTML injection via the debug=layout parameter. The payload bypassed ModSecurity and the Akamai WAF by using a <body onpointerenter> tag combined with jQuery.getScript() to load external JavaScript, enabling phishing and credential theft from authenticated users.
A security researcher found a reflected XSS vulnerability in Edmodo's onboarding parameter (school_suggestion_test_variant), which was reflected unescaped inside a script block and so allowed arbitrary JavaScript execution; it was found through basic subdomain enumeration and parameter testing in under 3 minutes.
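The four XSS write-ups above (Edmodo's name fields and onboarding parameter, the Microsoft search bar, the Philips debug parameter) differ only in where the untrusted value lands: HTML text, an attribute, or the inside of an inline script. The example below shows the vulnerable template beside the context-aware encoding for each, and why entity-encoding is the wrong tool inside a script block. It is an added example, not code from any of the write-ups; the templates and payloads are constructed.

```python
"""Context-aware output encoding for HTML text/attribute and inline-script sinks.
Added example; templates and payloads are constructed."""
import html
import json

# Payloads of the shape the write-ups describe (constructed).
PAYLOAD_STORED = '<img src=x onerror=alert(document.cookie)>'
PAYLOAD_SVG = '<svg/onload=alert(1)>'
PAYLOAD_SCRIPT_BREAKOUT = "';alert(1);//"
PAYLOAD_TAG_BREAKOUT = '</script><svg onload=alert(1)>'


def render_name_unsafe(name: str) -> str:
    """Vulnerable: profile name dropped straight into HTML text."""
    return f"<h1>{name}</h1>"


def render_name(name: str) -> str:
    """HTML text and quoted-attribute contexts: entity-encode & < > \" '."""
    safe = html.escape(name, quote=True)
    return f'<h1 title="{safe}">{safe}</h1>'


def render_variant_unsafe(variant: str) -> str:
    """Vulnerable: parameter reflected inside a JS string in an inline script."""
    return f"<script>var variant = '{variant}';</script>"


def js_string(value: str) -> str:
    """A JS string literal that is safe inside <script>: JSON-encode, then
    escape < > & as \\uXXXX so '</script>' in the data cannot end the block.
    html.escape would be wrong here: '&lt;' is not a JS escape, so the
    string would literally contain '&lt;' when the script runs."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_variant(variant: str) -> str:
    """Inline-script context done right."""
    return f"<script>var variant = {js_string(variant)};</script>"


def script_closed_early(rendered: str) -> bool:
    """True if the data managed to terminate the inline script block."""
    return rendered.count("</script>") > 1


if __name__ == "__main__":
    print(render_name_unsafe(PAYLOAD_STORED))
    print(render_name(PAYLOAD_STORED))
    print(render_variant_unsafe(PAYLOAD_TAG_BREAKOUT), script_closed_early(render_variant_unsafe(PAYLOAD_TAG_BREAKOUT)))
    print(render_variant(PAYLOAD_TAG_BREAKOUT), script_closed_early(render_variant(PAYLOAD_TAG_BREAKOUT)))
```

The Philips case is the argument for doing this in the template rather than in front of it: the WAF signature list did not include `onpointerenter`, and no list ever contains every event handler, whereas encoding for the output context needs no knowledge of the payload at all.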
A researcher discovered a URI-based XSS vulnerability in a redirect parameter (example.com/social?redirect=) found by Google dorking for hidden endpoints: the parameter accepted javascript:// URLs, so a victim who logged in after following a crafted link was sent to the javascript: URL and the attacker's script executed in the site's origin.
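The fix for the redirect case is a target validator that only ever emits a same-site relative path or an http(s) URL on an allowlisted host, and that normalises the way a browser will before looking at the scheme, since `java\tscript:`, `JaVaScRiPt:` and `javascript://%0a...` all reach the address bar as `javascript:`. The function below is an added example, not the affected site's code; example.com and the host allowlist are placeholders, and it assumes `raw` is the query-parameter value as a web framework hands it over (already percent-decoded once).

```python
"""Post-login redirect validator that refuses javascript: and its variants.
Added example; hosts are placeholders."""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # placeholder allowlist
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: Optional[str]) -> str:
    """Return `raw` only if it is a same-site relative path or an http(s) URL
    on an allowlisted host; otherwise return DEFAULT_TARGET."""
    if not raw:
        return DEFAULT_TARGET
    # Browsers strip ASCII control characters (tab, CR, LF) from URLs and
    # ignore leading/trailing whitespace, so do the same before inspecting
    # the scheme; otherwise "java\tscript:" does not look like a scheme here
    # but does in the browser.
    candidate = "".join(ch for ch in raw if ord(ch) > 0x1F).strip()
    try:
        parts = urlsplit(candidate)       # lower-cases the scheme for us
    except ValueError:                    # e.g. malformed IPv6 literal
        return DEFAULT_TARGET

    if parts.scheme == "":
        # Relative target: exactly one leading '/'. "//host" is a
        # scheme-relative URL and "/\host" is treated the same by browsers.
        if candidate.startswith("/") and candidate[1:2] not in ("/", "\\"):
            return candidate
        return DEFAULT_TARGET

    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return DEFAULT_TARGET


if __name__ == "__main__":
    for target in ("/account",
                   "javascript://\nalert(document.cookie)",
                   "java\tscript:alert(1)",
                   "//evil.example/",
                   "https://example.com@evil.example/",
                   "https://example.com/social"):
        print(repr(target), "->", safe_redirect_target(target))
```

Note the allowlist is on `parts.hostname`, not a string prefix: `https://example.com@evil.example/` and `https://example.com.evil.example/` both start with the trusted name and both go to the attacker.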