
Unlocking Dunzo's Internal Dashboard

Staff Application Security Engineer

Hello Everyone!

This write-up covers a sensitive information disclosure vulnerability in Dunzo.

The vulnerability could have allowed an attacker to access Dunzo's internal monitoring dashboard.

Subdomain Enumeration:

I started with subdomain enumeration, and for that I used crt.sh.

What is crt.sh:

It's a web interface that lets you search for certificates that have been logged to Certificate Transparency (CT) logs, which means every subdomain that ever received a public certificate shows up there.

In this case, I got only a few subdomains, so I checked each one manually. If you find a large number of subdomains, you can use the httpx tool from ProjectDiscovery to probe them in bulk.

On one of those subdomains, I could access the internal dashboard without any authentication. There I found internal IP addresses and production server logs.
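The same two steps, written as an added example from the defender's side (this is not code from the post or from Dunzo): pull every hostname crt.sh has logged for your own root domain, deduplicate it, and then classify how each host answers an unauthenticated request so that anything serving internal content with no login gate is flagged for review. The crt.sh URL format is real; the crt.sh response, the hostnames, and the probe results are constructed stand-ins so the script runs offline, and the "internal" title markers and private-IP check are heuristics I chose, not anything the post describes.

```python
"""Certificate-transparency driven attack-surface review (added example).
Step 1: collect every hostname crt.sh has logged under a root domain.
Step 2: classify each host's response to one unauthenticated GET.
Network calls are replaced by constructed sample data so this runs offline.
"""
import json
import re
from urllib.parse import quote

# Real crt.sh JSON endpoint; the query '%.root' matches every subdomain.
CRT_SH_URL = "https://crt.sh/?q={query}&output=json"

# Constructed stand-in for a crt.sh response (hostnames are fictional).
# 'name_value' holds the certificate's SAN entries separated by newlines;
# wildcard entries and mixed case are common in real output.
SAMPLE_CRT_RESPONSE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "monitoring.example.com",
     "name_value": "monitoring.example.com\nMONITORING.example.com"},
    {"common_name": "api.example.com", "name_value": "api.example.com\nnotexample.com"},
])

HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")
# RFC 1918 ranges; a public page echoing these is a leak indicator (heuristic).
PRIVATE_IP_RE = re.compile(r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                           r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
                           r"|192\.168\.\d{1,3}\.\d{1,3})\b")
INTERNAL_MARKERS = ("dashboard", "monitoring", "admin", "logs", "internal")  # heuristic


def crt_sh_query_url(root_domain):
    """URL to fetch in a real run (e.g. with urllib.request.urlopen)."""
    return CRT_SH_URL.format(query=quote("%." + root_domain, safe=""))


def extract_subdomains(crt_json_text, root_domain):
    """Sorted, deduplicated concrete hostnames that fall under root_domain."""
    root = root_domain.lower()
    found = set()
    for record in json.loads(crt_json_text):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert names no concrete host
            if (name == root or name.endswith("." + root)) and HOSTNAME_RE.match(name):
                found.add(name)
    return sorted(found)


# Constructed probe results standing in for what httpx or curl would record.
SAMPLE_PROBE_RESULTS = {
    "www.example.com": {"status": 200, "location": None, "www_authenticate": None,
                        "body": "<title>Example Shop</title>"},
    "api.example.com": {"status": 401, "location": None, "www_authenticate": "Bearer",
                        "body": ""},
    "monitoring.example.com": {"status": 200, "location": None, "www_authenticate": None,
                               "body": "<title>Internal Monitoring Dashboard</title>"
                                       "node 10.20.30.40 prod-app-1 error log ..."},
    "example.com": {"status": 302, "location": "https://sso.example.com/login?next=/",
                    "www_authenticate": None, "body": ""},
}


def classify_host(probe):
    """'auth-required': 401, a WWW-Authenticate challenge, or a redirect to login.
    'exposed': 200 whose title looks internal or whose body leaks private IPs.
    'public': an ordinary 200.  'other': anything else, worth a manual look."""
    status = probe["status"]
    if status == 401 or probe.get("www_authenticate"):
        return "auth-required"
    loc = (probe.get("location") or "").lower()
    if 300 <= status < 400 and any(k in loc for k in ("login", "sso", "auth")):
        return "auth-required"
    if status == 200:
        body = probe.get("body") or ""
        title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        title_text = title.group(1).lower() if title else ""
        if any(m in title_text for m in INTERNAL_MARKERS) or PRIVATE_IP_RE.search(body):
            return "exposed"
        return "public"
    return "other"


def review(hostnames, probe_results):
    """Map each discovered host to its label; hosts never probed are 'other'."""
    return {h: classify_host(probe_results[h]) if h in probe_results else "other"
            for h in hostnames}


def findings(hostnames, probe_results):
    """Hosts that need immediate attention: reachable content with no auth gate."""
    return sorted(h for h, label in review(hostnames, probe_results).items()
                  if label == "exposed")


if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CRT_RESPONSE, "example.com")
    print("would fetch:", crt_sh_query_url("example.com"))
    for host, label in review(hosts, SAMPLE_PROBE_RESULTS).items():
        print(f"{host:28} {label}")
    print("findings:", findings(hosts, SAMPLE_PROBE_RESULTS))
```

Run on a schedule against your own root domain, this turns the attacker's recon into an inventory check: every host that CT already makes public is probed, and the list of "exposed" hosts is the one to put behind SSO or an allowlist before anyone else finds it. The title markers and private-IP regex are deliberately simple; treat "other" and "public" as needing a human look rather than as clean.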

POC of my findings

Report Timeline:

  • Mon, 11 Jan 2021 - Reported to the Dunzo Security Team.

  • Mon, 11 Jan 2021 - Immediately got a response from the team.

  • Tue, 12 Jan 2021 - Issue fixed.

  • Tue, 12 Jan 2021 - Re-tested and confirmed the fix.

  • Tue, 12 Jan 2021 - Got an appreciation from the Dunzo team.
