Hi, I’m an 18yo security researcher and bug bounty hunter from Morocco. Here’s a story about how I almost took over an entire online casino’s player base out of boredom.
About a year ago, I found an online casino, (let’s call it hackedcasino.com). After gambling with fake money for an hour, I got bored and decided to hack it. Even though they didn’t have a bug bounty program, it made a great story.
Recon
I started by gathering subdomains of the website
subfinder -d hackedcasino.com -all | httpx -sc -td -location
I found 22 subdomains and used Aquatone to quickly screenshot them. Most were affiliates, investors, or admin panels requiring authentication nothing interesting. But lp.hackedcasino.com, returned a 404 page which caught my attention.
The site didn’t load any custom js so i decided to fuzz it for endpoints
ffuf -w custom.wlist -u https://lp.hackedcasino.com/FUZZ -ac -recursion -c
Account takeover
1 — Admin dashboard
There was exposed admin panel with no authentication on endpoint lp.hackedcasino.com/admin
The purpose of the dashboard is for admins to create an affiliate landing pages. When someone (like TestAffiliate) wants to join, they contact the admins, who then go to lp.hackedcasino.com/admin to create a landing page like www.hackedcasino.com/TestAffiliate.
With access to this dashboard, we can do administrative actions, such as editing, deleting, and duplicating.
2 — XSS
I tried creating a new landing page, then i discovered an input i that seemed vulnerable to XSS, i decided to test it
Visiting our newely created landing page, shows that our XSS ran successfuly, meaning we can run javascript on behalf of authenticated users visiting our landing page and extract they’re cookies
I tried editing the affiliate landing page i created and noticed each one had a numeric value, like affid=819, affid=820, affid=821. My first thought was to edit each landing page (1, 2, 3, 4… 821) to make it run custom JavaScript upon load to steal cookies. However, modifying all 821 landing pages could break some, so I stopped and decided to report it instead.
I got no response from the company, but fortunately, it looks like they’ve now implemented authentication.
I also got RCE using file upload combined with path traversal, and i could of manipulated/deleted all games on the website, but thats a story for another day.
Conclution
- Always Fuzz 404 pages
- Always dig deeper, if an admin dashboard is exposed, it means no other reasercher found it, so intresting bugs will be there
Thanks for reading