Hello, today I will share all my findings from the Sony VDP on HackerOne.
Information Disclosure Bugs
phpinfo():- Many websites were disclosing PHP configuration details through files such as "info.php, check.php, phpinfo.php, new.php, test.php". You can just run dirsearch/ffuf on all domains and check the results for any path that exposes one of these PHP files.
Phone number Disclosure through password reset:- This domain "www.sonystyle.com.cn" was disclosing phone numbers in the response to a password reset request. I only needed to enter the victim's email and the response returned their phone number, base64 encoded inside the "key" parameter value.
Rate limiting Bugs
1. OTP Bruteforce bypass:-
I found a bypass on the password reset page where the user needs to enter an OTP to set a new password. I saw that the "key" parameter value was base64 encoded, and I found a timestamp inside that base64 encoded value. This timestamp was checked by the backend to decide whether the OTP code had expired. I then replaced this timestamp with my own, which bypassed the expiry check and allowed me to bruteforce the OTP.
2. Rate limiting security feature on login page bypassed using "%20"
This website was locking accounts when I tried bruteforcing, so I added "%20" to the email parameter whenever my account got locked, and it worked. Whenever I added "%20" to my email, the rate limiting feature treated it as a different email, while the backend decoded it back to the same address.
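Both rate-limit bypasses above come down to the server trusting a client-controlled value: the expiry timestamp inside the base64 "key", and the raw email string used to count attempts. As an added example (not code from this write-up or from Sony), here is a Python sketch of the vulnerable pattern beside a hardened version: the reset key carries its timestamp under an HMAC so the client cannot edit it, and the rate-limit bucket is keyed on the canonicalised email so "%20" variants count against the same account. The secret, the 5-minute TTL and the key layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse

# Assumptions for this illustration: a server-side secret the client never
# sees, and a 5-minute OTP lifetime. Timestamps are integer seconds.
SECRET = b"constructed-server-side-secret"
OTP_TTL = 300

def make_key_insecure(email, issued_at):
    # Vulnerable pattern from the write-up: the expiry timestamp is only base64
    # encoded, so anyone holding the key can decode, edit and re-encode it.
    return base64.b64encode(json.dumps({"email": email, "ts": issued_at}).encode()).decode()

def is_expired_insecure(key, now):
    data = json.loads(base64.b64decode(key))
    return now - data["ts"] > OTP_TTL  # trusts whatever timestamp the client sent

def make_key(email, issued_at):
    # Hardened: the same payload, but bound to the server with an HMAC tag.
    payload = json.dumps({"email": email, "ts": issued_at}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(tag).decode())

def validate_key(key, now):
    """Return the email if the key is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = key.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        data = json.loads(payload)
        issued_at = int(data["ts"])
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload (including the timestamp) was altered
    if now - issued_at > OTP_TTL:
        return None  # genuinely expired; the timestamp can now be trusted
    return data["email"]

def rate_limit_key(raw_email):
    # Count attempts per canonical address, not per raw string: URL-decode,
    # drop all whitespace (invalid in an unquoted address) and lower-case.
    return "".join(urllib.parse.unquote(raw_email).split()).lower()
```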
Open Redirect:- On this domain (https://recommend-b.ebookstore.sony.jp/) I found an Open Redirect vulnerability twice, using "@" and "%3F.". For more info about these bypasses, check out this post
IDOR:- I found an IDOR vulnerability on one of the Sony domains where an attacker could update the phone number of any user by replacing the id and email in the request with those of the victim user. This was the POC request:-
Stored XSS:- I found this XSS on https://ebookstore.sony.jp/ in the search field. All searches are saved in the website's search history, and the input was not being sanitized, which led to Stored XSS.
File Upload leads to XSS:- This XSS was found in the profile image update, where I was able to upload any file type and the website returned the file location in the response. So I uploaded an HTML file with an XSS payload and shared the URL of the file in the POC.
So that was all I found on Sony.