This is a responsible disclosure write-up about a series of vulnerabilities that lead to information disclosure, a database dump, and account takeover, among others, in the systems of the popular car manufacturer AUDI.
Gathering as many subdomains of the target as possible is an important step to broaden your attack surface. The more surface one has to look for bugs, the more probable it is to find some.
The bug bounty community has focused a lot on reconnaissance over the last few years, with tools and services such as Projectdiscovery.io Chaos and Security Trails. For this phase, I decided not to spend too much time and to use tools and services that are already part of my automation, i.e.
After gathering the subdomains and filtering for the ones that respond over HTTP, the next step was to fuzz all of the hosts for “quick wins” using a custom wordlist of known vulnerability identifiers, leaks, and exposures that developers might have left misconfigured. One host caught my eye when I discovered that an SVN repository was publicly available:

The host was a portal for the target company's employees. It had a login page with additional functionality such as password change and “forgot password”. One could also register for the portal but, since it is a corporate portal, one had to request an account by providing company data.
An SVN repository serves the same purpose as a Git repository. Both SVN and Git are version control systems, with the difference that SVN is a centralized solution, unlike the distributed system Git. A repository can contain source code, sensitive information, or anything else the developers used to build the web application, and when it is served without access restrictions, all of it is publicly readable.
Extracting an SVN repository is easily done with tools such as svn-extractor. After downloading and exploring the repository, I came to the conclusion that it contained the source code for the portal, for both the authenticated and unauthenticated parts of the application. Before anything else, I used grep to catch sensitive words such as password, admin, apiKey, etc. Here I had the first “win”, with some database credentials.
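Seen from the portal owner's side, both findings above (repository metadata shipped with the site, and credentials that a keyword grep turns up) can be caught before deployment. The following is an added example, not code from the original write-up: a Python check that walks a deploy directory, reports version-control metadata directories, and flags lines where a quoted literal is assigned to one of the keywords the write-up grepped for. The function names, the keyword pattern, and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Metadata directories that must never be shipped into a web root.
VCS_DIRS = {".svn", ".git", ".hg"}
# Keywords from the write-up's grep (password, admin, apiKey), matched only when
# a quoted literal is assigned to them, to cut noise from plain mentions.
SECRET_RE = re.compile(
    r"""(?i)\b[\w.$-]*(password|passwd|admin|api_?key)[\w$-]*\s*(=>|=|:)\s*["']([^"']{4,})["']"""
)

def audit_tree(root):
    """Return (vcs_dirs, secret_hits) found under root, as paths relative to root."""
    vcs_dirs, hits = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                vcs_dirs.append(os.path.relpath(os.path.join(dirpath, d), root))
                dirnames.remove(d)  # do not descend into repository metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = SECRET_RE.search(line)
                        if m:  # record file, line number and keyword, not the value
                            rel = os.path.relpath(path, root)
                            hits.append((rel, lineno, m.group(1).lower()))
            except OSError:
                continue  # unreadable file: skip it
    return sorted(vcs_dirs), sorted(hits)

def build_sample_tree(root):
    """Constructed sample deploy directory (not data from the write-up)."""
    os.makedirs(os.path.join(root, ".svn", "pristine"))
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, ".svn", "entries"), "w") as fh:
        fh.write("12\n")
    with open(os.path.join(root, "app", "config.php"), "w") as fh:
        fh.write("<?php\n$db_password = 'EXAMPLE-ONLY';\n$title = 'Portal';\n")
    with open(os.path.join(root, "app", "login.php"), "w") as fh:
        fh.write("<?php // checks the password field\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

Run as a release gate, a non-empty result in either list should fail the build; the report deliberately omits the matched secret value so the audit log does not become a second leak.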

Although I was in the advantageous position of having the source code of the application, I decided to first test my skills of approaching a target with zero knowledge of the source code.
The blackbox testing approach resulted in multiple issues: