Microsoft bug bounty writeup

Hello folks! I’m back again with my another writeup. This writeup is about Microsoft Hall of fame that I am able to find Information Disclosure in domain of Microsoft. And I will also share my template which was released yesterday. So, without any delay let’ begin.

I performed initial recon on the Microsoft domains and gathered some sub domains. I started hunting on them. I found Cache Poisoning, Broken Auth., Jira (CVE-2020–14181), Anonymous FTP but all bugs are Not Applicable.

I moved on Xbox’s program. Then I started recon from basic. I use Google Dork. Dork: site:target.com intitle:index.of

Then I found 2 results. The first one was blank directory. And second directory was Plesk-stat. I don’t aware about this. Then I opened all directories one by one. There were visitors IP addresses, User agents, Referer websites and many more thing. Then suddenly footer caught my attention. (Generated by awstats.org) I did some research about awstat and plesk-stat.

Pleas-Stat: Plesk-stat is Log analyzer which generates advance web, streaming, ftp or mail server statistics, graphically. It can analyze log files from all major server tools like Apache log files (NCSA combined/XLF/ELF log format or common/CLF log format), WebStar, IIS (W3C log format) and a lot of other web, proxy, wap, streaming servers, mail servers and some ftp servers. [There are two reference 1) awstats and 2) webalizer.]

Then I took screenshots and make a good report and send it to Microsoft Portal. After 4 months later I got Hall of fame.

“If you are gaining something from infosec community, then it’s your duty to contribute/share your findings with community.” -th3.d1p4k

So, I thought this is unique for me and new comers. So, I decided to share with our infosec community. And I made nuclei template. Yes, it’s already released yesterday. Just update your templates.

This screenshot is educational purpose only don’t misuse it

Thank you for reading!

Instagram: th3.d1p4k

Twitter: Dipak Panchal

--

--

--

Bug hunter | CCSE

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

BNF-KTLYO Dual Yield Beta Launch

Common Vulnerabilities and Exposure Analysis w/ Python

Linkages Between Internet Standards and Internet Governance

TNB Bi-weekly Report(From July 18th to July 31st)

Bug Bounty: How to get private invites

Stake THETA to GPooL’s Guardian Node using THETA Web Wallet.

KEBAB — BNB LP is now part of PrivacySwap’s newest Vault features that assure boosted revenue

Unlocator Smart DNS + VPN ⋆ 06 Months Warranty

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
th3.d1p4k

th3.d1p4k

Bug hunter | CCSE

More from Medium

First Bug Bounty Program found CORS (Cross Origin Resource Sharing ) Misconfiguration

H1-CTF Hacky Holidays Writeup

Playing With Password Reset Function

Registrations Open for IWCON 2022 — the Online Infosec Conference & Networking Event