Open in app

Sign in

Write

Sign in

How Fuzzing Database Files Earned Me a Spot in the Hall of Fame

dkcyberz
3 min readAug 22, 2024

--

Hello Hunters,

In my previous blog, I shared how I earned a Hall of Fame (HOF) spot by fuzzing ZIP files. Today, I’m excited to share how the same fuzzing method helped me uncover another significant vulnerability — this time involving database files. If there’s one thing I’ve learned, it’s that fuzzing is a hacker’s best friend, and this story proves it yet again.

The Fuzzing Process

Fuzzing is an incredibly versatile technique, and in this case, I applied it to enumerate database files on a target website. Here’s how I did it.

Wordlist

To begin, I use my wordlist designed specifically for finding hidden database files.

Wordlist: https://github.com/dkcyberz/Harpy/blob/main/Hidden/database.txt

Fuzzing

I used the following command with the ffuf tool to start fuzzing the target website:

ffuf -u https://redacted.com/FUZZ -w database.txt

This command started the process of searching for any exposed database files on the website.

The Discovery

It didn’t take long,I found something interesting — a database file weighing in at 127 MB. I knew this could be significant, so I quickly reported it to Bugcrowd.

Since this was a Vulnerability Disclosure Program (VDP) site, I initially didn’t dig too deeply into the contents, as I didn’t want to do more than necessary to achieve a Hall of Fame recognition.

However, Bugcrowd’s triage team reached out, indicating they needed more information to fully understand the impact of this discovery. They even created a blocker.

The Analysis

I decided to dive deeper. After three hours of analysis, I found that the 127 MB file contained a sensitive information's:

  • Numerous email addresses
  • Hashed passwords
  • Names associated with specific designations

This information was clearly sensitive.

The Response

After submitting my detailed findings, after a day Bugcrowd Client team quickly responded, acknowledging the significance of the discovery. Here’s a snippet of their response:

This response was the confirmation I needed to know that my efforts were valued.

I earned my place in the Hall of Fame once again. . Fuzzing may seem like a simple technique, but when used correctly, it can lead to significant findings. Fuzzing is more than just a technique — it’s a gateway to discovering hidden vulnerabilities that could otherwise remain unnoticed. Whether it’s ZIP files, databases, or any other type of hidden file, fuzzing provides a way to uncover the most sensitive data that websites often leave exposed.

To all the hunters out there: keep fuzzing, keep digging.

Happy hunting! 🐞🔍

--

--

dkcyberz
dkcyberz

Written by dkcyberz

212 Followers
1 Following

Hi, I am dkcyberz, I provide a valuable cybersecurity content, bug bounty tips, training, and awareness, to the latest vulnerabilities and threats from A to Z.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams