Blog 3: My First Bug and a new LinkedIn Friend

I am an avid LinkedIn reader. I find opportunities, enjoy supporting people and applauding their successes, and learn more about their journeys so I can connect better with my juniors, peers & seniors.

During one such scrolling session in the latter half of 2021, I found Piyush Singh’s post on his new project, a Quiz App built with TypeScript. It was a beginner’s web app for a quiz on our favourite superheroes and other fictional characters!

Live Link: https://quiz-1997.netlify.app/

Eager to find out how I would score with my limited knowledge of superheroes and animated characters, I went to the project’s deployed live link (https://quiz-1997.netlify.app/).

While logging in as a guest, I discovered that the guest login was implemented with default credentials. This set my curious mind into pentesting mode.

Expected response: the default credentials stay hidden and can never be seen by the user; the guest login simply takes place.

Discovered response (bug and steps to replicate it):

  1. When “Login as Guest” is chosen, there is a brief window during which the credentials can be seen in the page’s HTML itself via “Inspect Element”.
  2. When erroneous login credentials are provided, the login page gets stuck after notifying the user of the error. If the user then presses “Login as guest” (the button’s label is replaced by a spinner that revolves forever!), the default credentials appear in the text boxes, giving the user ample time to read them with Inspect Element.

Severity: Low impact (due to the nature of the Quiz app)

POC of the bug

I commented on his post about my findings and he was eager to connect with me. After we discussed it over LinkedIn messages, he thanked me for my careful interaction with his project and set about patching it.

So, this is how an inquisitive mind led me to a new LinkedIn friend!

“We work in the dark to serve the light, we are the Hackers!”

Seeking Red Team & Penetration testing roles; Looking for C++ & Python Projects; Working & Learning on TryHackMe rooms; CSE Undergrad @ IIIT-Bhubaneswar

Atrik Ray