How i Hacked BASF Company !!

Hi

its Murtada Kamil a security researcher from Iraq

I would like to share with you my bug that I found in BASF through their bug bounty program

During my recent bug bounty hunt, I came across a critical and yet simple vulnerability.

First i search for subdomains of the company using Virustotal

there is a subdomain which get my attention

i click on this site to see what is there

and b000m

so i can access to the admin panel without any authentication and i am able to edit, remove and upload anything

The comapny fixed this bug by secured it by Mobile OTP OR RSA Token

Time Line:

30/3/2018 Report Sent

02/04/2018 Triaged

17/5/2018 Listed in hall of fame

10/10/2019 Report disclosure

Thanks for reading

• Security
• Bug Bounty
• Infosec
• Infosecurity