It was on the 2nd of November 2020 when I heard about the newly created fan website for the late actor Sushant Singh Rajput, from a tweet made by one of his fans on Twitter.
Being a fan of Sushant Singh Rajput, I was thrilled to check out the website myself. The website stores his memories, achievements, timelines, and photos, along with his story.
I visited the website ssrspace.com and started scrolling through it. It was beautifully designed and well presented; all the information was collected, stored and presented in a great way.
It was then that I thought of checking the website for vulnerabilities: as the website was newly created, hackers and pentesters had not had much time to test it for vulnerabilities.
I turned on my laptop, fired up the Chrome browser and visited the website ssrspace.com.
I went to the URL https://www.ssrspace.com/admin/ and, to my surprise, found the admin panel. Most websites keep their admin panel hidden to avoid security risks, but in this case the admin panel was easily accessible by anyone on the internet.
I tried injecting SQL injection payloads in the username and password fields and hit enter. There was no CAPTCHA and no input sanitization to prevent SQL injection, so the SQL injection attack was successful.
I successfully logged in to the admin panel, which meant I could now edit the site, add text elements and pictures, and modify the site in whatever way I wished.
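The login flaw described above, as an added example that is not code from ssrspace.com (the post does not describe its backend): a login check in Python against an in-memory SQLite table constructed for the demonstration, first written by string concatenation so that a crafted username is parsed as SQL, then with bound parameters so the same input is treated as plain text. The table name, column names, credentials and the `CRAFTED` input are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (assumed schema, not the site's real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real code stores a hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by concatenation: user input becomes part of the SQL text."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same check with placeholders: the driver binds the values, so the
    input can never change the structure of the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Assumed attacker-style input of the textbook kind; it closes the quoted
# literal and appends an always-true condition when concatenated.
CRAFTED = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, crafted input  :", login_vulnerable(db, CRAFTED, CRAFTED))
    print("parameterized, crafted input:", login_parameterized(db, CRAFTED, CRAFTED))
    print("parameterized, real creds   :", login_parameterized(db, "admin", "correct-horse"))
```

The parameterized version is the fix the post's "no input sanitization" points at: validating or escaping input is fragile, whereas bound parameters remove the possibility of the input being interpreted as SQL at all. Rate limiting or a CAPTCHA on the login form, which the post also notes was missing, is a separate control against password guessing rather than injection.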
But I didn't misuse the admin access to the website; I wrote an email to the real admin of the website and attached a POC (proof of concept) video.
The admin replied to my email, acknowledged my report of the bug, and fixed it.
Later I found a couple of low-risk security bugs in the website; I informed the admin about them through email and she fixed them.
Soon after reporting the bug, the fan-made website was also featured on several media sites.
Thanks for reading. Have a nice day.