Write
OneWriteup
  • Login
  • Register
  • Trending
  • Articles
  • Blog
  • Tutorials
  • News
  • Research
  • Top 10 Lists
  • Case Studies
  • Writeup
  • Interviews
  • Personal Stories
  • Infographics
No Result
View All Result
  • Trending
  • Articles
  • Blog
  • Tutorials
  • News
  • Research
  • Top 10 Lists
  • Case Studies
  • Writeup
  • Interviews
  • Personal Stories
  • Infographics
No Result
View All Result
OneWriteup
No Result
View All Result

How to Strategically ElevatingP4 a Minor P4 Bug to P3 Priority.

Mukesh Bhatt by Mukesh Bhatt
August 26, 2024
Reading Time: 4 mins read
18
0
Share on FacebookShare on Twitter

Introduction:

Hello bug hunters!!! Have you ever found a bug in 20 mins? maybe of you might have achieved it, but generally finding a P4 level bug for a good rewarding platform isn’t easy, even if you find it you face a lot of Duplicates, and the patience required to find an extremely good vulnerability takes all blood, sweat and the most precious time. sometimes it annoys but today this article will not just tell you how to find a good shiny, very less known vulnerability by which you can even dodge duplicates, by exploiting that bug even more.

First things first! what’s a P4 bug?

As I’m writing this Article keeping the beginners in mind, so it’s important to explain with the basic to clear each and every problem which arises in their mind! usually we use these “P” series of denotations to explain the severity of the bug, in some bug bounty platforms we can even see just a simple table, going from low to critical.

 

where this P4 bug may vary from low to medium which depends on the impact of that bug for the particular scope, so where does this “P” series come in limelight? so, it’s bugcrowd platform, which is one of the major, globally recognized bug management programs, which allows Security researchers to find bugs for their customers (which are generally Large MNC’s or Organizations who want to check for the bugs in their systems). so, what’s the “P” series all about: –

  • P1 – Critical (Bounty varies from $1k-$5k, even more in some cases)
  • P2 – High (up to $800)
  • P3 – medium (up to $500)
  • P4 – low (up to $200)
  • P5 – Informational (mostly bounty is not paid for this)

note :- this is a general scale for bounty rewarded by programs, it may vary program to program.

To know more about Bugcrowd’s Vulnerability Rating Taxonomy (VRT), in easy word to know about what bug lies in which severity you may read this: – Bugcrowd’s Vulnerability Rating Taxonomy – Bugcrowd

The easiest bug: Metadata not stripped from images!!!P4

If you don’t know, or even if you know, sometime when you click photos from your phone, it saves some of the data, for example date, time, camera name, camera setting and many more device settings like camera and picture details, which isn’t really is a concern. But main role for this vulnerability comes from Location. your images sometime record the co-ordinates of your location which can easily tell where the photo is taken. sometimes it is so private that it can’t be shared to others. but is it all about the impact of this P4 bug? well no!!!

Impact of this bug(technically): –

As we’ve discussed about the impact of this P4 bug on one’s privacy, but it is not all about this bug. if any web application or software is not stripping this data an attacker can even perform XSS (cross site scripting) attack or even it can let any attacker perform RCE (Remote Code execution), well! you might be wondering how is this possible with this kind of easy P4 bug? but yes! don’t worry I’ll share some articles which will make you believe so.

How to find this bug: –

So, it’s really easy, here are the steps: –

  • go to any website/scope.
  • register or log in
  • go to profile
  • see for the profile picture option
  • exif-samples/jpg at master · ianare/exif-samples · GitHub – download any image from here containing location data.
  • go to jimpl or any tool like exiftool, test your image if it has geo location and other metadata.
  • Now upload this image into the profile picture.
  • after the image is uploaded, do right click and download it from there.
  • put the downloaded image into the jimpl, and check for same metadata (Location is compulsory).
  • Hurray!!! you have find the bug.

disclosed Hackerone report for reference of this bug: –

Reddit | Report #1069039 – GPS metadata preserved when converting HEIF to PNG | HackerOne

Note: – there are chances of this bug getting Duplicated, but don’t worry here’s how you can update this P4 into P3 or even more severe: –

How to upgrade the severity of this P4 bug by exploiting it: –

here are some articles you may prefer: –

For XSS: –

Leveraging ExifTool to Modify File Metadata and Inject XSS | by Vincent ie | MII Cyber Security Consulting Services | Medium

 

For RCE: – (Highly recommended)

Remote Code Execution via Exif Data- I’m Dangerous | by Jerry Shah (Jerry) | Medium

ADVERTISEMENT

 

Happy Hacking 😉

Thank you for reading till last😊, hope you got to learn something from this, for getting more article similar to this topic you can stay tuned. If you’re interested in knowing more about such topics you can read about AI Taking Jobs!!!

ADVERTISEMENT
Mukesh Bhatt

Mukesh Bhatt

Cybersecurity Enthusiast, delving deep into the field of cybersecurity. learning and sharing knowledge gained through deep research and curiosity.

Recently Posted

HOW To BECOME AN ETHICAL HACKER ROADMAP

Free Cybersecurity Roadmap for Ethical Hacking Career in 2025

November 15, 2024
706
Top 4 Cyber attacks Commonly used for Hacking Websites!

Top 4 Cyber attacks Commonly used for Hacking Websites!

November 9, 2024
164
How to use bloodhound tool for pentesting

How to use Bloodhound / Sharphound for Pentesting Active Directory?

November 6, 2024
465
Pass The Hash

How to perform Pass The Hash Attack on Active Directory in 2024?

November 2, 2024
147
Load More

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

ADVERTISEMENT

Recommended

How to Strategically ElevatingP4 a Minor P4 Bug to P3 Priority.

How to Strategically ElevatingP4 a Minor P4 Bug to P3 Priority.

August 26, 2024
137
top 24 open source security tools of 2024

Top 24 Open-Source Security Tools to Boost Your Cyber Defense in 2024

September 13, 2024
139

Popular Story

  • Termux-top-10-most-powerful-tools

    Termux Top 10 Most Powerful Tools in 2024

    277 shares
    Share 111 Tweet 69
  • Download the Top 100 Free Cybersecurity Courses, Resources, and Study Materials for 2024

    744 shares
    Share 298 Tweet 186
  • How to use Bloodhound / Sharphound for Pentesting Active Directory?

    84 shares
    Share 34 Tweet 21
  • Merklemap: The Best Subdomain Search Engine for Comprehensive Online Discovery

    40 shares
    Share 16 Tweet 10
  • How To Setup Cybersecurity HomeLab for Red Team and Blue Team?

    156 shares
    Share 62 Tweet 39
ADVERTISEMENT
OneWriteup

Discover expert cybersecurity articles, tutorials, and the latest trends to protect your digital world.

  • OneWriteup Labs
  • About Us
  • Feedback
  • Contact Us
  • Report
  • Privacy Policy
  • Community Guidelines
  • Terms Of Service

© 2024 OneWriteup

No Result
View All Result
  • Trending
  • Articles
  • News
  • Blog
  • Tutorials
  • Research
  • Top 10 Lists
  • Case Studies
  • Interviews
  • Login
  • Sign Up

© 2024 OneWriteup

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In