How I got thousands of users' PII in 5 min

Hi friends,

I hope you are all doing well🤟.

What is PII??

Personally Identifiable Information (PII) is a legal term pertaining to information security environments. While PII has several formal definitions, generally speaking, it is information that can be used by organizations on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Non-sensitive PII can be transmitted in unsecure form without causing harm to an individual. Sensitive PII must be transmitted and stored in secure form, for example, using encryption, because it could cause harm to an individual, if disclosed.

Organizations use the concept of PII to understand which data they store, process and manage that identifies people and may carry additional responsibility, security requirements, and in some cases legal or compliance requirements.

Reference: https://www.imperva.com/learn/data-security/personally-identifiable-information-pii

As I was scrolling through some govt websites to get some easy bugs, I found a municipality website (redacted.com). The first thing I did was check my Wappalyzer extension to get some idea about the software and frameworks the website is using, and then I started the usual brute-forcing of directories. After 2–3 minutes I got some results, but they were not that useful.

So after that I started looking at the website's functionality. I saw a complaint box where you can submit a complaint with your name, mobile_no and email_id. So I filled in that form and got a complaint id, e.g. 12345678945.

There was another option to see the complaint status, so I entered my complaint id and I was able to see all the information, including my name, mobile_no and email_id. Whattt😲??

I fired up my Burp Suite, sent the request to Intruder, and by changing the last 4 digits (as there was no rate limiting) I was able to retrieve 1000s of users' PII🎉🎉.
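One way the complaint-status lookup could be built so that guessing IDs returns nothing (an added example, not code from the original post or the affected site; the function names, in-memory store and limit values are assumptions). It combines a random reference, proof of ownership, masked output and the rate limit that was missing:

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory store standing in for the site's complaint table.
COMPLAINTS = {}
_ATTEMPTS = defaultdict(deque)  # client key -> timestamps of recent lookups
MAX_LOOKUPS, WINDOW_SECONDS = 5, 60  # assumed limits


def create_complaint(name, mobile_no, email_id, text):
    """Store a complaint under a random, non-sequential reference."""
    ref = secrets.token_urlsafe(16)  # 128 random bits, unlike 12345678945
    COMPLAINTS[ref] = {"name": name, "mobile_no": mobile_no,
                       "email_id": email_id, "text": text, "status": "open"}
    return ref


def _rate_limited(client, now):
    """Sliding-window limit on lookups per client (IP, session, ...)."""
    hits = _ATTEMPTS[client]
    while hits and now - hits[0] >= WINDOW_SECONDS:
        hits.popleft()
    if len(hits) >= MAX_LOOKUPS:
        return True
    hits.append(now)  # failed lookups count toward the limit too
    return False


def _mask(value, keep=2):
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def complaint_status(client, ref, mobile_no, now=None):
    """Return (http_status, body); the caller must prove ownership."""
    now = time.monotonic() if now is None else now
    if _rate_limited(client, now):
        return 429, {"error": "too many requests"}
    record = COMPLAINTS.get(ref)
    # Same 404 for an unknown reference and a wrong mobile number, so the
    # response never confirms which references exist.
    if record is None or not hmac.compare_digest(
            record["mobile_no"].encode(), mobile_no.encode()):
        return 404, {"error": "not found"}
    # Status only, contact details masked: the owner already knows them.
    return 200, {"status": record["status"],
                 "mobile_no": _mask(record["mobile_no"])}
```
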

I hope you guys learn something from it, and if so, give it a nice clap.

Thank you!! Keep hacking✌️…
