Skip to main content
  1. Security/

Exposed S3 Credentials of QuadX

·2 mins· loading · loading ·
quadx vdp hardcoded credentials
Christian Angel
Christian Angel
I found a exposed sensitive credential in the website and was able to access the Amazon S3 Bucket of Paylink, One of the digital platforms of QuadX. This allowed me to retrieve, upload and remove all files in the S3 Bucket.

Static Analysis

Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program.

In this post we will look for sensitive information stored in the website like passwords, API keys etc.

Find Javascript Files

There are multiple ways to gather Javascript files in the target website, In this post i will share it to you.

Download the Javascript File

Beautify the file

npm install js-beautify

You can Use any Javascript beautifier, Once you install js-beautify run the following command to Beautify the Javascript File.

js-beautify paylink.js > paylink-clean.js

Now, Open your Favorite Text Editor and Start Finding the needle in the haystack.

Check the credentials using aws-cli

pip install awscli

Using the credentials gathered via awscli

Few Minutes after Submitting, QuadX Immediately Addressed the Issue and the Vulnerability was Fixed Few Hours Later, Giving the Points i needed to Top the Leaderboards at Secuna.

Kudos to QUADX for being transparent about the remediation timeline, I love the fast Response ❤️ ❤️ and to Secuna thank you so much for building this Awesome Cyber Security Testing Platform.

Did you Learn Something? Share this! #sharingiscaring