Skip to main content

Posts

Showing posts from August, 2018

How I got access to Fastly account of dev.to

Hey Mates, Hope you all are Good, This is my first write-up about how i gain access to a company's(dev.to) fastly account.  One Day I got email that dev.to is going to open source on Github.
Previously I've found a critical account takeover bug in dev.to via stored XSS and get rewarded(Write-up later), Since I have account in dev.to that's why I receive this mail.
Now Let's get started. Now I was damn sure that there is something that the developer's missed while making dev.to project open source in Github, first i visited their Github project at https://github.com/thepracticaldev and start searching manually for secret key's, private key's and Api key's, When searching for Api key I encountered with cache_buster.rb which is leaking the fastly Api key like this.
with(headers: { "Fastly-Key" => "k15177t3dctdg27138b03c737688c84g" })
Dont't waste your time this is not an exact fastly api key let's move on.
Now it's time for fastl…