EXIF Geo Data Not Stripped

Summary:

When a user uploads an image to example.com, the uploaded image's EXIF geolocation data is not stripped. As a result, anyone can obtain sensitive information about example.com users, such as their geolocation and device information (device name, version, software and software version used, etc.).

Steps to reproduce:

  2. There are a lot of images with different resolutions (e.g. 1280 * 720) and different sizes in MB.
  3. Go to the Upload option on the website.
  4. Upload the image.
  5. See the path of the uploaded image (either right-click the image and copy the image address, or right-click, inspect the image and take the URL shown in the inspector; edit it as HTML).
  7. See whether it is still showing EXIF data; if it is, report it.
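
The server-side counterpart of the check above, as an added example that is not part of the original page: it walks the JPEG header segments, reports whether the Exif block carries a GPSInfo pointer, and removes Exif APP1 segments before the file is stored. The function names and `sample_jpeg` (constructed test input) are hypothetical, and it assumes a well-formed JPEG with Exif in APP1 only; XMP and other metadata containers are not handled.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"   # identifier at the start of an Exif APP1 payload
GPS_IFD_TAG = 0x8825            # GPSInfo pointer tag in IFD0 (Exif standard)

def _segments(jpeg):
    """Yield (marker, start, end) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:      # start of scan: compressed image data follows
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def has_gps(jpeg):
    """True if an APP1 Exif segment's IFD0 contains a GPSInfo pointer."""
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[6:]                              # TIFF structure after the Exif id
        order = "<" if tiff[:2] == b"II" else ">"    # II = little endian, MM = big endian
        (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
        (count,) = struct.unpack_from(order + "H", tiff, ifd0)
        for i in range(count):                       # IFD entries are 12 bytes each
            (tag,) = struct.unpack_from(order + "H", tiff, ifd0 + 2 + 12 * i)
            if tag == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG bytes with every APP1 Exif segment removed."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            out += jpeg[last:start]                  # keep everything before the segment
            last = end                               # skip the Exif segment itself
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed input: SOI, APP1 Exif whose IFD0 holds a GPSInfo pointer, SOS, EOI."""
    tiff = b"II*\x00" + struct.pack("<IH", 8, 1)     # TIFF header, IFD0 at 8, one entry
    tiff += struct.pack("<HHIIIH", GPS_IFD_TAG, 4, 1, 26, 0, 0)  # entry, next IFD, GPS IFD
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Running `has_gps` on the stored file after `strip_exif` gives an upload pipeline a regression test for this issue.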

Reports (Hackerone)

Author