Privacy Issues

Print out my secret

Hi, I faced a situation like this. When I went to a travel agency, they gave me a lot of printed pages. I noticed that the full URL was printed at the bottom of each page, next to the pagination.

Something like this:

http://internal.company.com/path1/path2/test.jsp?id=123456

It is an internal domain name that was not visible on Google before. Analyzing the URL, I think that there may be more than one vulnerability here.

Let's try to access the test.jsp file directly. There may also be an authentication vulnerability here. We may also find an IDOR vulnerability if we assume that the output contains information about you. Otherwise, a valid session could be captured in the URL.

Should this be fixed, or is it completely the end users' problem? It is simple to fix. I did a little research on the window.print function. It looks like we can remove this information from the footer with the following CSS code.

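@media print {
  /* Browsers draw their print header/footer (URL, title, page number)
     in the page margin; with no margin there is no room for them. */
  @page { margin: 0; }
  /* Put whitespace back around the content itself. */
  body { margin: 1.6cm; }
}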

In this case, it is obvious that there are confidentiality problems with the default usage of window.print.

Deleted my account. Really!!!

I wanted to write something about the "delete my account" function in web applications. This feature is not used in most web applications, and I do not know why.

What can we do if there is no such function? Let's say we have uploaded files or performed database operations in the application, and one day I say "okay, I am leaving". What exactly will happen to this data?

I first sent an e-mail to the company asking them to completely delete my user from the system. If you are an enterprise user, they delete your user quickly.

What if it's not deleted? I think the following items can help.

Let's say the web application has a file upload area. We upload a file in any format there, and its content includes personal information. After our user has been deleted, I try to access this file as another user. If the file is still accessible, this is a distressing situation.

For example: example.com/user/evren/file/1234567890.pdf

If you are using an interactive application, you should no longer see data such as private messages between two users, comments in forums, etc.

If it can be done, the third-party permissions that we gave to the application must be deleted automatically.

This list can be extended. The point I want to draw attention to here is that we cannot delete ourselves from the internet. You can consider it for your own privacy and use it as a pentest / bug bounty trick.
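A regression check for the items listed above, as an added example that is not part of the original post: it deletes a user and reports any files, messages or third-party grants still stored for an account that no longer exists. The schema, table names and sample rows are constructed for illustration (only the file path comes from the text), and it models database records only, so the uploaded file itself must also be removed from storage.

```python
import sqlite3

# Hypothetical schema: every table that holds user data points back at users.
SCHEMA = """
CREATE TABLE users(name TEXT PRIMARY KEY);
CREATE TABLE files(path TEXT, owner TEXT REFERENCES users(name) ON DELETE CASCADE);
CREATE TABLE messages(sender TEXT REFERENCES users(name) ON DELETE CASCADE, body TEXT);
CREATE TABLE grants(grantee TEXT REFERENCES users(name) ON DELETE CASCADE, app TEXT);
"""
# Constructed sample rows.
ROWS = [
    ("users", ("evren",)), ("users", ("other",)),
    ("files", ("/user/evren/file/1234567890.pdf", "evren")),
    ("files", ("/user/other/file/1.pdf", "other")),
    ("messages", ("evren", "private message")),
    ("grants", ("evren", "third-party-app")),
]

def make_db(enforce_cascade):
    """Build the sample database, with or without foreign-key enforcement."""
    db = sqlite3.connect(":memory:")
    # SQLite ignores ON DELETE CASCADE unless foreign keys are switched on.
    db.execute(f"PRAGMA foreign_keys = {'ON' if enforce_cascade else 'OFF'}")
    db.executescript(SCHEMA)
    for table, row in ROWS:
        db.execute(f"INSERT INTO {table} VALUES ({','.join('?' * len(row))})", row)
    return db

def delete_account(db, name):
    """The 'delete my account' action: remove the user record."""
    db.execute("DELETE FROM users WHERE name = ?", (name,))

def residual_data(db):
    """Return rows, per table, whose owner no longer exists in users."""
    checks = {"files": ("owner", "path"), "messages": ("sender", "body"),
              "grants": ("grantee", "app")}
    leftovers = {}
    for table, (owner_col, shown_col) in checks.items():
        rows = db.execute(
            f"SELECT {shown_col} FROM {table} "
            f"WHERE {owner_col} NOT IN (SELECT name FROM users)").fetchall()
        if rows:
            leftovers[table] = [r[0] for r in rows]
    return leftovers
```

Without enforcement the deleted user's file, message and grant are all reported as leftovers; with cascading deletes enabled the report is empty and the other user's data is untouched.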

EOF

Thanks to @A_Burak_Gokalp