I have just started looking at the public programs after doing a lot of self study.
I have found a subdomain which is protected as you get a 403 when you try to access it.
By altering the request, I seem to be able to bypass this protection, as I'm able to access the site behind it.
However, the site behind this request is a Confluence page which asks for a login.
I'm not sure if this is enough to report as a bug.
Obviously the initial protection can be bypassed, which you could label as “Server security misconfiguration”. This might be because they only want this site to be accessible from within their networks or something.
And getting to the login form would allow me to start brute-forcing credentials; I haven't checked if they have enabled captcha protection, as I don't want to interrupt their users' work.
There doesn’t seem to be anonymous access to any content, and the version isn’t vulnerable to CVE-2019-3396.
So is this enough to report?
I don't imagine it to be a high priority, but it would still mark the first bug I found if it's accepted.
The only next step I can think of to go further is to find out what triggers the security check (whether it's a required header, a specific host value, a cookie, …); however, this would only help me circumvent the initial protection and wouldn't increase the criticality of this, in my opinion.
Looking forward to your feedback.