
Security Spotlight: When a Directory Listing Becomes a Gateway to Major Vulnerabilities

Source: How a simple Directory Listing leads to PII Data Leakage, Remote Code Execution and many more vulnerabilities on a HR management subdomain by Aayush Vishnoi (Medium, May 7, 2023)

A seemingly harmless subdomain with directory listing enabled exposed employee images. Upon deeper inspection, this same endpoint revealed a trove of PII, unprotected admin access, stored XSS vulnerabilities, and—ultimately—remote code execution (RCE).

Deep Dive: The Exploitation Chain

  1. Reconnaissance & Directory Listing

  • Recon began with Subfinder, Amass, Assetfinder, followed by HTTP probing.

  • One subdomain stood out: the page showed “Index of /”. Classic sign of directory listing enabled.

  • Inside /uploads, the researcher found hundreds of employee images. At first glance harmless, but it suggested sensitive files might also be exposed.

Quick Tip: To find directory listing with minimal effort, gather all subdomains using every technique available, run httpx with the -title and -sc flags, and look for page titles such as “Index of /” or “Index of”.

  2. PII Exposure via Team Hierarchy

  • By manually trimming the URL (/uploads/teamlevel), a new page appeared.

  • This page wasn’t just public—it contained names, roles, email addresses, phone numbers, and hobbies of employees.

  • What began as “images of staff” now became a full directory of private employee information.

  3. Unauthenticated Dashboard Access

  • Using fuzzing tools like ffuf, the researcher uncovered /hrms, a login portal.

  • Shockingly, logging in required only an employee email address—no password validation.

  • This flaw turned the PII exposure into a direct gateway into the company’s HR management system.

  4. Stored XSS Injection

  • Inside the dashboard, employees could edit personal details.

  • A malicious payload (<img src=x onerror=prompt()>) inserted into an input field persisted in the system.

  • Every time an admin or HR viewed that profile, the payload executed → a stored XSS that could hijack sessions or steal credentials.

  5. File Upload to Remote Code Execution

  • The dashboard also allowed uploading profile images.

  • By uploading a PHP file disguised as a JPG, the researcher bypassed weak file validation.

  • Since directory listing was active, finding and executing the uploaded script was trivial.

  • Visiting the PHP shell in the browser gave remote code execution on the server; full control was achieved.

Security Patch Fix:

  • Disable Directory Listing → Turn off auto-indexing on the web server to prevent exposure of internal files.

  • Protect Sensitive Endpoints → Enforce authentication and role-based access controls for all employee- and HR-related pages.

  • Secure Input Handling → Apply strict server-side validation and output encoding to eliminate stored XSS.

  • Harden File Uploads → Restrict allowed file types, validate MIME types, scan uploads, and store them outside the web root.

  • Apply Least Privilege → Ensure uploaded files cannot be executed directly from public directories.

  • Conduct Continuous Testing → Regular penetration tests and code reviews to catch chained vulnerabilities early.
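As an added example (not code from the original write-up or from the affected HRMS), this Python upload handler applies the “Harden File Uploads” and “Apply Least Privilege” items above to the exact bypass in step 5: a PHP file renamed to .jpg. The function names, the JPEG/PNG allowlist, the 2 MiB cap and the script-marker check are assumptions for illustration.

```python
import os
import secrets
from pathlib import Path

# Allowed extensions and the file signatures (magic bytes) each must carry.
# Assumption: the HRMS accepts only JPEG and PNG profile images.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB cap for a profile image


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension if the upload is an acceptable image,
    otherwise raise ValueError. Checks the extension allowlist, double
    extensions, size, and that the bytes really start with an image signature
    (so 'shell.php' saved as 'shell.jpg' is rejected on content, not name)."""
    name = os.path.basename(filename)          # drop any path components
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:        # rejects "shell.php.jpg" and ".jpg"
        raise ValueError("filename must be name.ext with exactly one extension")
    ext = "." + parts[1]
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext} not allowed")
    if not data or len(data) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise ValueError("content does not match an image signature")
    if b"<?php" in data or b"<?=" in data:
        # A JPEG/PHP polyglot still has a valid image header; reject obvious
        # script markers as a heuristic second layer (assumed policy).
        raise ValueError("embedded script marker found")
    return ext


def store_upload(filename: str, data: bytes, storage_dir: Path) -> Path:
    """Write a validated upload under a random, server-chosen name inside a
    directory outside the web root, so it can never be requested (or listed)
    directly and the original filename is never reused."""
    ext = validate_image_upload(filename, data)
    dest = storage_dir / (secrets.token_hex(16) + ext)
    storage_dir.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    os.chmod(dest, 0o640)  # not executable, not world-readable
    return dest
```

Images are then served through an application route that reads from storage_dir and sets an image Content-Type, never by a direct URL into the upload folder.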

We look forward to sharing more insights in our next newsletter!

Share your findings, learn from others, and grow with the community 💛

from Gamkers Team

- Balaji R

New here? Check our Discord Community and Instagram Buddy!