Hi! I’m Aftab Raja, a cybersecurity enthusiast and bug bounty hunter. I specialize in web application security, subdomain enumeration, and advanced vulnerability chaining. In this article, I’ll walk you through one of my recent findings where I exploited a Cisco VPN endpoint to achieve both path traversal and stored XSS, starting from basic subdomain enumeration.
Like most of my bounty hunting journeys, it started with subdomain enumeration. I used tools like:
subfinder -d target.com -silent > subs.txt
assetfinder --subs-only target.com >> subs.txt
amass enum -passive -d target.com >> subs.txt
sort -u subs.txt > all_subs.txt
cat all_subs.txt | httpx -silent > live.txt
cat live.txt | grep vpn
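The pipeline above relies on `sort -u` to merge the three tool outputs, but passive sources often emit the same host in different case, with a trailing dot, as a wildcard entry, or as an out-of-scope host that merely contains the target name. The script below is an added example (not from the original post or any of the tools mentioned) that normalizes and scope-checks a merged list before the `httpx` step; the sample tool output embedded in it is constructed, and the `target.com` root is the placeholder used in the post.

```python
"""Merge, normalize and scope-check subdomain output from several tools.

Added example, not part of the original write-up. It assumes the tool
outputs have been collected into plain text (one host per line), as in
the subs.txt step above; here the input is constructed inline so the
script runs offline.
"""
import re
from typing import Iterable

# Constructed sample output imitating what subfinder/assetfinder/amass
# can emit: mixed case, a trailing dot, a wildcard entry, blank lines,
# a look-alike host outside the scope, and a host that only ends in the
# same characters as the root.
SAMPLE_OUTPUT = """\
VPN.target.com
vpn.target.com.
*.dev.target.com
mail.target.com

api.target.com
target.com.evil-lookalike.net
notarget.com
www.target.com
"""

# RFC-1035-style hostname check after normalization (lowercase only).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize(name: str) -> str:
    """Lowercase, trim whitespace, drop a leading '*.' and a trailing dot."""
    name = name.strip().lower()
    if name.startswith("*."):
        name = name[2:]
    return name.rstrip(".")


def in_scope(name: str, root: str) -> bool:
    """True only for the root itself or a proper subdomain of it.

    The leading dot in the suffix check is what keeps 'notarget.com'
    and 'target.com.evil-lookalike.net' out of the result.
    """
    root = normalize(root)
    return name == root or name.endswith("." + root)


def merge_subdomains(lines: Iterable[str], root: str) -> list[str]:
    """Deduplicated, sorted, in-scope hostnames from raw tool output."""
    seen: set[str] = set()
    for raw in lines:
        host = normalize(raw)
        if not host or not HOSTNAME_RE.match(host):
            continue  # blank line or not a hostname at all
        if not in_scope(host, root):
            continue  # passive sources frequently return out-of-scope hosts
        seen.add(host)
    return sorted(seen)


def filter_keyword(hosts: Iterable[str], keyword: str) -> list[str]:
    """Equivalent of the 'grep vpn' step, applied to the cleaned list."""
    keyword = keyword.lower()
    return [h for h in hosts if keyword in h]


if __name__ == "__main__":
    hosts = merge_subdomains(SAMPLE_OUTPUT.splitlines(), "target.com")
    print("\n".join(hosts))
    print("keyword matches:", filter_keyword(hosts, "vpn"))
```

Feeding the cleaned list to `httpx` instead of the raw `sort -u` output avoids probing hosts the program scope does not cover and collapses duplicates that differ only in case or a trailing dot.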
Among the results, one interesting subdomain caught my attention:
vpn.target.com
The response title suggested it was a Cisco VPN login portal.
After browsing the VPN subdomain, I noticed some unique Cisco-related URL patterns such as:
https://vpn.target.com/+CSCOE+/saml/sp/acs?tgname=a
This hinted at Cisco Secure Client (AnyConnect) using SAML for authentication.
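The `/+CSCOE+/` prefix is a convenient anchor for monitoring on the defending side, because legitimate portal traffic under it is highly regular. The script below is an added example (not from the original post and not a Cisco signature) that scans combined-format access logs for requests under that prefix whose decoded path or query values contain directory-traversal sequences or HTML/script markup, the two indicator classes relevant to the findings the post goes on to describe. The log lines are constructed; the `lang` query parameter in one of them is a hypothetical name chosen for the sample, not a parameter taken from the product.

```python
"""Flag traversal and markup indicators in requests to '/+CSCOE+/' paths.

Added example, not part of the original write-up and not a vendor
signature. Assumes combined-format access logs from a reverse proxy
or load balancer in front of the VPN portal. The sample lines below
are constructed; 'lang' is a hypothetical parameter name.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (combined log format).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:10:00:01 +0000] "GET /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:00:03 +0000] "GET /+CSCOE+/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:10:00:04 +0000] "GET /+CSCOE+/logon.html?lang=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.5 - - [10/May/2024:10:00:05 +0000] "GET /images/logo.png?x=..%2F..%2F HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

PORTAL_PREFIX = "/+CSCOE+/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)
# '..' as its own path segment, with either separator.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Opening tag, javascript: scheme, or an inline event-handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(url: str) -> list[str]:
    """Return indicator labels for one request URL (empty if clean)."""
    findings: list[str] = []
    parts = urlsplit(url)
    # unquote (not unquote_plus) keeps the literal '+' in '+CSCOE+'.
    path = fully_decode(parts.path)
    if not path.startswith(PORTAL_PREFIX):
        return findings
    if TRAVERSAL_RE.search(path):
        findings.append("traversal-in-path")
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        val = fully_decode(val)
        if TRAVERSAL_RE.search(val):
            findings.append(f"traversal-in-param:{key}")
        if MARKUP_RE.search(val):
            findings.append(f"markup-in-param:{key}")
    return findings


def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """(client ip, url, findings) for every suspicious portal request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        findings = analyze_request(m["url"])
        if findings:
            alerts.append((m["ip"], m["url"], findings))
    return alerts


if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {url} -> {', '.join(findings)}")
```

The scan is scoped to the portal prefix on purpose, so the traversal attempt against `/images/logo.png` in the sample is ignored; widen `PORTAL_PREFIX` or drop the check if the same proxy fronts other applications. Decoding is repeated a bounded number of times because a single `unquote` misses `%252e%252e`, while unbounded decoding can be abused to stall the scanner.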