This post was sparked by an Instagram user who reached out to me: @purabparihar, if you’re interested in following him.
He pointed out to me that 1. there was no rate limiting on coupon code attempts, and 2. there was an exposed RSS feed (that I wasn’t using).
I thanked him for pointing these “issues” out; I disabled coupons (as I don’t use them anyway) and I disabled the RSS feed.
Now, these may seem like vulnerabilities, and arguably a misconfigured web server with an unused default RSS feed exposed, as well as one that allows brute forcing of a coupon code, may be in some very specific circumstances.
One of the biggest things you have to ask yourself is: how does this affect the business?
For example, how does having this RSS feed affect my organization today? Truthfully, it doesn’t, but as @purabparihar pointed out, who knows what unknown vulnerabilities may lie within this implementation of RSS. Regardless, good Operations Security (OpSec) means taking every step you can to harden your organization, so I disabled the RSS feed since I wasn’t using it.
Now let’s talk about the coupon code thing…
Without rate limiting, you could use this to find coupon codes that aren’t meant for the public (again, I don’t use coupon codes).
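As an added example (not code from the original post or from any shop platform), here is the kind of rate limit that would have closed the coupon issue: a sliding-window counter of failed redemption attempts per client, after which further attempts are refused until the oldest failure ages out. The client identifier, the attempt limit, the window and the coupon set are all assumptions chosen for illustration.

```python
import time
from collections import deque

class CouponRateLimiter:
    """Sliding-window limiter for failed coupon redemption attempts.

    Keyed by a client identifier (session or account id, assumed here).
    Once `max_attempts` failures fall inside `window_seconds`, the client
    is refused until the oldest failure ages out of the window.
    """
    def __init__(self, max_attempts=5, window_seconds=600, now=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.now = now                     # injectable clock, eases testing
        self._failures = {}                # client id -> deque of timestamps

    def _prune(self, dq, t):
        # Drop failures older than the window so the block lifts automatically.
        while dq and t - dq[0] >= self.window:
            dq.popleft()

    def is_blocked(self, client_id):
        dq = self._failures.get(client_id)
        if not dq:
            return False
        self._prune(dq, self.now())
        return len(dq) >= self.max_attempts

    def record_failure(self, client_id):
        dq = self._failures.setdefault(client_id, deque())
        self._prune(dq, self.now())
        dq.append(self.now())

# Constructed sample coupon set; a real shop keeps these in its database.
VALID_COUPONS = {"SPRING10", "FRIENDS20"}

def redeem(limiter, client_id, code):
    """Return 'ok', 'invalid' or 'rate_limited' for one redemption attempt."""
    if limiter.is_blocked(client_id):
        return "rate_limited"              # refuse before even checking the code
    if code.strip().upper() in VALID_COUPONS:
        return "ok"
    limiter.record_failure(client_id)
    return "invalid"

def demo():
    """Three wrong guesses lock a client out; the window expiring lets it back in."""
    clock = [0.0]
    lim = CouponRateLimiter(max_attempts=3, window_seconds=600, now=lambda: clock[0])
    results = [redeem(lim, "c1", g) for g in ("GUESS1", "GUESS2", "GUESS3", "SPRING10")]
    results.append(redeem(lim, "c2", "SPRING10"))   # a different client is unaffected
    clock[0] = 601.0                                 # oldest failure ages out
    results.append(redeem(lim, "c1", "SPRING10"))
    return results
```

Counting only failures means a legitimate customer who types a valid code is never penalised, while a guessing loop hits the limit after a handful of tries.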
Always make sure to check default settings for everything you use.
Thanks again to @purabparihar
A word of warning: don’t scan websites without permission.