Insecure Data Storage
Summary :
Insecure data is not only limited to passwords, usernames, emails, api-keys etc. I have found an unique technique to check for some Insecure Data Storage which is related to comments, posts, profile photos etc. Now many a times it happens that you have an account on some website where you have an option to comment, posts something, add your profile photo, upload some files etc. Now when you do this things it will generate a link to particular thing for eg. if you upload your profile photo then it will be stored on server like this http://www.example.com/<id>/photo.png, have you ever tried to delete your account and visit this link ?
If the website is vulnerable to Insecure Data Storage you’ll still be able to visit your photo, same way you can also check for your comments, posts, some files you have uploaded etc.
How to find this vulnerability ?
- Go to your target website and upload a profile photo
2. Right click on the photo and click on view image
3. Now a link will open where your photo is uploaded like : https://www.example.com/<id>/photo.jpg
4. Copy the link and save it in notepad
5. Now delete your account and then visit the link
6. If your still able to see the photo means it is vulnerable to Insecure Data Storage
NOTE : Many companies have the policy of removing data after 3 days, one week or a month in that case you can check after these time period. Another thing is that this policy is mainly for profile photos and not other things (In many cases), so you can check for other things too.
Thank You :)
Instagram : jerry._.3
