Escalating user privileges in a BBP

-
Hi folks,

This post is about one of my recent finding in a private bug bounty program. Since the program refused for public disclosure (i don't know why) i am not attaching any screenshots. But still i will try to explain the idea. Let's call the site as example.com, So example.com is a trading platform and they have a limited trial period after that you have to spend $$ to renew your account. And the most irritating part is once your trial account is expire example.com lands you to https://example.com/subscription/expired every time. 

So i created a new trial account and start checking common endpoints like profile page, account balance page, recent activities page etc.

After i tried to get those endpoints with my old expired account and every time i was landing to https://example.com/subscription/expired :(

Now the challenges was to somehow get and update information of my old expired account. Luckily they have a API which is used to fetch, update and trade orders for us. Now all you need is to get a valid API key. 

After digging a bit i noticed several JSON requests in browser's network tab which is used to display user's data, activity, trade orders etc. 

So quickly i navigated to my old expired account and request to open those JSON requests and it fetched my old account data, recent activities, trade balance etc. That was enough to report but they will consider it as low :p 

After digging more deeper i noticed that the request which is used to create a new API key for a user is also in JSON. Since JSON requests is working for old expired account, so the request which is used to create a new API key might also work.

And finally i tried to send same request using the old expire account and it successfully created a API key for me.

Now its time to read their API documentation and check all the available option,
So you can even add, update and delete a trade order. In short you can almost perform every operation as a subscribed account.

Example.com team fixed it quickly and the bounty was enough to get a pizza :p 

Comments

Post a Comment

Popular posts from this blog

How I bypassed 2-Factor Authentication in a bug bounty program

-
Image
Hello readers, This post is about one of my recent finding in a private bug bounty program on hackerone. For the sake of privacy, let’s call the site as bountyplease.com According to Bountyplease.com scope, they are more interested in Authentication related issues. So I decided to test their 2-Factor Authentication mechanism. As normal 2-Factor Authentication flow the process works in the following steps. 1. User login to account by providing valid email and password 2. A valid OTP send to users register number 3. User fill OTP 4. Login successful But in case if any user lose their phone or SIM card the process works in the following steps. 1. User login to account by providing valid email and password 2. User select other options 3. User provide backup codes 4. Login successful In both above described cases there is also a code flow as following. 1. User login to account by providing valid email and password 2. At this stage bountyplease.com display a pa
Read more

Story of a JSON XSS

-
Image
Hi folks, This post is about of one of my recent my finding in a bug bounty program. I started checking the application for common vulnerabilities but got nothing after spending an hour I came across an endpoint which looks as follows. If you look at request and response you will see the value of status parameter is reflecting back in the response. So I tried replacing the value of status parameter and same reflected back in the response as shown in below. What next? Let’s check for XSS with a simple payload as shown in below. But angle brackets getting filtered, after I tried some encodings but nothing worked. So I was about to give up but suddenly i decided to try array tricks. So you can see whatever we write inside the round brackets is reflecting back in response as it becomes associated array as follows Status    Equals JSON object <haha> Equals Key of JSON object T
Read more