One endpoint = Two bugs
Hello my fellow hunters! Hope you are all doing well. This is another write-up about the bugs I found recently with one endpoint.
To those who don't know me, I'm 70% bug bounty hunter and 30% security researcher, and my name is Shesha Sai C.
I would like to share a tip with those who are out there:
If a person is new to something and asks for guidance or makes a mistake, help them identify it instead of asking "have you done a pen test before?" Remember, everyone has to start somewhere; you also made mistakes and started the same way.
DON’T JUDGE A BOOK BY ITS COVER.
Enough with the talk, let's just dive into the bugs.
It is a private program, so let's call it redacted.com and move on to the bug.
Vulnerability 1: IDOR - one of my favourites
Summary: IDOR stands for Insecure Direct Object Reference; here we abuse the user id to change content that belongs to other users.
As shown in the scenario in the image above, I was able to change the information of other users by changing the user id in a POST request. This leads to account takeover, because the application has no protection such as password confirmation when changing the mail id.
How to reproduce:
Visit redacted.com and create two accounts (you don't want to mess with other legitimate users).
Visit the profile change information page of User A, catch the request in Burp Suite and send it to Repeater.
Here, if you notice, my Burp contains the request belonging to my account (User A) while the browser is logged in to User B.
Now I'm going to change the username from "seriously idor" to my payload of <h1>You are </strong>…….
As this is my User A request with the user id 44 (User A), as shown in the image above, let's change the user id to 46 (User B), my other account.
The image above contains the request with the user id of User B.
Let's give it a go, check the response in Burp Suite and refresh the browser logged in as User B; you can see that User B's account details have changed.
When I found this bug I was like
Later that devil inside me woke up saying….. "There is more." When I heard it I was like
Vulnerability 2: PII (Personally identifiable information)
PII refers to Personally Identifiable Information: sensitive information belonging to a user that should not be shared with or disclosed to any other user.
Let's just break down the vulnerability.
Visit the application, log in to your account, then visit the profile page, refresh the page, catch the request in Burp Suite and send it to Repeater.
If you observe the GET request, it contains the user id 44, which is the User A account; if you check the response you can see the content with mail, phnum, address, etc.
Now let's change the user id to 46 (User B) and send the request; the response contains the information belonging to the victim (User B).
It feels so good that I was like
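Both bugs share one root cause: the endpoint trusts the user id sent in the request instead of the identity tied to the session. As an added example (not code from the write-up or from redacted.com), here is a minimal Python model of the profile endpoint with the vulnerable read and update handlers next to fixed ones that check object ownership and require password confirmation before a mail change; the function names, the ids 44/46 and the sample records are constructed for illustration.

```python
import copy

# Constructed sample data: 44 is the tester's account A, 46 is account B.
USERS = {
    44: {"username": "seriously idor", "mail": "a@example.test", "phnum": "111"},
    46: {"username": "user b", "mail": "b@example.test", "phnum": "222"},
}

class Forbidden(Exception): """Session user does not own the requested object."""

def get_profile_vulnerable(db, session_user_id, requested_user_id):
    # BUG: the id from the GET parameter is trusted (IDOR -> PII leak).
    return copy.deepcopy(db[requested_user_id])

def update_profile_vulnerable(db, session_user_id, requested_user_id, changes):
    # BUG: the id from the POST body is trusted (IDOR -> account takeover).
    db[requested_user_id].update(changes)
    return copy.deepcopy(db[requested_user_id])

def get_profile_fixed(db, session_user_id, requested_user_id):
    # Object-level authorization: a session may only read its own record.
    if requested_user_id != session_user_id:
        raise Forbidden("user %d may not read user %d" % (session_user_id, requested_user_id))
    return copy.deepcopy(db[requested_user_id])

def update_profile_fixed(db, session_user_id, requested_user_id, changes, reauthenticated=False):
    # Same ownership check, plus step-up auth: a mail change needs a fresh password confirmation.
    if requested_user_id != session_user_id:
        raise Forbidden("user %d may not update user %d" % (session_user_id, requested_user_id))
    if "mail" in changes and not reauthenticated:
        raise Forbidden("changing mail requires password confirmation")
    db[requested_user_id].update(changes)
    return copy.deepcopy(db[requested_user_id])

def demo():
    """Replays the write-up: the session of user 44 sends requests naming user 46."""
    vuln_db, fixed_db = copy.deepcopy(USERS), copy.deepcopy(USERS)
    leaked = get_profile_vulnerable(vuln_db, 44, 46)["mail"]
    update_profile_vulnerable(vuln_db, 44, 46, {"username": "changed by 44"})
    attempts = (lambda: get_profile_fixed(fixed_db, 44, 46),
                lambda: update_profile_fixed(fixed_db, 44, 46, {"username": "x"}),
                lambda: update_profile_fixed(fixed_db, 44, 44, {"mail": "new@example.test"}))
    blocked = 0
    for attempt in attempts:
        try:
            attempt()
        except Forbidden:
            blocked += 1
    return {"leaked_mail": leaked, "hijacked_name": vuln_db[46]["username"],
            "blocked": blocked, "fixed_db_intact": fixed_db == USERS}
```

`demo()` shows the vulnerable handlers leaking User B's mail and overwriting User B's username, while the fixed handlers reject all three cross-user or unconfirmed requests and leave the records untouched.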
Awarded Bounty $$$
If you found this helpful,
give me a clap and stay safe.
If you have any questions, reach out to me: cyb3r_4ss4s1n