One end point = Two bugs

Hello my fellow hunters!..hope you all are doing well, this is another write-up about the bugs i found recently with one endpoint.

To those who don’t know me i’m a 70% bug bounty hunter and 30% security researcher and my name is Shesha Sai C.

I would like to share some tips to those who are out there

If a person is new to something and asking for guidance or makes a mistake help him to identify it,Instead of asking him have you done pen test before, remember everyone should start somewhere and you also made mistakes and you started with the same.

DON’T JUDGE A BOOK BY ITS COVER.

Enough with the talk lets just dive into the bugs.

It is a private program so lets say it as redacted.com and let’s move on to the bug

Vulnerability 1: IDOR -one of my favourites

Summary: IDOR name itself suggests insecure direct object reference where we are going to abuse the user id to change content belongs to other users

Example for idor

as the scenario mentioned in the above image, i was able to change the user information of other users by changing the user id with post method and which leads to take over the user account, which does not have option like password protection on changing mail id

How to reproduce:

visit redacted.com create two accounts (you don’t wanna mess with other legit users)

visit the profile change information of USER A and catch the request in burpsuite and send this to repeater

Here if you notice my burp contains the request belongs to my account A and in the browser contains account with User B

now im going to change the username from seriously idor to my payload of <h1>You are </strong>…….

as this is my user A request with the user id as 44(User A) as shown in the image above , lets change the user id of my another account with 46(User B).

the above images contains a request with user id of the User B

let’s give it a Go and check the response of the burpsuite and refresh the browser which contains the User B account then you can see that User B account details are changed.

when i found this bug i was like

Later that devil inside me just woke up saying…..” There is more” when I heard it I was like

Vulnerability 2: PII (Personally identifiable information)

PII refers to the Personally identifiable information which contains the sensitive information that belongs to an user which should not be shared or disclosed to any other users .

let’s just break down and vulnerability

visit the application and login to your account then visit profile page and refresh the page and catch the request in the burpsuite and send this to repeater

if you observe the GET request it contains the user id with 44 this is the User A account , if you check the response you can see the content with mail, phnum, address etc

now let’s change the user id to 46 (User B) and send the request, the response contains the information belongs to the vicitm (User B).

it feels so good that i was like

Awarded Bounty $$$

if you feel this helpful

give me a clap and stay safe

if you have any questions reach out to me cyb3r_4ss4s1n

Ignore me, i will make you regret