Escalating user privileges in a BBP

Hi folks,

This post is about one of my recent finding in a private bug bounty program. Since the program refused for public disclosure (i don't know why) i am not attaching any screenshots. But still i will try to explain the idea. Let's call the site as example.com, So example.com is a trading platform and they have a limited trial period after that you have to spend $$ to renew your account. And the most irritating part is once your trial account is expire example.com lands you to https://example.com/subscription/expired every time. 

So i created a new trial account and start checking common endpoints like profile page, account balance page, recent activities page etc.

After i tried to get those endpoints with my old expired account and every time i was landing to https://example.com/subscription/expired :(

Now the challenges was to somehow get and update information of my old expired account. Luckily they have a API which is used to fetch, update and trade orders for us. Now all you need is to get a valid API key. 

After digging a bit i noticed several JSON requests in browser's network tab which is used to display user's data, activity, trade orders etc. 

So quickly i navigated to my old expired account and request to open those JSON requests and it fetched my old account data, recent activities, trade balance etc. That was enough to report but they will consider it as low :p 

After digging more deeper i noticed that the request which is used to create a new API key for a user is also in JSON. Since JSON requests is working for old expired account, so the request which is used to create a new API key might also work.

And finally i tried to send same request using the old expire account and it successfully created a API key for me.

Now its time to read their API documentation and check all the available option,
So you can even add, update and delete a trade order. In short you can almost perform every operation as a subscribed account.

Example.com team fixed it quickly and the bounty was enough to get a pizza :p 

Comments

Popular posts from this blog

How I bypassed 2-Factor Authentication in a bug bounty program

Exploiting Misconfigured CORS