I was able to see all user information by manipulating parameters on the website.
Hello, everyone! Today I'd like to share my recent experience with a bug bounty program. It is a story about a bug where, by changing some parameters in a request, I was able to see all user-related information: the user name, id, id_org, name, address, and other really important information.
What is parameter manipulation?
Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make an application do things the user shouldn't be able to do.
Discovery and Reconnaissance:
For this blog, let's say the website name is anything.com. As all bug bounty hunters do, I started with the basic tasks: finding subdomains, brute-forcing subdomains, and taking a screenshot of every domain. After finishing my recon, which took 3 days, I went through all the screenshots to check if there was something interesting. One domain caught my interest: its screenshot showed direct access to an admin dashboard.
Analysis of the website
But after I visited that URL, I was sent to a login panel. After a lot of playing around I was not able to get access to the dashboard, but there was a catch: when I tried to access the dashboard by using https://anything.com, it first redirected me to https://anything.com/dashboard and, after just a few seconds, it redirected me again to https://anything.com/login.

After playing around for a long time, I found a trick to get access to the dashboard, which took me almost 1 day. The trick was this: first request https://anything.com, intercept that request in Burp Suite and forward it; when the next request to https://anything.com/dashboard comes, forward it as well; but when the third request to https://anything.com/login comes, do nothing. Then go and look at the browser, and I was able to access the admin dashboard. Unfortunately I was not able to make a lot of the requests from it; it always gave me an unauthenticated message. I was only able to access the search parameter and a few other important functions.
After using all those functions and searches, I started checking the history to see if there were any interesting requests for me to test. There was one request that was of real interest: https://www.anything.com/passthru/api/backend/end-users?page=1&search= It caught my interest because of the end-users path and the page parameter. The first thing I tried was SQL injection on it, but that failed. I tried changing it to page=1' but I got nothing.

Here is the interesting part: when I was checking other requests, I saw that in a lot of requests a parameter had the value all. So I also decided to change the search parameter to search=all and send it, and I was able to see the admin's and all users' information. It was not only because of the all; it happened because of using it together with page=1'. My URL looked like https://www.anything.com/passthru/api/backend/end-users?page=1'&search=all and by using this URL I was able to see all sensitive information related to the users and the admin.
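As an added illustration (not the author's findings and not anything.com's code), here is a hypothetical reconstruction in Python of what an end-users endpoint with this kind of behaviour could look like, next to a hardened version, with a small probe that replays the four parameter variations from the write-up against each handler. The handler names, the sample records, the page size of two and the mechanism by which page=1' disables pagination are all assumptions made for this example; the real backend's logic is not known from the write-up.

```python
# Added illustration, not anything.com's code: a hypothetical "end-users" handler
# that leaks every record when search=all is combined with a non-numeric page
# value, next to a hardened handler. Names, sample data and page size are assumed.
from urllib.parse import urlsplit, parse_qs

PAGE_SIZE = 2  # assumption; kept small so paging is visible in the results

# Constructed sample records mirroring the fields named in the write-up
# (user name, id, id_org, name, address): two organizations plus one admin.
USERS = [
    {"id": 1, "id_org": 10, "user_name": "alice", "name": "Alice Adams",
     "address": "1 Example Road", "role": "admin"},
    {"id": 2, "id_org": 10, "user_name": "bob", "name": "Bob Brown",
     "address": "2 Example Road", "role": "user"},
    {"id": 3, "id_org": 20, "user_name": "carol", "name": "Carol Clark",
     "address": "3 Example Road", "role": "user"},
]

BASE = "https://www.anything.com/passthru/api/backend/end-users"


def query_params(url):
    """Return the query string of `url` as a flat dict (first value wins)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def vulnerable_end_users(url, session=None):
    """Weak handler (hypothetical). Three defects: no authentication check, a
    magic value 'all' that disables the search filter, and a page parameter
    that silently disables pagination when it is not numeric."""
    p = query_params(url)
    search = p.get("search", "")
    if search == "all":
        rows = USERS                      # magic value: everything
    elif search:
        rows = [u for u in USERS if search in u["user_name"]]
    else:
        rows = []                         # no query, no results
    try:
        page = int(p.get("page", "1"))
    except ValueError:
        return {"status": 200, "data": rows}   # page=1' -> whole set, unpaged
    start = (page - 1) * PAGE_SIZE
    return {"status": 200, "data": rows[start:start + PAGE_SIZE]}


def hardened_end_users(url, session=None):
    """Hardened handler: authenticate first, validate page strictly, treat the
    search value as a literal, scope results to the caller's organization and
    return only the fields the caller's role is entitled to see."""
    if session is None:
        return {"status": 401, "error": "unauthenticated"}
    p = query_params(url)
    page_raw = p.get("page", "1")
    if not page_raw.isdigit() or int(page_raw) < 1:
        return {"status": 400, "error": "page must be a positive integer"}
    search = p.get("search", "")[:64]     # literal substring, no magic values
    scope = [u for u in USERS if u["id_org"] == session["id_org"]]
    rows = [u for u in scope if search in u["user_name"]] if search else []
    start = (int(page_raw) - 1) * PAGE_SIZE
    if session["role"] == "admin":
        visible = ("id", "user_name", "name", "address")
    else:
        visible = ("id", "user_name", "name")
    page_rows = rows[start:start + PAGE_SIZE]
    return {"status": 200, "data": [{k: u[k] for k in visible} for u in page_rows]}


def probe(handler, session=None):
    """Replay the write-up's parameter mutations and report, per variant, the
    number of records returned (or the HTTP status if the request was refused)."""
    variants = {
        "baseline": f"{BASE}?page=1&search=",
        "quote":    f"{BASE}?page=1'&search=",
        "all":      f"{BASE}?page=1&search=all",
        "both":     f"{BASE}?page=1'&search=all",
    }
    results = {}
    for name, url in variants.items():
        resp = handler(url, session)
        results[name] = len(resp["data"]) if resp["status"] == 200 else resp["status"]
    return results


if __name__ == "__main__":
    print("vulnerable, unauthenticated:", probe(vulnerable_end_users))
    print("hardened, unauthenticated:  ", probe(hardened_end_users))
    print("hardened, org 10 user:      ", probe(hardened_end_users, {"id_org": 10, "role": "user"}))
```

Running the file prints the record count per variant for each handler: against the weak handler the "both" variant is the only one that returns every record, which is the pattern the write-up describes. The point of the hardened handler is that rejecting a non-numeric page is not the fix by itself; the records leaked because the endpoint served any caller and had no organization or role scoping, so an authenticated attacker in another organization would still see everything if only the page check were added.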
Thank you for reading, and I look forward to sharing my knowledge with you all.