I was able to see all user information by manipulating parameters on the website.

Security Sphinx
Aug 30

Introduction

Hello, everyone! Today I'd like to share my recent experience with a bug bounty program. It is a story about a bug where, by manipulating a few parameters in a request, I was able to see all user-related information: user name, id, id_org, name, address, and other really important data.

What is manipulating parameters

Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make an application do things the user shouldn't be able to do.

Discovery and Reconnaissance

For this blog, let's say the website is anything.com. As all bug bounty hunters do, I started with the basic tasks: finding subdomains, brute-forcing subdomains, and taking a screenshot of every domain. After finishing my recon, which took 3 days, I went through all the screenshots to check whether anything looked interesting. One domain caught my interest: it looked like I had direct access to an admin dashboard.

Analysis of website

But after I visited that URL I was sent to a login panel. After a lot of playing around I was not able to get access to the dashboard, but there was a catch: when I tried to reach the dashboard via https://anything.com, it first redirected me to https://anything.com/dashboard, and after just a few seconds it redirected me again to https://anything.com/login. After playing around for a long time, I found a trick to get into the dashboard, which took me almost a day. The trick was this: open https://anything.com, intercept that request in Burp Suite and forward it; when the next request, to https://anything.com/dashboard, comes in, forward it too; but when the third request, to https://anything.com/login, comes in, do nothing with it. Then look at the browser, and I was able to see the admin dashboard. Unfortunately I was not able to make requests for a lot of things; it always gave me an unauthenticated message. I was only able to use the search parameter and a few other important functions that I could access.

Real bug

After using all those functions and searches, I started checking the history for any interesting requests to test. There was one request that was very interesting: https://www.anything.com/passthru/api/backend/end-users?page=1&search=` It caught my interest because of the end-users path and the page parameter. The first thing I tried was SQL injection on it, but that failed: I changed page=1 to page=1' but got nothing. And here is the interesting part: while checking other requests, I saw that in a lot of requests parameters had the value all. So I also decided to change search= to search=all and send it, and I was able to see the admin and all user-related information. It did not happen only because of all; it happened in combination with page=1'. My URL looked like https://www.anything.com/passthru/api/backend/end-users?page=1'&search=all and by using this URL I was able to see all sensitive information related to the users and the admin.
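Both weaknesses in this write-up, the dashboard that only bounces you to /login after the page has already been served, and the end-users API that trusts whatever page= and search= contain, come down to the server deciding authorization from the request rather than from the session. The example below is added here and is not the post's code or the real site's backend: the "weak" handlers are an assumed reconstruction of logic that would behave the way the post reports, and the user records, session store, bearer-token header and function names are constructed for illustration. The "fixed" handlers show the server-side checks a defender would want.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (hypothetical, not the real site's records).
USERS = [
    {"id": 1, "id_org": 10, "name": "Alice", "address": "1 Main St", "role": "admin"},
    {"id": 2, "id_org": 10, "name": "Bob", "address": "2 Elm St", "role": "user"},
    {"id": 3, "id_org": 20, "name": "Carol", "address": "3 Oak Ave", "role": "user"},
]
PAGE_SIZE = 2
# Hypothetical session store: bearer token -> session. No token = anonymous.
SESSIONS = {"tok-org10": {"user_id": 2, "id_org": 10, "role": "user"}}
DASHBOARD_HTML = "<div id='dashboard'>users, search, exports ...</div>"
PAGE_RE = re.compile(r"[1-9][0-9]{0,5}")          # positive integer, bounded length
SEARCH_RE = re.compile(r"[A-Za-z0-9 ._@-]{0,64}")  # plain search text only


@dataclass
class Response:
    status: int
    body: object = None
    headers: dict = field(default_factory=dict)


def session_for(headers):
    """Look up the caller's session from an Authorization header (assumed scheme)."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def query(url):
    """Parse the URL's query string into {name: first_value}."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


# --- Weakness 1: login enforced only by a script inside the page ---------------
def dashboard_client_gated(headers):
    # Anti-pattern: the page goes to everyone, and a script decides afterwards
    # whether to send the visitor to /login. Whoever stops that follow-up
    # request (as the post describes) is left looking at the dashboard.
    return Response(200, DASHBOARD_HTML + "<script>if(!loggedIn)location='/login'</script>")


def dashboard_server_gated(headers):
    # Fix: decide on the server, and send no dashboard content to anonymous callers.
    if session_for(headers) is None:
        return Response(302, None, {"Location": "/login"})
    return Response(200, DASHBOARD_HTML)


# --- Weakness 2: an API that trusts page= and search= --------------------------
def end_users_weak(url, headers):
    # Assumed reconstruction of logic that behaves as the post reports: no auth
    # check, "all" is a magic value, and an unparseable page number silently
    # disables paging, so page=1'&search=all dumps every record.
    p = query(url)
    search, page = p.get("search", ""), p.get("page", "1")
    rows = USERS if search == "all" else [u for u in USERS if search.lower() in u["name"].lower()]
    try:
        start = (int(page) - 1) * PAGE_SIZE
        rows = rows[start:start + PAGE_SIZE]
    except ValueError:
        pass  # paging quietly skipped
    return Response(200, rows)


def end_users_fixed(url, headers):
    sess = session_for(headers)
    if sess is None:
        return Response(401, {"error": "unauthenticated"})
    p = query(url)
    page, search = p.get("page", "1"), p.get("search", "")
    # Reject malformed input instead of coercing or ignoring it: "1'" is not a page.
    if PAGE_RE.fullmatch(page) is None:
        return Response(400, {"error": "page must be a positive integer"})
    if SEARCH_RE.fullmatch(search) is None:
        return Response(400, {"error": "search contains disallowed characters"})
    # Authorization comes from the session, never from a parameter: the caller
    # sees only its own organisation, and a non-admin sees neither admin
    # accounts nor address fields. "all" is just a literal substring here.
    rows = [u for u in USERS if u["id_org"] == sess["id_org"]]
    if sess["role"] != "admin":
        rows = [{"id": u["id"], "name": u["name"]} for u in rows if u["role"] != "admin"]
    if search:
        rows = [u for u in rows if search.lower() in u["name"].lower()]
    start = (int(page) - 1) * PAGE_SIZE
    return Response(200, rows[start:start + PAGE_SIZE])
```

Calling end_users_weak with the post's page=1'&search=all returns all three constructed records, addresses included, to an anonymous caller; end_users_fixed answers 401 without a session, 400 for the quoted page value, and for a logged-in non-admin returns only the non-admin users of that caller's own organisation with the sensitive fields dropped. For detection, a 400 on page= or search= from this endpoint is a cheap signal worth logging: legitimate front-ends never send a quoted page number.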

Thank you for reading, and I look forward to sharing my knowledge with you all.


Security Sphinx

I am a beginner pen tester and bug bounty hunter. Passionate about cybersecurity and always learning to stay up-to-date. #HackerOne #Bugcrowd.