This bug became one of my special ones, not only because it gave me a handsome bounty but also because it was not easy to identify.
The application had a feature for adding more members to an admin account; those members could in turn invite people and assign them roles.
I found that some random numbers were being generated in a PATCH request, which also had a few role IDs assigned in the JSON body.
I changed the last digit of the ID from 141306 to 141316, and it gave me a lot of sensitive details of another member who had not even accepted…
This blog is not about bounty tricks; rather, it is based on the CVE I received this year for a product.
In our daily lives we use Bluetooth technology to connect headphones, mice, smartwatches, etc., but have you ever thought of finding bugs in such a device?
What if you could connect to the device without pairing it with your phone and perform a particular action? :D Sounds interesting, right? 😉
So let's start and see how I controlled the device from my terminal.
Okay!! To perform any BLE attack you need a few tools, such as:
· CSR dongle 4.0…
Cross-Origin Resource Sharing (CORS) misconfigurations have never been easy to find, especially when it comes to exploiting the vulnerability.
Here I will give some tricks for finding such vulnerabilities.
Finding CORS- Always look for sensitive data in the response, such as an account ID, address, phone number or email, which can show some business impact for the organization.
Identification- Whenever you see the Origin or Referer in a request, change the domain name and cross-check whether the Access-Control-Allow-Origin header in the response reflects the domain you supplied. Reading another user's data also needs Access-Control-Allow-Credentials: true in that response; without it the browser sends the cross-origin request without cookies.
Always make sure the request is passing through…
Bug-type: Bypass trial version/ Business logic flaw
This one is more interesting to me :D
Application functionality: This application was for monitoring employees' activity. Once you install the software on a system, it keeps sending logs to the admin account, so basically you can view everything your employees are viewing during working hours ;)
User roles: Two different roles were assigned, like: Admin, who needs to create accounts for employees and install the product on the users' systems. …
Hey!!! How is your lockdown going? :D
Okay… this bug took me around 2 weeks to find out :P Why??? I will tell you :D
Now, whenever we hunt for bugs on a bug bounty program, we first look at the in-scope items, right!!
Here I looked for a bug in an out-of-scope domain and found a critical bug in an in-scope domain. How??? Let's check it out ;)
So… I saw the list of in-scope items in the program and started crawling via Burp Suite.
I found a domain that was used to manage users' services such as customer information, address, tax status…
A simple IDOR which should not be missed on a dating app ;)
I am writing this article to give you tips on finding simple vulnerabilities.
So let's check out how I found the IDOR!!
It was very easy to identify the endpoint for the IDOR, but how you make it acceptable is important :D
This dating app was showing a user's details based on some random number; in this case, I just needed to identify whether it was showing other users' details or not.
Although many API endpoints had such issues, most of them were showing publicly disclosed information.
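Both IDOR posts above (the PATCH request whose member ID was tampered from 141306 to 141316, and the dating app that served profiles by a numeric ID) come down to the same defect: the handler fetches whatever ID the client names and never asks whether the caller may see it. The example below is mine, added for this page and not the code of either application; it puts the vulnerable handler beside a hardened one and adds the ID sweep a tester would run. The member store, the session shape, the role names, the e-mail addresses and the two IDs are constructed.

```python
"""IDOR on a member-update endpoint: the vulnerable lookup beside a hardened one.

Added example, not the code of either application in the posts above. The
member store, the session shape, the role names and the IDs are constructed.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Any, Dict, List


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass
class Member:
    member_id: int
    org_id: int
    email: str
    phone: str
    roles: List[str]
    accepted: bool          # has the invitation been accepted yet?


@dataclass
class Session:
    user_id: int
    org_id: int             # the organization the caller belongs to
    is_admin: bool


# Two organizations with nearby IDs, mirroring the 141306 -> 141316 tamper in the post.
_SEED: Dict[int, Member] = {
    141306: Member(141306, 1, "alice@org1.example", "+1-555-0100", ["viewer"], True),
    141316: Member(141316, 2, "bob@org2.example",   "+1-555-0199", ["admin"],  False),
}


def fresh_store() -> Dict[int, Member]:
    """A private copy so each run (and each test) starts from the same data."""
    return deepcopy(_SEED)


def patch_member_vulnerable(session: Session, member_id: int,
                            body: Dict[str, Any], store: Dict[int, Member]) -> Dict[str, Any]:
    """Fetches whatever ID the client sent; the session is never consulted."""
    m = store.get(member_id)
    if m is None:
        raise NotFound(member_id)
    if "roles" in body:
        m.roles = list(body["roles"])
    return {"id": m.member_id, "email": m.email, "phone": m.phone,
            "roles": m.roles, "accepted": m.accepted}


def patch_member_secure(session: Session, member_id: int,
                        body: Dict[str, Any], store: Dict[int, Member]) -> Dict[str, Any]:
    """Object-level authorization: the record must belong to the caller's
    organization, and only an admin may change roles. Foreign IDs get the same
    404 as missing ones, so the endpoint does not confirm which IDs exist."""
    m = store.get(member_id)
    if m is None or m.org_id != session.org_id:
        raise NotFound(member_id)
    if "roles" in body:
        if not session.is_admin:
            raise Forbidden("admin role required to assign roles")
        m.roles = list(body["roles"])
    return {"id": m.member_id, "email": m.email, "roles": m.roles}


def compare(session: Session, member_id: int, body: Dict[str, Any],
            store: Dict[int, Member]) -> Dict[str, Any]:
    """Run both handlers on one request; a refusal is reported as its HTTP status."""
    out: Dict[str, Any] = {}
    try:
        out["vulnerable"] = patch_member_vulnerable(session, member_id, body, store)
    except NotFound:
        out["vulnerable"] = "404"
    try:
        out["secure"] = patch_member_secure(session, member_id, body, store)
    except NotFound:
        out["secure"] = "404"
    except Forbidden:
        out["secure"] = "403"
    return out


def sweep(session: Session, start: int, stop: int, store: Dict[int, Member]) -> Dict[int, str]:
    """What the tester does: walk neighbouring IDs through the vulnerable handler
    and note whose e-mail comes back."""
    leaked: Dict[int, str] = {}
    for mid in range(start, stop):
        try:
            leaked[mid] = patch_member_vulnerable(session, mid, {}, store)["email"]
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    org1_admin = Session(user_id=7, org_id=1, is_admin=True)
    print(compare(org1_admin, 141316, {}, fresh_store()))   # vulnerable leaks bob, secure -> 404
    print(sweep(org1_admin, 141300, 141320, fresh_store()))
```

The fix is the single `m.org_id != session.org_id` comparison; the rest of the hardened handler only decides how much to tell the caller. Returning 404 rather than 403 for another tenant's ID is the detail that keeps the sweep from doubling as an ID enumeration oracle.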
A $5000 Account Takeover
This is my first write-up on bug bounty, and I am going to continue writing many more interesting ones as soon as I receive my rewards :p
This write-up is based on the $5000 I earned a few months back, as many people were asking me about the technique… so let's follow the steps.
Bug Type- Account takeover via OTP
I found this bug on the highest paying bug bounty program. Oops!! Don't ask me the name of the program :D
I always keep looking for something interesting that should cause a business impact.