neelam
Sep 16, 2020


Attacking on trial expiration

Bug-type: Bypass trial version/ Business logic flaw

This is something more interesting to me :D

Application functionality: This application is an employee activity monitoring product. Once the software is installed on a system it keeps sending activity logs to the admin account, so the admin can basically view everything an employee is viewing during working time ;)

User roles: The product has two roles. The admin creates accounts for employees and installs the product on the employees' systems. (In my case I created an account on the web console and installed the software on my Windows virtual machine.)

What is the flaw: The vendor gives users a 15-day free trial, so technically we should not be allowed to use the service once the trial expires.

[Screenshot: the expired-trial page (POC)]

Since I knew the web page was not allowing me to access any services, I started exploring the API calls through Burp Suite. Just viewing every menu in the application showed me the same page as above.

Hmmm… nothing interesting -_-

When I went back to the Burp history tab I saw a lot of API calls, so I started looking at their responses for an endpoint that could give me access to the logs.

I started marking the important API calls and requests.

Sometimes developers don't implement access control checks properly. When I logged in to a new session after the trial expiration, a new session token was generated, and trying to view any user menu from the UI still gave me the trial expiration page. But if I made a request directly to the API (in my case the /api/… path), it returned the details in the response, which means we can still use their services. Now let's see how I was still able to use the service…
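To show the root cause and the fix, here is an added Python example (not the vendor's code; the route paths, the Account model and the usage data are constructed): a dispatcher that gates only the UI routes beside one that checks subscription state before any handler runs, plus a small audit that lists the routes an expired account can still reach.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    """Tenant account; trial_started and paid are constructed sample state."""
    name: str
    trial_started: str          # ISO date, e.g. "2020-08-01"
    paid: bool = False
    trial_days: int = 15        # the 15-day free trial described in the post

    def trial_expired(self, today: str) -> bool:
        end = date.fromisoformat(self.trial_started) + timedelta(days=self.trial_days)
        return not self.paid and date.fromisoformat(today) > end

# Constructed stand-in for the monitoring product's employee activity store.
APP_USAGE = {"employee-vm": ["chrome.exe", "notepad.exe", "cmd.exe"]}

def trial_expired_page():
    return {"status": 402, "body": "Your trial has expired"}

def app_usage_handler(account):
    return {"status": 200, "body": APP_USAGE}

# The same handler is reachable from the UI and from the API (hypothetical paths).
ROUTES = {"/dashboard/app-usage": app_usage_handler,
          "/api/app-usage": app_usage_handler}

def dispatch_vulnerable(path, account, today):
    """Flawed: the expiry check is applied to UI routes only."""
    handler = ROUTES.get(path)
    if handler is None:
        return {"status": 404, "body": "not found"}
    if path.startswith("/dashboard/") and account.trial_expired(today):
        return trial_expired_page()
    return handler(account)          # /api/* skips the check entirely

def dispatch_hardened(path, account, today):
    """Fixed: subscription state is checked once, before any handler runs."""
    handler = ROUTES.get(path)
    if handler is None:
        return {"status": 404, "body": "not found"}
    if account.trial_expired(today):
        return trial_expired_page()
    return handler(account)

def audit_expired_access(dispatch, account, today):
    """Defender check: routes that still serve data to an expired account."""
    return [p for p in ROUTES if dispatch(p, account, today)["status"] == 200]
```

Running the audit against every route table with an expired test account is a cheap regression check that the expiry gate sits in front of the API as well as the UI.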

Finally, I found an endpoint that showed me app usage by employees, and it listed every application I had used on my other VM :O

[Screenshot: list of applications used by the employee]

In the response section you can see the full list of applications I used on my VM…
