neelam
3 min read · Sep 16, 2020


Attacking on trial expiration

Bug type: Trial version bypass / business logic flaw

This is something more interesting to me :D

Application functionality: This application is an employee-activity monitoring product. Once the software is installed on a system, it keeps sending logs to the admin account, so the admin can see whatever the employee is viewing during working hours ;)

User roles: The product has two different roles. The admin creates accounts for employees and installs the product on the users' systems. (In my case I created an account on the web console and installed the company's software on my Windows virtual machine.)

What is the flaw: The vendor gives users a 15-day free trial, so once the trial expires we are technically not allowed to use the service any more.

This is the expired-trial POC

Since the web page was not allowing me to access any services, I started exploring the API calls through Burp Suite. Every menu I viewed in the application showed me the same expired-trial page as above.

Hmmm… nothing interesting -_-

When I went back to the Burp history tab, I saw a lot of API calls along with their responses. I was looking for an endpoint that could give me a way to access the logs.
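The underlying problem in a bug like this is that the expiry is enforced by the web console but not by the API behind it. As an added example (not code from this post or from the vendor), the Python sketch below shows the fix from the defender's side: one server-side entitlement check applied to every API route, so the raw API refuses an expired account exactly as the UI does. The log endpoint, the `Account` model and the sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TRIAL_DAYS = 15  # the 15-day free trial described in the post


@dataclass
class Account:
    name: str
    trial_started: datetime            # timezone-aware, stored server-side
    paid_until: Optional[datetime] = None


def trial_expires_at(acct: Account) -> datetime:
    return acct.trial_started + timedelta(days=TRIAL_DAYS)


def is_entitled(acct: Account, now: datetime) -> bool:
    """Server-side entitlement: active trial or a paid plan covering 'now'.
    Naive datetimes are rejected so a timezone slip cannot extend a trial."""
    if now.tzinfo is None or acct.trial_started.tzinfo is None:
        raise ValueError("entitlement checks require timezone-aware datetimes")
    if acct.paid_until is not None and now < acct.paid_until:
        return True
    return now < trial_expires_at(acct)


def require_entitlement(handler):
    """Decorator for every API route, not only the web console pages, so an
    expired account gets the same refusal from the API as from the UI."""
    def wrapped(acct, now, *args):
        if not is_entitled(acct, now):
            return 402, {"error": "trial_expired",
                         "expired_at": trial_expires_at(acct).isoformat()}
        return handler(acct, now, *args)
    return wrapped


@require_entitlement
def get_employee_logs(acct, now, employee_id):
    # Hypothetical stand-in for the log-retrieval endpoint; no real data store.
    return 200, {"employee": employee_id, "logs": ["constructed sample log line"]}


# Constructed sample accounts for running the check offline.
TRIAL_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
TRIAL_ACCOUNT = Account("acme-trial", TRIAL_START)
PAID_ACCOUNT = Account("acme-paid", TRIAL_START,
                       paid_until=TRIAL_START + timedelta(days=365))


def days_after_start(n: int) -> datetime:
    return TRIAL_START + timedelta(days=n)


if __name__ == "__main__":
    for day in (1, 14, 15, 20):
        print(day, get_employee_logs(TRIAL_ACCOUNT, days_after_start(day), "emp-1")[0])
```

The boundary is deliberately exclusive: the request on day 15 is refused, because the trial covers days 0 through 14 only.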
