Hi everyone. Eight months ago I was invited to a private program on BugCrowd, where I reported 8 bugs, and all of them were marked as duplicates. I was so depressed. I left that program and started hunting other programs on BugCrowd. After 8 months I got an email saying the following bugs have been resolved. I just ignored that email; at the time I was hunting a different private program. Then I suddenly thought, let's give it a try and see if the bugs are really fixed. I fired up my Burp Suite and started digging.

About the web-application

The web application was built on React, with role-based authentication. They were using Bearer authentication, which means no chance for CSRF, CORS, etc.

Param

I found nothing. I was going through my Burp HTTP history and saw an endpoint where a lot of parameters were present. I thought, let's try each parameter in every request and see what happens; I didn't even know what I would end up with. I tried the parameters in every request, in GET and POST, and found nothing. Then I realized: let's save them in a file, make a wordlist out of them, and try them on their API. There was an HTTP request like this.

GET /v2/ HTTP/1.1
Host: api.redacted.com
Connection: close
Content-Length: 159
Accept: application/json, text/plain, */*
authorization: Bearer {token}
x-redacted-client: web/7.80.0
x-connection-id: 94881378-e4dsb-4cf4-8569-fb5e434223b61
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: https://api.redacted.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

§CHECK§ /v2/§one§?§two§=§three§ HTTP/1.1
Host: api.reacted.com
Connection: close
Accept: application/json, text/plain, */*
authorization: Bearer {token}
x-reacted-client: web/7.76.2
x-connection-id: 94881378-eassb-4cf4-5569-fb5as334223b61
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
Origin: https://app.reacted.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Password Disclosure

$1k bounty. But...

Bounty Time

After the bounty, I thought: let's try one parameter everywhere, but how about also changing the request method, GET to POST and POST to GET, and likewise PUT to POST and GET? Not just that, let's play around with the Content-Type too, changing application/json to application/x-www-form-urlencoded and vice versa. The results were so surprising: I got a lot of endpoints, and all of them were disclosing sensitive information including passwords (in plain text 😁). The parameters I used don't actually belong to the original request.
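The server-side pattern that produces this behaviour, next to a hardened version, as an added example that is not code from this post or from the program it describes. The USERS records and the ROUTE contract are constructed assumptions: the vulnerable handler merges parameters from the query string and from any body regardless of method or declared Content-Type, filters on whatever it receives, and serialises whole records; the hardened handler enforces one explicit contract per route and an allow-list of response fields.

```python
import json
from urllib.parse import parse_qs

# Constructed sample data (assumption): two user records as a backend might store them.
USERS = [
    {"id": "1", "email": "alice@example.test", "role": "admin", "password": "hunter2"},
    {"id": "2", "email": "bob@example.test", "role": "user", "password": "letmein"},
]


def _merge_all_params(content_type, query, body):
    """Collect parameters from the query string and, whatever the declared
    Content-Type, from a JSON or form-encoded body. This permissive parsing
    is what lets a parameter meant for one endpoint 'work' on another."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if body:
        if "json" in content_type:
            params.update(json.loads(body))
        else:
            params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params


def vulnerable_users_endpoint(method, content_type, query, body=""):
    """Pattern behind the bug: accepts any method, merges every parameter
    source, treats each parameter as a filter, and returns full records."""
    params = _merge_all_params(content_type, query, body)
    matches = [u for u in USERS
               if all(str(u.get(k)) == str(v) for k, v in params.items())]
    return 200, matches  # the stored password ships with every record


# Hardened route contract (assumption): allowed methods, parameters and fields.
ROUTE = {"methods": {"GET"}, "params": {"role"}, "fields": ("id", "email", "role")}


def hardened_users_endpoint(method, content_type, query, body=""):
    """Reject unexpected methods, bodies and parameters, and serialise only
    an allow-list of fields so a password can never reach the wire."""
    if method not in ROUTE["methods"]:
        return 405, []
    if body:  # a GET route has no reason to parse a body of any Content-Type
        return 400, []
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if set(params) - ROUTE["params"]:
        return 400, []  # parameter borrowed from some other endpoint: refuse it
    matches = [u for u in USERS
               if all(u.get(k) == v for k, v in params.items())]
    return 200, [{f: u[f] for f in ROUTE["fields"]} for u in matches]
```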

$10k ❤
