السلام عليكم ورحمة الله وبركاته
Peace upon you everybody,
today we are going to discuss 2 logic bug that awards me 3 digit bounty in an eCommerce site designed for engineers to ease their life.
After finishing 15-day trial site asked you to subscribe for some of its offers, we have entry subscription and pro one, each one has its own features once you choose, the sever gives you back a link to the payment site. but we from entry subscription need all pro features, we are hackers yoo. the misconfigurations are that site doesn’t have server side checks .. so what if we in the middle manipulate the request sent to the server.
after going to subscription page click entry one send the request to intruder, doing the same with pro one. the request which is going to the server was JSON format and has key called features with some values for each subscription level, so what about getting all pro features and putting them in the entry one then the request, hence we got a all pro features.
1- go to subscription page choose entry level, intercept the request and send it to repeater
2- do the same with pro one
3- from JSON body request and with pro tab copy all features and paste it in entry tab
4- send the request and open the link of the subscription in the browser and bingoooo!!….
you can noticed in the begging i said 2 bugs, honestly the site consider it the same issue for both bugs so in summery problem was that the site allow you to add more users to your account, in the subscription each added user will pay 500$, and users key was send also with the JSON body so simply i deleted the key&value and request sent successfully.
and that’s it
thank you for reading! hope you enjoyed it…
you can find me on twitter @0xMohamed_Ayad
also, Linkedin @0xmh3yad