How I was able to disclose all emails, full names and usernames (users'/admins' PII) and invite any user/admin to any Run without knowing their email address.
In the name of God, the Most Gracious, the Most Merciful
Assalamu alaikum. In this write-up I will show you an easy bug that I found on my target, which earned a $$$$ bounty.
For those who don't know me, my name is Ahmad Yousef, known in the community as a7madn1. I publish write-ups of the security vulnerabilities I find in bug bounty programs on my Telegram channel: t.me/a7madn1
Summary:
Let's say the target is domain.com.
I found an Insecure Direct Object Reference (IDOR) on app.domain.com. It occurs when an attacker creates a scheduled run, intercepts the request in Burp Suite, and changes the scheduled_run[user_ids][] parameter to the victim's user id.
- What is a Run: this feature holds whatever you want to manage in your workflow.
- What is a Schedule: this feature lives inside a Run and is used to automate it.
Example: you have a Run with many tasks that must be done; with the schedule feature you can set the time at which the Run is executed.
Note:
When you want to invite anyone to your Run, you must have their email.
But I bypassed this, and I was able to invite any user to my Run without knowing their email.
(I was also able to create and control a victim's scheduled runs; I will write that up later, InShaAllah.)
Steps To Reproduce:
- Go to https://domain.com/scheduled_runs
- Click on Recurring Run; you will be redirected to https://domain.com/scheduled_runs/new
- Open Burp Suite.
- Set a random time of day at which you want the run to be executed.
- When you click Save, intercept the request in Burp Suite.
- The request will contain these parameters:
authenticity_token=&scheduled_run[run_at]=6Am&scheduled_run[user_ids][]=&scheduled_run[started_at]=&scheduled_run[active]=0&commit=Save
- Replace the value of the scheduled_run[user_ids][] parameter with the victim's user id.
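As an added example (not the author's or the target's code), the server-side pattern that produces this IDOR beside a hardened one that validates every submitted id against what the requester may reference, in plain Ruby because the request body uses Rails-style nested parameters. The user directory, the same-team rule and the function names are assumptions.

```ruby
require "cgi"

# Constructed sample user directory (assumption, not the target's data): id => record
USERS = {
  1 => { email: "owner@example.com", team: "acme" },
  2 => { email: "mate@example.com",  team: "acme" },
  3 => { email: "admin@example.com", team: "internal" },
}.freeze

# Parse the form body shown in the write-up. CGI.parse groups repeated keys,
# so scheduled_run[user_ids][] becomes an array; the empty default value is dropped.
def parse_scheduled_run(body)
  q = CGI.parse(body)
  {
    run_at:   q["scheduled_run[run_at]"].first,
    user_ids: q["scheduled_run[user_ids][]"].reject(&:empty?).map(&:to_i),
    active:   q["scheduled_run[active]"].first == "1",
  }
end

# Vulnerable pattern: every client-supplied user_id is trusted, so any id on the
# platform can be attached to the run and its profile data returned to the requester.
def build_run_vulnerable(_current_user_id, params)
  params[:user_ids].map { |id| USERS.fetch(id) }
end

class ForbiddenUserId < StandardError; end

# Hardened pattern: an id is accepted only if it resolves to a user the requester is
# allowed to reference (assumed rule: same team). The whole request is rejected on
# any unknown or foreign id rather than silently dropping it, so the attempt is
# visible to logging and alerting.
def build_run_hardened(current_user_id, params)
  team = USERS.fetch(current_user_id)[:team]
  params[:user_ids].map do |id|
    user = USERS[id]
    raise ForbiddenUserId, "user_id #{id} not visible to user #{current_user_id}" unless user && user[:team] == team
    user
  end
end
```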
Conclusion:
With this bug I was able to:
- Disclose users'/admins' PII.
- Invite any user to my Run without knowing their email.
Thanks for reading, I hope you enjoyed it.
Join my Telegram channel for bug bounty tips:
t.me/a7madn1
LinkedIn:
https://www.linkedin.com/in/ahmad-yussef-12b5a7262
Twitter(x):
Facebook:
https://www.facebook.com/a7madn11?mibextid=ZbWKwL
#bugbountytips #cybersecurity #bugs #Idor #hacking #hackerone