I hope you all are doing well in this lockdown. I'm having a hard time concentrating on bug bounty for now because of staying home all the time. Usually I play football once a week, but since the lockdown I can't go out any more. I still managed to find a few bugs during this time: a few XSS and a 2FA bypass. For now I'll share just two of the bugs I found.
The first bug I found was a SQLi, which was quite an easy find. The company has a public VDP, but since I had reported many bugs to them they asked me to look at a completely different website that they own.
And of course I took permission from them before publishing this blog. With the help of Wappalyzer I found out that the website runs on PHP, so I used a simple Google dork, site:redacted.com inurl:id=, and found just one URL.
I added a ' at the end of id=1 and it gave me a MySQL error.
This by itself tells us that there is SQL injection. I injected a sleep command and it worked, which confirmed the vulnerability.
This was enough for a PoC; I reported it and the team fixed it pretty quickly.
The second bug was a business logic issue. The website is about creating projects or presentations and sharing them with others. Users can create a free account but can only create one project; creating multiple projects requires you to upgrade your account.
When I clicked New Project it redirected me to the payment page. So I thought of bypassing it and tried using Turbo Intruder to send the project-creation request multiple times, but it gave me errors, so I thought of trying the app version from the Play Store. When browsing the app I discovered that you can create multiple projects in it without any restrictions, and I was like.
There was an Add button in the app which let me create as many projects as I wanted.
And the changes were reflected on the website as well.
And just like that I bypassed it. The app was really old and hadn't been updated for years.
Always look at the app of the website, if it has one. Sometimes developers forget about the app and its functionality never gets updated. The team were also kind enough to give a bounty instead of coupons.
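As an added example (this is not the site's code and not the author's), here is how both bugs get closed on the server side in PHP, which Wappalyzer said the site runs on: the concatenated query that produces the MySQL error next to a prepared statement, and the one-project limit enforced in the same handler that the website and the mobile app both call, so an old app build cannot skip it. The table and column names and the 'free' plan value are assumptions.

```php
<?php
// Added example, not the target site's code: one server-side handler that both
// the website and the mobile app must go through. Assumed schema (assumptions):
// users(id, plan) with plan = 'free' or 'paid', projects(id, owner_id, title).
declare(strict_types=1);
const FREE_PLAN_PROJECT_LIMIT = 1;

// The pattern behind an error from ?id=1': the id is concatenated into the SQL,
// so a stray quote breaks the statement and a SLEEP() payload gets executed.
function getProjectVulnerable(PDO $db, string $id): ?array
{
    $row = $db->query("SELECT id, owner_id, title FROM projects WHERE id = $id") // DO NOT USE
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed: the id travels as a bound parameter, so it can never become SQL.
function getProject(PDO $db, string $id, int $ownerId): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, title FROM projects WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $ownerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The plan limit lives here, not in the UI, so an old app build that never
// shows the paywall still cannot create more projects than the plan allows.
function createProject(PDO $db, int $ownerId, string $title): int
{
    $db->beginTransaction();
    try {
        // Lock the user row so two concurrent requests cannot both pass the count.
        $plan = $db->prepare('SELECT plan FROM users WHERE id = :id FOR UPDATE');
        $plan->execute([':id' => $ownerId]);
        $planName = $plan->fetchColumn();
        if ($planName === false) { throw new RuntimeException('unknown user'); }
        $count = $db->prepare('SELECT COUNT(*) FROM projects WHERE owner_id = :id');
        $count->execute([':id' => $ownerId]);
        if ($planName === 'free' && (int) $count->fetchColumn() >= FREE_PLAN_PROJECT_LIMIT) {
            throw new RuntimeException('upgrade required'); // controller maps this to 402/403
        }
        $ins = $db->prepare('INSERT INTO projects (owner_id, title) VALUES (:owner, :title)');
        $ins->execute([':owner' => $ownerId, ':title' => $title]);
        $id = (int) $db->lastInsertId();
        $db->commit();
        return $id;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
```

The same createProject() must sit behind every client entry point (web form, mobile API, any legacy endpoint), otherwise an unmaintained app keeps a path around the paywall exactly as described above.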
Hope you learned something from this.