I am going to share one of my findings, which earned me a $100 bounty. This was a private program, so I won’t share the actual URLs. I hope you will like this article.
This bug was in an application that collected important documents and other personal information for further business requirements.
The application was using multiple headers for authorization. I was able to bypass this check and retrieve the complete personal data of any end user (phone number, address, device information, etc.). I found that the API endpoint https://example.com/personalDetail was affected by this issue.
The impact of this vulnerability was that anyone could get the complete details of any end user of that web application.
Original request and response:
If I change the value of “ConsumerID”, the server sends “not authorised” as the response.
This clearly shows that the application ties the Consumer ID to the values of the Authorization header and another custom header. So I removed these headers and sent the request to the server.
After removing the headers, the response was “Invalid accessToken or Consumer data found”. Next, I simply appended a trailing / to the endpoint.
Original: https://example.com/personalDetail
And below is the result. I was able to extract personal information of some other user.
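As an added illustration (constructed here, not the program’s own code), this Python sketch shows one way such a bypass arises: the authorization check compares the exact request path while the router tolerates a trailing slash, so “/personalDetail/” reaches the handler without ever being checked. The hardened variant normalizes the path before the check. All data, tokens and route names are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample data; stands in for the application's per-consumer records.
USERS = {"1001": {"phone": "555-0100", "address": "1 Main St"},
         "1002": {"phone": "555-0199", "address": "9 Elm St"}}
# Constructed token table: access token -> the ConsumerID it is bound to.
TOKENS = {"tok-alice": "1001", "tok-bob": "1002"}

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

def authorized(req: Request) -> bool:
    """Authorization and ConsumerID must agree: the token must own that consumer."""
    owner = TOKENS.get(req.headers.get("Authorization", ""))
    return owner is not None and owner == req.headers.get("ConsumerID")

def personal_detail(req: Request) -> Tuple[int, object]:
    return 200, USERS.get(req.headers.get("ConsumerID", ""), {})

ROUTES = {"/personalDetail": personal_detail}
PROTECTED = {"/personalDetail"}

def dispatch(req: Request, normalize_before_auth: bool) -> Tuple[int, object]:
    """Route a request. The router always tolerates a trailing slash; the auth
    check only does so when normalize_before_auth is True (the hardened variant)."""
    route_path = req.path.rstrip("/") or "/"
    auth_path = route_path if normalize_before_auth else req.path
    if auth_path in PROTECTED and not authorized(req):
        return 401, "Invalid accessToken or Consumer data found"
    handler = ROUTES.get(route_path)
    if handler is None:
        return 404, "not found"
    return handler(req)

# The request shape from the write-up: no auth headers, trailing slash, another user's ConsumerID.
PROBE = Request("/personalDetail/", {"ConsumerID": "1002"})

def vulnerable() -> Tuple[int, object]:
    return dispatch(PROBE, normalize_before_auth=False)  # 200 and consumer 1002's record: the leak

def hardened() -> Tuple[int, object]:
    return dispatch(PROBE, normalize_before_auth=True)   # 401: path normalized before the check

def legitimate() -> Tuple[int, object]:
    req = Request("/personalDetail", {"Authorization": "tok-bob", "ConsumerID": "1002"})
    return dispatch(req, normalize_before_auth=True)     # 200: token owns the requested consumer
```

The same mismatch shows up with case differences, double slashes or URL-encoded characters, so the defensive rule is to run authorization on the canonical path the router actually dispatches on, not on the raw request line.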
I immediately prepared a report and informed the concerned team. This bug has now been resolved and I received a bounty of $100.
Thank you for reading.