A Ridiculous Bypass

Both on and off the internet, many people who like security research follow a cookbook recipe.
They learn the very basics of protocols, web applications, firewalls, XSS, SQL injection, and so on.

After learning all this, they try to put it into practice, and most of them end up frustrated, because unfortunately real-life systems have a level of protection that is much more customized than they imagine.

But if they really cared to know more about the technology involved in the application, they would be able to deduce much more easily the mistakes that programmers and administrators tend to make.

On one of those days, hunting bugs for a bug bounty, I came across a page that caught my attention, and I decided to explore it using something very basic: code review.

Reviewing the code is a fantastic way to catch bugs, but it is stressful. Most “researchers” do not go to that depth and end up using scanners.

Scanners have a very high tendency to produce false positives and false negatives (I still intend to write an article about that). They also do not perform a good code review, and if you really want to be successful in security research, you will have to know manual analysis very well.

Going back to the main topic: on this page I decided to analyze the DOM, specifically in the section where it was necessary to accept the terms of the agreement in order to create an account.

There was JavaScript code performing a validation, and with some simple dynamic analysis I could see that there was a “checked” attribute set in the DOM.

By removing this “checked”, the continue button was re-enabled without the need to accept the terms of the agreement, and I could move forward in the application.
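The root cause here is that the only check lived in the browser. As an added example (my own illustration, not the author's code or the affected site's), this is the server-side counterpart that makes such a DOM edit harmless: the signup handler decides from the submitted fields alone and ignores whatever state the page's checkbox or button had. Field names, the terms version and the sample request bodies are assumptions.

```javascript
"use strict";

// Added example. CURRENT_TERMS_VERSION, the body field names and the
// sample bodies below are constructed, not taken from the post.
const CURRENT_TERMS_VERSION = "2024-01";

// Server-side validation of an account-creation request.
// The browser's checkbox, its "checked" attribute and the disabled
// "continue" button are UX only; the decision is made here.
function validateSignup(body, now = new Date()) {
  if (!body || typeof body !== "object") {
    return { ok: false, errors: ["malformed request body"] };
  }
  const errors = [];
  // Require an explicit boolean true, not a truthy string such as "on"
  // or "1" that some form encoders send regardless of checkbox state.
  if (body.termsAccepted !== true) {
    errors.push("terms of the agreement must be accepted");
  }
  // Bind the acceptance to the text actually shown, so an acceptance of an
  // older or unknown version is not good enough.
  if (body.termsVersion !== CURRENT_TERMS_VERSION) {
    errors.push("terms version mismatch");
  }
  if (typeof body.email !== "string" || !body.email.includes("@")) {
    errors.push("invalid email");
  }
  if (errors.length > 0) {
    return { ok: false, errors };
  }
  // Record evidence of acceptance alongside the account for the audit trail.
  const acceptance = {
    email: body.email,
    termsVersion: body.termsVersion,
    acceptedAt: now.toISOString(),
  };
  return { ok: true, errors: [], acceptance };
}

// Constructed bodies: a normal submission, and what arrives when the
// client-side gate was removed in the DOM and the form submitted anyway.
const SAMPLE_OK = { email: "user@example.com", termsAccepted: true, termsVersion: "2024-01" };
const SAMPLE_BYPASS = { email: "user@example.com" };
```

A rejection of this kind coming from a client whose UI is supposed to make it impossible is worth logging, because it means the form was submitted outside the intended flow.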

Below you can see the images. I made some changes because I have no authorization to expose the company.

