Getting access to disabled/hidden features with the help of Burp Suite Match and Replace settings

Johns Simon
Nov 27, 2019 · 2 min read

A few months ago, during my bug bounty hunting, I came across a company that lets developers create API documentation, similar to what Swagger does, and offers a 12-day free trial to developers using its service. Apart from creating documentation, it also allows the documentation to be published on the company's domain.

As mentioned, they restrict users from accessing project management features after the 12-day free trial period. Only paying users are able to access the projects they have created and publish them publicly.

The issue was that I was able to access the project even after the 12-day trial period. The restriction was enforced client-side rather than server-side. I found this out by examining how the page contents loaded each time the web page was refreshed: on refresh, the page briefly showed the project management view and then redirected to the home page.

Now that I knew it was client-side code doing this, I needed to check which API response the client-side code uses to display the data on the web page.

I came across this API:

Request

GET /api/v2/projects/{projectname}/listings HTTP/1.1
Host: [redacted .com]
XSRF-TOKEN: xxxxxxx

Response

{"dash":false,"log":false,"apikey":false,"stage":false,"appearance":true,"documentation":true}

If you look at the response body, some of the feature flags are set to false while others are set to true.

Now Burp to the rescue! Burp has match and replace settings, a nice little feature that automatically replaces matching parts of request or response headers and bodies. This comes in handy in numerous attacks and has helped me over the past years in bug bounty, especially when looking for blind XSS.

With Burp replacing the keyword "false" with "true" in every response body, I could access the project management page and continue to use it indefinitely. The company fixed the vulnerability and rewarded me with a bounty.
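To show why the fix has to be server-side, here is an added Python example (not from the post or the vendor) that models the listings response above: the trial start date, the project name and the endpoint behaviour are assumptions. It simulates the false-to-true replacement the post describes and shows that an endpoint which re-derives entitlement from server state is unaffected, while one that relies only on the client-side gate is not.

```python
import json
from dataclasses import dataclass
from datetime import date, timedelta

TRIAL_DAYS = 12  # the 12-day free trial described in the post


@dataclass
class Account:
    project: str        # assumed project name
    trial_started: date  # assumed trial start date
    paid: bool


def trial_active(acct: Account, today: date) -> bool:
    """Entitlement derived from server-side state only."""
    return acct.paid or today <= acct.trial_started + timedelta(days=TRIAL_DAYS)


def feature_flags(acct: Account, today: date) -> dict:
    """Flags in the shape of the /listings response shown in the post."""
    active = trial_active(acct, today)
    return {"dash": active, "log": active, "apikey": active, "stage": active,
            "appearance": True, "documentation": True}


def client_gate(flags: dict, feature: str) -> bool:
    """Vulnerable design: the only check is client-side JS consulting the flags it received."""
    return bool(flags.get(feature))


def listing_vulnerable(acct: Account, today: date) -> int:
    """No authorization check: serves the project regardless of trial state."""
    return 200


def listing_hardened(acct: Account, today: date) -> int:
    """Re-checks entitlement on the server, so tampered flags change nothing."""
    return 200 if trial_active(acct, today) else 403


def demo() -> tuple:
    acct = Account("demo-project", date(2019, 10, 1), paid=False)  # constructed account
    today = date(2019, 11, 27)  # trial expired weeks ago
    server_flags = feature_flags(acct, today)
    # Simulate the response-body replacement from the post: every "false" becomes "true".
    tampered = json.loads(json.dumps(server_flags).replace("false", "true"))
    vuln = listing_vulnerable(acct, today) if client_gate(tampered, "dash") else 403
    hard = listing_hardened(acct, today) if client_gate(tampered, "dash") else 403
    return vuln, hard  # → (200, 403)
```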

You can generate your own match and replace rules and import them into Burp Suite. Here is a Python script for generating your own match and replace configuration:
https://github.com/Leoid/MatchandReplace

Thanks @Hamid Mohammad for making it easy to generate custom scripts.

Written by

Security researcher
