Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings
A few months ago, During my bug bounty hunting, I came across a Company that lets other developers create API documentation similar to what swagger does and the company provides a 12 day free trial for the developers using their services. Apart from creating documentation they also allow it to be published on their domain.
As I told they restrict users from accessing project management features after a 12 days free trial period. Only users who pay are able to access the project they have created and even publish it publicly.
Now the issue came when I am able to access the project even after the 12 day trial period. The restriction they impose was by client-side rather than server-side. I came to know about this by examining how the web page contents get loaded each time when the web page was refreshed. When the web page was refreshed the page showed the project management at first in a millisecond and redirected to a home page.
Now that I know it is some client-side code doing the thing.I now need to check which API response does the client side code uses for displaying the data on the web page
I came across this API
Request
GET /api/v2/projects/{projectname}/listings HTTP/1.1
Host: [redacted .com]
XSRF-TOKEN: xxxxxxx
Response
{“dash”:false,”log”:false,”apikey”:false,”stage”:false,”appearance”:true,”documentation”:true}
So if you notice the response body some of them were set to false, while some were set to true.
Now burp to the rescue!!!. Burp has match and replace settings which is a nice little feature that lets you replace the request or response body headers automatically. This comes in handy in numerous attacks and has helped me over the past years in bug bounty. Especially when looking for blind XSS
Now that burp replaces all response body having the keyword “false” to “true”
i can access project management page and continue to use it for lifetime.
The vulnerability was fixed by the company and rewarded me with a bounty
You could generate your own match and replace script and exported it on the burp suite.Here is a python script to generate your own match and replace the script.
https://github.com/Leoid/MatchandReplace
Thanks @Hamid Mohammad for making it easy to generate custom scripts
