The story of out-of-scope to a $2137 bounty in a Bugcrowd private program
Hello fellow hackers, hope everything is going fine. Today I will talk about "how I found a critical IDOR that leaked users' critical PII".
This was my recent finding on a Bugcrowd private program, so I can't disclose the program name, but I will use redacted.com as an example. Without further ado, let's jump into the discussion.
Can you imagine a single Referer URL giving you a critical bug with a P1 bounty? Sounds crazy, huh! But it's the truth. How? OK, let me tell you the crazy story.
During the Eid-ul-Adha celebration I got some private invites on Bugcrowd. One was a fresh, ongoing program with a wildcard scope, but I was a little late: a month later I decided to test it, so I picked it and started basic recon to look for low-hanging fruit, but in the end nothing landed in my hands. Then I decided to test manually: I fired up my Burp proxy and started capturing all requests, created an account and analyzed every request. But then I got an error after making so many requests, and on the error page I saw some URLs linked to their main website. All of these URLs looked weird, so I decided to visit every URL I got from the error page. Whenever I visited those URLs, nothing happened. Luckily my Burp proxy was still capturing every request I made, so each time I visited those URLs I saw that the page immediately requested a third-party herokuapp endpoint to verify me. They use this Heroku endpoint internally, so it is kind of a secret: even after thousands of attempts you will not see any request going to or coming from this Heroku app until you visit this URL: https://redacted.com/web.income/cgi.min.json/bla.bla.bla
After doing all of that I didn't get anything, so I looked at the Burp history tab to see whether any new requests had been made. I couldn't find anything, so I searched for my ID (100692**) and saw a lot of matches, but one request shocked me: the Heroku endpoint:
https://*c-se****nt-p**ona*.herokuapp.com/idType=user_id&id=001001xxx,
It is worth saying that this Heroku endpoint is not using any authorization header. After seeing that, I started screaming IDOR! IDOR! IDOR! and started testing without further ado to see whether anything was accessible. But whenever I tried to brute-force the IDs, it always showed me 304 Not Modified responses! WTF
But I was able to bypass it after a little bit of struggle. How?
This can be done in two ways.
First: add some extra hex characters at the end of the Referer header, because the server only gives priority to a unique Referer header:
Referer: https://redacted.com/web.incoming.user/cgi.min.json/bla.bla.bla/7935b. That means if a request has already been sent, the new request needs a unique Referer header, which will look like
Referer: https://redacted.com/web.income/cgi.min.json/bla.bla.bla/7935bc, hope you understand.
I know it's a crazy way to bypass.
Second: completely remove two headers. Here the server is using another header, which is
If-None-Match: bla.bla.bla
and it shows a 200 OK response whenever I remove the two headers (Referer and If-None-Match) together. I also created the PoC using the second method. The video link is given below.
What type of information did this herokuapp leak?
Well, this herokuapp completely exposed, for every user:
1-first-name
2-last-name
3-phone-number
4-email
5-user-hash
6-session-id
7-front-session-id
8-company-name
9-country-name
10-revenue-details
11-analytic-hash
12-company-user-role
13-user-agent
14-trial-start-date
15-user-name, etc.
I mean, everything except the password was exposed.
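To show why the 304 gate was no protection and what the endpoint above was missing, here is an added Python sketch (my illustration, not the program's code; the records, field names and the "admin" role are constructed assumptions): a lookup handler that, like the reported endpoint, gates only on the ETag, beside one that checks object-level authorization before answering and strips session material from the response.

```python
# Added illustration, not the program's own code: the reported endpoint gated only
# on HTTP caching (ETag / If-None-Match), which is not access control. Records,
# names and the "admin" role below are constructed for the example.
import hashlib
import json

# Constructed sample records shaped like the fields the write-up lists (not real data).
USERS = {
    "001001001": {"first_name": "Alice", "last_name": "Example", "phone": "+10000000001",
                  "email": "alice@example.invalid", "session_id": "sess-a1",
                  "user_hash": "h-a1", "company_name": "Acme"},
    "001001002": {"first_name": "Bob", "last_name": "Example", "phone": "+10000000002",
                  "email": "bob@example.invalid", "session_id": "sess-b2",
                  "user_hash": "h-b2", "company_name": "Beta"},
}
# Server-side secrets that must never be returned, even to the record's owner.
SECRET_FIELDS = {"session_id", "front_session_id", "user_hash", "analytic_hash"}

def etag_for(record):
    """Strong ETag derived from the response body, as a caching layer would compute."""
    body = json.dumps(record, sort_keys=True).encode()
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

def vulnerable_lookup(headers, user_id):
    """Mirrors the reported behaviour: a matching If-None-Match yields 304, anything
    else yields the full record. Nothing checks who is asking: an IDOR."""
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    if headers.get("If-None-Match") == etag_for(record):
        return 304, None  # the "304 Not Modified" the author kept hitting
    return 200, record

def hardened_lookup(headers, user_id, session):
    """Object-level authorization first: the caller must be authenticated and must
    own the id (or hold an admin role). Caching is applied only after that check."""
    if session is None:
        return 401, None
    if session["user_id"] != user_id and session.get("role") != "admin":
        return 403, None
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    safe = {k: v for k, v in record.items() if k not in SECRET_FIELDS}
    if headers.get("If-None-Match") == etag_for(safe):
        return 304, None
    return 200, safe
```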
Timeline:
14 August 2021: submitted the report to the Bugcrowd private program.
15 August 2021: the Bugcrowd triager rejected my report as "Out-Of-Scope" and I lost 1 submission point, so I contacted their security engineer.
16 August 2021: I reported this again on behalf of their security manager.
16 August 2021: they immediately triaged my submission.
19 August 2021: accepted as a valid issue, and the state was changed to unresolved.
20 August 2021: the issue was fixed.
26 August 2021: got $1337 plus an $800 bonus, total $2137.
PoC video: https://youtu.be/qkqdKUc4Ga8
The takeaway is "Never ever give up". If you think a finding could lead to a huge data breach, don't just report it in their program; try to contact them directly through their email, even if it is out of scope.
That's all for today. Hope you learned something new. Also keep in mind: "Allah is great", Allah can do anything for you. Just pray and keep shining. Peace.
And I will see you next time, inshallah.
Nazmul Hossain Nirob aka(x1337Loser)
Security researcher at Bugcrowd.
Don't forget to hit the subscribe button on my YouTube channel.
Do follow on Facebook and Twitter.