Bug Bounty Tips: API Documentation Bugs for Administrator Panel Takeovers
In this bug bounty journey, RootBakar has unearthed a significant vulnerability on an Indonesian website. Without further delay, let’s delve into the intricacies of the bug, its repercussions, and the serendipity that led to its discovery.
During this exploration, RootBakar identified a vulnerability enabling a malicious user to acquire valid credentials disclosed through the API Documentation.
Typically, API Documentation imparts knowledge to users solely on how to send requests to specific endpoints. However, in this distinctive scenario, RootBakar discovered that the API Documentation included usernames and passwords. Using these credentials granted access to the website, ultimately resulting in the takeover of the website with the authority of an administrator.
Administrator Panel Takeover
Proof of concept:
- Navigate to the API Documentation link on the website.
- Conduct a keyword search in the API Documentation, such as username or password.
- Multiple usernames and passwords are discernible in the API Documentation.
- Notably, the username [email protected] and the password (redacted) are among them.
- Log in to the website using these credentials.
- Successfully log in and gain access as an administrator.
- The provided credentials carry the role of an administrator.
Takeaway: always scrutinize usernames and passwords provided in API Documentation.
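The keyword search from the proof of concept is just as useful on the defending side, run over the documentation before it is published. The following is an added example, not RootBakar's code or the affected site's: it walks an OpenAPI/Swagger JSON document and flags literal credentials in `example`/`default` values, in credential-named fields of example objects, and in free-text descriptions. The key names, placeholder patterns and the sample spec are constructed for this example.

```python
"""Lint an OpenAPI/Swagger JSON document for credentials that should not be published."""
import json
import re

# Property/schema names that denote credentials (illustrative list, extend as needed).
SENSITIVE = re.compile(r"^(user(name)?|email|pass(word|wd)?|secret|token|api[_-]?key)$", re.I)
LITERAL_KEYS = {"example", "default", "value", "x-example"}  # sample literals under a node
# Sample values that are clearly placeholders and safe to ship.
PLACEHOLDER = re.compile(r"^(|string|<[^>]*>|\{[^}]*\}|\*+|x+|example|changeme|redacted)$", re.I)
# "password: hunter2" style leaks inside free-text descriptions.
INLINE = re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*(\S+)", re.I)

def walk(node, path=()):  # yield (path_tuple, scalar) for every scalar in the tree
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, path + (f"[{i}]",))
    else:
        yield path, node

def find_leaked_credentials(spec):
    """Return [(json_path, offending_value)] for every credential-looking literal."""
    findings = []
    for path, value in walk(spec):
        if not isinstance(value, str):
            continue
        leaf = path[-1] if path else ""
        literal = not PLACEHOLDER.match(value.strip())
        under_credential = any(SENSITIVE.match(p) for p in path[:-1])
        # 1) properties.password.example: "hunter2" (sample or enum under a credential node)
        if (leaf in LITERAL_KEYS or leaf.startswith("[")) and under_credential and literal:
            findings.append(("/".join(path), value))
        # 2) example: {"username": "admin@..."} (credential-named leaf holding a literal)
        elif SENSITIVE.match(leaf) and literal:
            findings.append(("/".join(path), value))
        # 3) prose such as "log in with password: hunter2"
        elif (m := INLINE.search(value)) and not PLACEHOLDER.match(m.group(2)):
            findings.append(("/".join(path), m.group(0)))
    return findings

# Constructed sample spec (not from any real site): three leaks plus one harmless placeholder.
SAMPLE_SPEC = {"openapi": "3.0.0", "paths": {"/auth/login": {"post": {
    "description": "Log in. For testing use password: Sup3rS3cret!",
    "requestBody": {"content": {"application/json": {
        "schema": {"properties": {"username": {"type": "string", "example": "admin@example.com"},
                                  "password": {"type": "string", "example": "Sup3rS3cret!"}}},
        "example": {"username": "admin@example.com", "password": "string"}}}}}}}}
```

Running `find_leaked_credentials(json.load(open("openapi.json")))` in a CI step and failing the build on a non-empty result keeps real accounts out of published documentation.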
This comprehensive account encapsulates the essence of RootBakar’s findings. May this disclosure prove invaluable and serve as inspiration for fellow bug hunters. Constructive critiques and feedback from the bug hunting community are eagerly welcomed.