Bug Bounty Tips: API Documentation Bugs for Administrator Panel Takeovers

Bug Bounty Tips: API Documentation Bugs for Administrator Panel Takeovers

In this bug bounty journey, RootBakar has unearthed a significant vulnerability on an Indonesian website. Without further delay, let’s delve into the intricacies of the bug, its repercussions, and the serendipity that led to its discovery.

Bug Discovery:

During this exploration, RootBakar identified a vulnerability enabling a malicious user to acquire valid credentials disclosed through the API Documentation.

Typically, API Documentation imparts knowledge to users solely on how to send requests to specific endpoints. However, in this distinctive scenario, RootBakar discovered that the API Documentation included usernames and passwords. Using these credentials granted access to the website, ultimately resulting in the takeover of the website with the authority of an administrator.

Impact:

Administrator Panel Takeover

Proof of concept:

1. Navigate to the API Documentation link on the website.
2. Conduct a keyword search in the API Documentation, such as username or password.
3. Multiple usernames and passwords are discernible in the API Documentation.
4. Notably, the username [email protected] and password redacted are among them.
5. Log in to the website using these credentials.
6. Successfully log in and gain access as an administrator.

Notes:

1. The provided credentials carry the role of an administrator.
2. Always scrutinize usernames and passwords provided in API Documentation.

This comprehensive account encapsulates the essence of RootBakar’s findings. May this disclosure prove invaluable and serve as inspiration for fellow bug hunters. Constructive critiques and feedback from the bug hunting community are eagerly welcomed.

A tip from BugBounter for bug bounty hunters: would you like to be featured on social media with your bug bounty tip? – Sign up on BugBounter, and contact us with your bug bounty tip.