Bug Bounty Tips: API Documentation Bugs for Administrator Panel Takeovers

In this bug bounty write-up, RootBakar describes a significant vulnerability found on an Indonesian website. Without further delay, let's look at the bug, its impact, and the stroke of luck that led to its discovery.

Bug Discovery:

During this exploration, RootBakar identified a vulnerability in which valid credentials were disclosed in the public API documentation, so any visitor could obtain them.

Typically, API documentation tells users only how to send requests to specific endpoints. In this case, however, RootBakar found that the API documentation included real usernames and passwords. Logging in with these credentials granted access to the website and ultimately a takeover of the site with administrator privileges.

Impact:

Administrator Panel Takeover

Proof of concept:

  1. Navigate to the API Documentation link on the website.
  2. Search the API Documentation for keywords such as "username" or "password".
  3. Multiple usernames and passwords are discernible in the API Documentation.
  4. Notably, the username [email protected] and its password (redacted) are among them.
  5. Log in to the website using these credentials.
  6. Successfully log in and gain access as an administrator.

Notes:

  1. The provided credentials carry the role of an administrator.
  2. Always scrutinize usernames and passwords provided in API Documentation.
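As an added example (not part of RootBakar's write-up), here is a pre-publication check a defending team can run over an OpenAPI document in JSON form to catch exactly this class of leak: it walks the spec and flags secret-named fields whose example values are not obvious placeholders. The sample spec, key names and credential values below are constructed for illustration.

```python
import json
import re

# Keys whose example values must never be real credentials in published docs.
SECRET_KEYS = re.compile(r"(password|passwd|secret|api[_-]?key|token)", re.I)
# Values that are clearly placeholders rather than leaked secrets.
PLACEHOLDER = re.compile(r"^(string|<[^>]*>|\*+|x+|redacted|example|changeme|\{\{.*\}\})$", re.I)

def find_credential_leaks(spec):
    """Walk a parsed OpenAPI (JSON) document and return (json_path, value)
    pairs for secret-named keys whose example value is not a placeholder."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if SECRET_KEYS.search(key):
                    if isinstance(value, str):          # "password": "hunter2" in an example object
                        candidates = [value]
                    elif isinstance(value, dict):       # "password": {"type": "string", "example": ...}
                        candidates = [value[k] for k in ("example", "default")
                                      if isinstance(value.get(k), str)]
                    else:
                        candidates = []
                    findings.extend((here, c) for c in candidates if not PLACEHOLDER.match(c))
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(spec, "")
    return findings

# Constructed sample spec (not from the page): one path leaks a real-looking
# admin password in two places, another uses a proper placeholder.
SAMPLE_SPEC = json.loads("""{
  "paths": {
    "/admin/login": {"post": {"requestBody": {"content": {"application/json": {
      "schema": {"properties": {
        "username": {"type": "string", "example": "admin@example.invalid"},
        "password": {"type": "string", "example": "Sup3r-Adm1n-Pass"}}},
      "example": {"username": "admin@example.invalid", "password": "Sup3r-Adm1n-Pass"}
    }}}}},
    "/login": {"post": {"requestBody": {"content": {"application/json": {
      "schema": {"properties": {"password": {"type": "string", "example": "string"}}}
    }}}}}
  }
}""")
```

Running `find_credential_leaks(SAMPLE_SPEC)` reports the two leaked values with their JSON paths and stays silent on the placeholder; wiring it into the docs build blocks the publish step on any hit.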

This comprehensive account encapsulates the essence of RootBakar’s findings. May this disclosure prove invaluable and serve as inspiration for fellow bug hunters. Constructive critiques and feedback from the bug hunting community are eagerly welcomed.

A tip from BugBounter for bug bounty hunters: would you like to be featured on social media with your bug bounty tip? – Sign up on BugBounter, and contact us with your bug bounty tip.

Bug Bounty Tip: Utilizing JSON and Lists for ATO Testing

The bug bounty tip of this week comes from Mohamed Reda.

When testing login functionality during a bug bounty program, using JSON and lists can help uncover potential Account Takeover (ATO) vulnerabilities. This technique involves manipulating the request payload to test how the system responds to list-type inputs.

Procedure

1. Modify Request Body

Change the request body to JSON format and structure it to accept lists for the email and password fields.

From:
{
    "email": "email",
    "password": "password"
}

To:
{
    "email": [
        "email1",
        "email2"
    ],
    "password": [
        "password1",
        "password2"
    ]
}

2. Test for ATO Vulnerabilities

a. Single Password Test

  • Utilize a list of emails and try a single password across all emails. Verify if any email-password combination allows successful login.

b. Brute Force Test

  • Use a list of emails and a list of passwords.
  • Employ an Intruder tool to systematically perform a brute force attack.
  • Check for successful logins using different email and password combinations.
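An added example, not from Mohamed Reda's tip, showing the server-side fix for the weakness this test probes: a login handler that accepts only a single string per field, so a list-shaped body like the one above is rejected before any credential check runs. The field names, length limits and sample bodies are assumptions.

```python
import json

MAX_EMAIL_LEN = 254
MAX_PASSWORD_LEN = 128

class InvalidLoginPayload(ValueError):
    pass

def _reject_duplicate_keys(pairs):
    # json.loads silently keeps the last duplicate key; refuse instead.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise InvalidLoginPayload(f"duplicate field: {key}")
        obj[key] = value
    return obj

def _require_string(body, field, max_len):
    value = body.get(field)
    if not isinstance(value, str):
        raise InvalidLoginPayload(f"{field} must be a string, got {type(value).__name__}")
    if not 1 <= len(value) <= max_len:
        raise InvalidLoginPayload(f"{field} length must be 1..{max_len}")
    return value

def parse_login_payload(raw_body):
    """Return (email, password) only when both fields are single strings; lists,
    objects, numbers, nulls, extra fields and duplicate keys are all rejected."""
    try:
        body = json.loads(raw_body, object_pairs_hook=_reject_duplicate_keys)
    except json.JSONDecodeError as exc:
        raise InvalidLoginPayload(f"malformed JSON: {exc.msg}") from None
    if not isinstance(body, dict):
        raise InvalidLoginPayload("body must be a JSON object")
    extra = sorted(set(body) - {"email", "password"})
    if extra:
        raise InvalidLoginPayload(f"unexpected fields: {extra}")
    return _require_string(body, "email", MAX_EMAIL_LEN), _require_string(body, "password", MAX_PASSWORD_LEN)

def check_login_payload(raw_body):
    """Non-raising wrapper for handlers and tests: returns (accepted, detail)."""
    try:
        return True, parse_login_payload(raw_body)
    except InvalidLoginPayload as exc:
        return False, str(exc)

# Constructed request bodies: the normal shape and the list-shaped variant.
NORMAL_BODY = '{"email": "user@example.invalid", "password": "correct horse"}'
LIST_BODY = '{"email": ["email1", "email2"], "password": ["password1", "password2"]}'
```

Because one request can now carry at most one candidate per field, rate limiting and lockout counters keyed on the email remain meaningful.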

Please Note

Always conduct security testing within the scope of the bug bounty program and with explicit authorization. Respect ethical guidelines and adhere to responsible disclosure practices when identifying and reporting vulnerabilities.

This approach helps uncover potential vulnerabilities in the login process, ensuring a thorough security assessment and contributing to a more secure system.

Get Popular with BugBounter!

Get featured on BugBounter with your bug bounty tip. Sign up on BugBounter as a cybersecurity researcher today, and contact our Community Manager Salih with your username on BugBounter via their email, [email protected].

Bug Bounty Tip: Role-Based Authorization and Unauthorized Access Testing

The bug bounty tip of this week comes from Omer Goktas, one of the top cybersecurity researchers on BugBounter. Dive into his tip about role-based authorization and unauthorized access testing.

In web and API testing, if there are roles with different levels of authorization, log in with an account that has a high level of authorization.

1. Log in using your account with lower authorization in an incognito tab.

2. Take note of what actions you can perform with your account that has high authorization. For this, you can send all requests to the Burp Repeater tab.

3. Then, try sending these requests with your unauthorized account.

4. If you’re lucky, you’ll be able to successfully send the request.

💡 BONUS

If the session is determined only by the JWT token, testing for unauthorized access can be done by sending the requests with the JWT token of the unauthorized account.

💡 BONUS 2

Copy the URL addresses and, in the incognito tab where your unauthorized user account is open, go to these URL addresses to access places the unauthorized user should not have access to.
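An added example that is not part of Omer's tip, written from the defender's side: the per-route role check whose absence this test finds, on top of a minimal HS256 JWT verifier. The route paths, role names, `ROUTE_POLICY` and helper names are assumptions, and `sign_hs256` exists only to mint demonstration tokens.

```python
import base64
import hashlib
import hmac
import json
import time
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, secret):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token, secret):
    """Return the claims dict if algorithm, signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_unb64url(header)).get("alg") != "HS256":   # refuse "none" and friends
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > time.time() else None

# Roles allowed per (method, path); a route missing from the table is denied (fail closed).
ROUTE_POLICY = {
    ("GET", "/api/profile"): {"user", "admin"},
    ("GET", "/api/admin/users"): {"admin"},
}

def authorize(method, path, token, secret):
    """A valid token only authenticates; the role claim decides access to each route."""
    claims = verify_hs256(token, secret)
    if claims is None:
        return False, "invalid or expired token"
    allowed = ROUTE_POLICY.get((method, path), set())
    if claims.get("role") not in allowed:
        return False, f"role {claims.get('role')!r} not permitted"
    return True, "ok"
```

Replaying the admin requests with the low-privilege token, as the tip describes, is exactly the regression test this check should pass in CI.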

Thanks to Omer for this week’s tip. If you’d also like to be featured on BugBounter with your bug bounty tip, reach out to the BugBounter Community Manager with your username and bug bounty tip.

Bug Bounty Tip: Leveraging Content Security Policy (CSP)

The bug bounty tip of the week comes from Abdelrahman Ali from Egypt. Abdelrahman's bug bounty tip covers leveraging Content Security Policy (CSP) for maximum impact in bug bounty hunting.

1. Master CSP Basics

Understand that CSP is your ally, designed to thwart attacks. It restricts the execution of scripts, styles, and other resources, making it pivotal in your bug bounty arsenal.

2. Detect Misconfigurations

Search for CSP misconfigurations, which can lead to substantial rewards. Misconfigured policies can allow malicious scripts to run unchecked.

3. Analyze CSP Headers

Probe websites for CSP headers. Look for the “Content-Security-Policy” HTTP response header to unveil potential security gaps.

4. Policy Directives Unveiled

Familiarize yourself with CSP directives; they determine resource origins. Common directives include ‘script-src,’ ‘style-src,’ ‘img-src,’ and more.

5. Script Origins

CSP gives you the power to control script sources. Use 'script-src' to allow scripts only from trusted origins like 'self' or specific domains.

6. Nonce Usage

CSP provides ‘nonce’ as a safeguard. Include a random nonce in your CSP directive and the script tag; only matching nonces will execute scripts.

Example

<script src="https://example.com/script.js" nonce="random-value"></script>
CSP: script-src 'nonce-random-value';

7. Hash Checks

CSP lets you specify trusted script content by hashing. If the script’s hash doesn’t match, it won’t run. Update the hash when script content changes.

Example

CSP: script-src 'sha256-hash-value';
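An added example, not from Abdelrahman's post, covering both the nonce (6) and hash (7) mechanisms: it computes the sha256 source expression for an inline script, builds a script-src directive with a fresh nonce, and reproduces in simplified form the browser's decision for an inline script. The function names and the sample script are assumptions.

```python
import base64
import hashlib
import secrets

def script_hash_source(script_body, algo="sha256"):
    """CSP source expression for the exact bytes of an inline script, e.g.
    'sha256-<base64 digest>'. Any change to the script changes the hash."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"

def new_nonce(nbytes=16):
    """Fresh unguessable nonce; generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def build_script_src(nonce=None, inline_scripts=(), hosts=()):
    """Assemble a script-src directive from a nonce, hashed inline scripts and host sources."""
    sources = ["'self'", *hosts]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    sources.extend(script_hash_source(body) for body in inline_scripts)
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'self'"

def _script_src_sources(policy):
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return value.split()
    return []

def inline_script_allowed(policy, script_body, nonce_attr=None):
    """Simplified browser decision for <script nonce=...>body</script>: it runs
    only if its nonce attribute or its content hash is listed in script-src."""
    sources = _script_src_sources(policy)
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return script_hash_source(script_body) in sources

# Constructed page fragment, not from the post.
INLINE_SCRIPT = "document.getElementById('total').textContent = '42';"
```

The hash check is byte-exact, so even a trailing space added to the script makes it fail until the policy is regenerated, which is the "update the hash when script content changes" rule in practice.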

8. CSRF Token Protection

Understand how CSP’s ‘img-src’ directive can impact CSRF token security. Inadequate control can lead to token disclosure and potential attacks.

9. Mitigate CSRF Risks

As a bug bounty hunter, help websites protect against CSRF token theft by advising them to restrict ‘img-src’ to trusted sources.

10. Stay Current About CSP

Continuously monitor CSP developments. It’s a dynamic field, and evolving CSP techniques can unlock new bug bounty opportunities.

Thank You for Reading This Week’s Bug Bounty Tip

For more information, please visit Abdelrahman’s GitHub page:

https://0xabdoali.github.io/posts/content-security-policy/

Get Featured with Your Bug Bounty Tip

Get featured on BugBounter with your bug bounty tip. Sign up on BugBounter as a cybersecurity researcher today, and contact our Community Manager Salih with your username on BugBounter via their email, [email protected].