How did I earn €€€€ by breaking the back-end logic of the server

Hello bug hunters! I am back with another blog. I found these cool bugs in one of the private programs at Intigriti, so I will not disclose the program name; I will use example.com instead of the original domain name.

Issue 1: Bypassing input validation via `null` value

While testing the application, I noticed that in the registration workflow it is not possible to create a booking without phoneNumber/email and the other required parameters. I then observed suspicious behaviour at an endpoint that allows a user to create a booking with null values.

{
  "registerCode": "CS1337",
  "gender": "male",
  "booking_date": "2021-10-03",
  "email": null,
  "firstName": "first_name",
  "lastName": "Last_name",
  "gdprConfirmed": null,
  "phoneNumber": null,
  "booking_time": "14:50"
}

If a user looks for the path API/v1/rest/customer/booking/create/ in the proxy history, sends the request to Repeater and replaces the email, gdprConfirmed and phoneNumber parameters with null values, then he is able to bypass the back-end validation and create bookings.


After validation, I submitted this issue to the Intigriti team. They confirmed this is a valid security issue, and 2 days later they accepted my report and awarded me a €€€ bounty.

Issue 2: Information disclosure via an empty array [ ]

But if a user makes a GET request and appends an empty array [] to the bookingdatefrom parameter, then he is able to access the booking data.
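Both issues come down to the same back-end mistake: the server checks that a parameter is present but not that it has the expected type and a usable value, so `null` in a JSON body and `[]` in a query string slip past. The following is an added example of how I would write the validation on the server side; it is not the program's code. The field names mirror the booking request above, the parsing of `bookingdatefrom[]` into an empty list is an assumption about how a bracket-style query parser (PHP, Express with qs) behaves, and the "weak" functions are plausible reconstructions of the flaw, not the target's actual implementation.

```python
"""Strict request validation: presence-only checks vs. type-aware checks.
Added example, not the program's own code. Field names follow the booking
request in the post; the weak_* functions are an assumed reconstruction
of the bug, not the target's real implementation."""
import re
from datetime import date, time
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")

# Constructed sample: the null-padded body from Issue 1.
NULL_BODY = {
    "registerCode": "CS1337", "gender": "male", "booking_date": "2021-10-03",
    "email": None, "firstName": "first_name", "lastName": "Last_name",
    "gdprConfirmed": None, "phoneNumber": None, "booking_time": "14:50",
}
# Constructed sample: the same body with real values (all placeholders).
GOOD_BODY = dict(NULL_BODY, email="alice@example.com",
                 phoneNumber="+4915112345678", gdprConfirmed=True)


def weak_validate(body: dict) -> list:
    """Assumed flaw behind Issue 1: only key presence is checked.
    A key whose value is null passes, so NULL_BODY yields no errors."""
    required = ("email", "phoneNumber", "gdprConfirmed")
    return [k for k in required if k not in body]


def _is_iso(parser, value: str) -> bool:
    try:
        parser(value)
        return True
    except ValueError:
        return False


def strict_validate(body: dict) -> list:
    """Each required field must be present, non-null and well-formed.
    Returns a list of 'field: reason' strings; empty list means valid."""
    errors = []

    def need(key, ok, msg):
        value = body.get(key)
        if value is None or not ok(value):
            errors.append(f"{key}: {msg}")

    need("email", lambda v: isinstance(v, str) and bool(EMAIL_RE.match(v)), "valid address required")
    need("phoneNumber", lambda v: isinstance(v, str) and bool(PHONE_RE.match(v)), "valid number required")
    need("gdprConfirmed", lambda v: v is True, "explicit consent required")  # not just truthy
    need("firstName", lambda v: isinstance(v, str) and v.strip() != "", "non-empty string required")
    need("lastName", lambda v: isinstance(v, str) and v.strip() != "", "non-empty string required")
    need("booking_date", lambda v: isinstance(v, str) and _is_iso(date.fromisoformat, v), "ISO date required")
    need("booking_time", lambda v: isinstance(v, str) and _is_iso(time.fromisoformat, v), "HH:MM time required")
    return errors


def parse_query(qs: str) -> dict:
    """Mimics bracket-suffix array parsing ('k[]' becomes a list).
    Assumption about the target's framework, used to reproduce Issue 2 locally."""
    out = {}
    for key, vals in parse_qs(qs, keep_blank_values=True).items():
        if key.endswith("[]"):
            out[key[:-2]] = [v for v in vals if v != ""]
        else:
            out[key] = vals[0] if len(vals) == 1 else vals
    return out


def weak_date_filter(params: dict):
    """Assumed flaw behind Issue 2: an empty list is falsy, so the date
    filter is silently dropped (None = 'no filter') and the query runs unrestricted."""
    value = params.get("bookingdatefrom")
    return value if value else None


def strict_scalar_date(params: dict, name: str) -> str:
    """Accept exactly one non-empty ISO date string; lists, objects, null and
    empty strings are rejected instead of being coerced or ignored."""
    value = params.get(name)
    if not isinstance(value, str) or value == "":
        raise ValueError(f"{name}: a single scalar value is required")
    date.fromisoformat(value)  # ValueError on malformed input
    return value


if __name__ == "__main__":
    print("weak:", weak_validate(NULL_BODY), "strict:", strict_validate(NULL_BODY))
    print("weak filter:", weak_date_filter(parse_query("bookingdatefrom[]")))
```

The key design choice is that every check names the type it expects and treats `None`, the empty string and a list as distinct failures rather than collapsing them into "falsy"; that single habit closes both the null-body bypass and the empty-array filter drop.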

I immediately submitted this issue to the Intigriti team. They confirmed this is a valid security issue, accepted my report, and awarded me a €€€ bounty.

If you have any queries regarding these issues, feel free to DM me @dewcode91.
Happy hunting!

Security Researcher | Bug Bounty Hunter