How I earned €€€€ by breaking the back-end logic of the server

Hello bug hunters! I am back with another blog. I found these cool bugs in one of the private programs at intigriti, so I will not disclose the program name; I will use example.com instead of the original domain name.

Issue 1: Bypassing input validation via `null` value

The target program is a self-developed customer portal from Hotels High, through which customers can book their visits. This program targets the staging environment, where data can safely be created and modified. Normally customers are provided with a customer registration code with which they can make a booking. The booking request body looks like this:

```json
{
  "registerCode": "CS1337",
  "gender": "male",
  "booking_date": "2021-10-03",
  "email": null,
  "firstName": "first_name",
  "lastName": "Last_name",
  "gdprConfirmed": null,
  "phoneNumber": null,
  "booking_time": "14:50"
}
```
http_request
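The null-value pattern above, as an added example that is not part of the original post or the portal's code: a presence-only validator that lets the `null` fields through, next to a hardened one that treats `null` like a missing field and also checks the shape of each value. The required-field list and the sample body are assumptions modelled on the request shown.

```python
import json
import re
from typing import Any

# Assumed set of fields the portal requires, taken from the request body above.
REQUIRED_FIELDS = ("registerCode", "gender", "booking_date", "email",
                   "firstName", "lastName", "gdprConfirmed", "phoneNumber",
                   "booking_time")

# Constructed sample: same shape as the request in the write-up.
SAMPLE_BODY = json.loads("""{
  "registerCode": "CS1337", "gender": "male", "booking_date": "2021-10-03",
  "email": null, "firstName": "first_name", "lastName": "Last_name",
  "gdprConfirmed": null, "phoneNumber": null, "booking_time": "14:50"
}""")


def validate_presence_only(body: dict[str, Any]) -> list[str]:
    """Weak check: only asks whether the key exists, so an explicit JSON
    null ("email": null) counts as a supplied value and nothing is flagged."""
    return [f for f in REQUIRED_FIELDS if f not in body]


def validate_strict(body: dict[str, Any]) -> list[str]:
    """Hardened check: the key must exist, must not be null, and must have
    the expected type and shape before the booking is accepted."""
    errors = []
    for f in REQUIRED_FIELDS:
        if body.get(f) is None:           # catches both an absent key and null
            errors.append(f"{f}: missing or null")
    if errors:
        return errors
    email = body["email"]
    if not isinstance(email, str) or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        errors.append("email: not a valid address")
    if body["gdprConfirmed"] is not True:  # consent must be an explicit boolean true
        errors.append("gdprConfirmed: consent not given")
    phone = body["phoneNumber"]
    if not isinstance(phone, str) or not re.fullmatch(r"\+?[0-9 ]{6,20}", phone):
        errors.append("phoneNumber: not a valid number")
    return errors
```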

Issue 2: Information disclosure via an empty array [ ]

While testing the application as a low-privilege user, I found an endpoint that allows access to the bookings data: event/api/v1/bookings?page=0&perpage=25&pagesize=25&sort=%2BbookingDate&sortby=bookingDate&ascending=true&bookingdatefrom=<DATE>&visitdatefrom=<DATE>.
When a user makes a GET request to this endpoint, he gets a null response.

Security Researcher | Bug Bounty Hunter
