How did I earn €€€€ by breaking the back-end logic of the server

Issue 1: Bypassing input validation via `null` value

{
  "registerCode": "CS1337",
  "gender": "male",
  "booking_date": "2021-10-03",
  "email": null,
  "firstName": "first_name",
  "lastName": "Last_name",
  "gdprConfirmed": null,
  "phoneNumber": null,
  "booking_time": "14:50"
}
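The server code behind Issue 1 is not shown on this page. The following is an added example, not the author's or the affected application's code, of one common way a `null` value slips past validation and how a stricter check closes it. The function names, regexes and the truthiness-based check are assumptions; the sample body reuses the fields from the request above.

```python
import re

# Assumed format rules; the real application's rules are not on the page.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")

# Constructed request body mirroring the fields shown above (JSON null -> None).
BODY = {
    "registerCode": "CS1337", "gender": "male", "booking_date": "2021-10-03",
    "email": None, "firstName": "first_name", "lastName": "Last_name",
    "gdprConfirmed": None, "phoneNumber": None, "booking_time": "14:50",
}


def validate_lenient(body):
    """Hypothetical weak validator: format checks run only on truthy values."""
    errors = []
    if body.get("email") and not EMAIL_RE.match(body["email"]):
        errors.append("email")
    if body.get("phoneNumber") and not PHONE_RE.match(body["phoneNumber"]):
        errors.append("phoneNumber")
    if body.get("gdprConfirmed") is False:  # null is not False, so it passes
        errors.append("gdprConfirmed")
    return errors


def validate_strict(body):
    """Presence and type are checked before format; null counts as a failure."""
    errors = []
    for field, pattern in (("email", EMAIL_RE), ("phoneNumber", PHONE_RE)):
        value = body.get(field)
        if not isinstance(value, str) or not pattern.match(value):
            errors.append(field)
    if body.get("gdprConfirmed") is not True:  # only a literal true is consent
        errors.append("gdprConfirmed")
    return errors


if __name__ == "__main__":
    print("lenient:", validate_lenient(BODY))
    print("strict: ", validate_strict(BODY))
```

The lenient validator still rejects a malformed string, which is why this class of bug survives ordinary testing: only the absent or `null` case skips the check.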

Issue 2: Information disclosure via an empty array [ ]




Security Researcher | Bug Bounty Hunter

Dewanand Vishal
