How I earned €€€€ by breaking the back-end logic of the server
Hello bug hunters! I am back with another blog post. I found these two bugs in one of the private programs at Intigriti, so I will not disclose the program name; I will use example.com instead of the original domain name.
Issue 1: Bypassing input validation via `null` value
The target is a self-developed customer portal from Hotels High, where customers can book their visits. The program targets the staging environment, where data can safely be created and modified. Normally customers are given a customer registration code with which they can make a booking.
While testing the application, I noticed that in the registration workflow it is not possible to create a booking without phoneNumber, email and the other required parameters. However, I observed suspicious behaviour at the booking-creation endpoint: it accepts a request in which those fields are set to null.
{
  "registerCode": "CS1337",
  "gender": "male",
  "booking_date": "2021-10-03",
  "email": null,
  "firstName": "first_name",
  "lastName": "Last_name",
  "gdprConfirmed": null,
  "phoneNumber": null,
  "booking_time": "14:50"
}
To reproduce: look for the path API/v1/rest/customer/booking/create/ in the proxy history, send the request to Repeater, and replace the email, gdprConfirmed and phoneNumber values with null. The back-end validation is bypassed and the booking is created without any of those fields.
After verifying the issue I submitted it to the Intigriti team. They confirmed it as a valid security issue, accepted my report two days later and awarded me a €€€ bounty.
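To make the root cause concrete, here is a small Python reconstruction of this bug class. It is an added example, not the portal's code: the field names come from the request above, but the validator logic, the helper names (validate_weak, validate_strict, create_booking) and the sample input are assumptions about how a back-end ends up accepting null for a "required" field.

```python
# Added example (not the portal's code): a validator that only checks that a
# key is present treats JSON null as a value, so {"email": null} passes.
# Field names come from the request in the write-up; the validator logic is
# assumed, since the real back-end is not known.
import json
from datetime import date, time

# Fields the registration form refuses to submit empty (from the request above).
REQUIRED = ("registerCode", "gender", "booking_date", "email", "firstName",
            "lastName", "gdprConfirmed", "phoneNumber", "booking_time")

# Constructed input: the bypass request from the write-up, parsed as the server would.
BYPASS_REQUEST = json.loads("""{
  "registerCode": "CS1337", "gender": "male", "booking_date": "2021-10-03",
  "email": null, "firstName": "first_name", "lastName": "Last_name",
  "gdprConfirmed": null, "phoneNumber": null, "booking_time": "14:50"
}""")


def validate_weak(body):
    """Hypothetical vulnerable check: 'required' means 'key exists'.

    json.loads turns JSON null into Python None but keeps the key, so a body
    with "email": null has every required key and produces no errors.
    """
    return [f"{k}: missing" for k in REQUIRED if k not in body]


def validate_strict(body):
    """Hardened check: present, non-null, and of the expected type/format."""
    # body.get(k) is None covers both an absent key and an explicit JSON null.
    errors = [f"{k}: missing or null" for k in REQUIRED if body.get(k) is None]
    if errors:
        return errors
    for k in ("registerCode", "gender", "email", "firstName", "lastName", "phoneNumber"):
        if not isinstance(body[k], str) or not body[k].strip():
            errors.append(f"{k}: must be a non-empty string")
    if "@" not in str(body["email"]):
        errors.append("email: invalid")
    # Consent must be the JSON boolean true, not a truthy string or number.
    if body["gdprConfirmed"] is not True:
        errors.append("gdprConfirmed: must be true")
    try:
        date.fromisoformat(body["booking_date"])
        time.fromisoformat(body["booking_time"])
    except (TypeError, ValueError):
        errors.append("booking_date/booking_time: expected YYYY-MM-DD and HH:MM")
    return errors


def create_booking(body, validator):
    """Mimics the endpoint: ('created', booking) or ('rejected', errors)."""
    errors = validator(body)
    if errors:
        return "rejected", errors
    return "created", {k: body[k] for k in REQUIRED}


if __name__ == "__main__":
    print(create_booking(BYPASS_REQUEST, validate_weak))    # accepted: the bug
    print(create_booking(BYPASS_REQUEST, validate_strict))  # rejected, three errors
```

The line that matters is body.get(k) is None: it treats an absent key and an explicit null identically, which is exactly what the weak check fails to do. Comparing gdprConfirmed against the literal True also stops "true", 1 or [] from counting as consent.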
Issue 2: Information disclosure via an empty array [ ]
While testing the application as a low-privilege user, I found an endpoint that returns booking data:
event/api/v1/bookings?page=0&perpage=25&pagesize=25&sort=%2BbookingDate&sortby=bookingDate&ascending=true&bookingdatefrom=<DATE>&visitdatefrom=<DATE>
A normal GET request to this endpoint returns a null response. But if the user sends the same GET request with an empty array [] appended to the bookingdatefrom parameter, the booking data is returned.
I immediately submitted this issue to the Intigriti team. They confirmed it as a valid security issue, accepted my report and awarded me a €€€ bounty.
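Here is an added Python reconstruction of how an empty array can make a filter disappear. It is not the portal's code: the real server logic is unknown, so the framework-style query parser, the lenient date parsing, the missing ownership check, the sample bookings and the function names (parse_query, bookings_weak, bookings_strict) are all assumptions. Both spellings of the trick are covered, bookingdatefrom[]= and bookingdatefrom=[], since the write-up does not say which one was sent.

```python
# Added example (not the portal's code): how a query-string array can turn a
# date filter into "no filter". The parser mimics the PHP/Rails convention
# that `key[]=v` yields a list; the lenient date parsing, the missing ownership
# check and the sample bookings are assumptions, since the real server logic
# is not known.
from datetime import date
from urllib.parse import parse_qsl

# Constructed table: the low-privilege caller (customerId 42) owns nothing.
BOOKINGS = [
    {"id": 1, "customerId": 7, "bookingDate": date(2021, 9, 20)},
    {"id": 2, "customerId": 9, "bookingDate": date(2021, 9, 28)},
    {"id": 3, "customerId": 7, "bookingDate": date(2021, 9, 30)},
]

# Constructed query strings: the normal request and two "empty array" variants.
NORMAL = "page=0&perpage=25&sort=%2BbookingDate&bookingdatefrom=2021-10-01"
ARRAY_KEY = "page=0&perpage=25&sort=%2BbookingDate&bookingdatefrom[]=2021-10-01"
ARRAY_VALUE = "page=0&perpage=25&sort=%2BbookingDate&bookingdatefrom=[]"


def parse_query(qs):
    """Framework-style parsing: 'key[]' collects a list, other keys keep a string."""
    params = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key.endswith("[]"):
            params.setdefault(key[:-2], []).append(value)
        else:
            params[key] = value
    return params


def bookings_weak(qs, caller_id):
    """Hypothetical vulnerable handler.

    A list (or the literal string "[]") is not a valid ISO date; the error is
    swallowed and "unparseable" silently becomes "unfiltered". Nothing
    restricts rows to caller_id, so the date window was the only thing
    hiding other customers' bookings.
    """
    try:
        date_from = date.fromisoformat(parse_query(qs).get("bookingdatefrom"))
    except (TypeError, ValueError):
        date_from = None
    rows = BOOKINGS
    if date_from is not None:
        rows = [b for b in rows if b["bookingDate"] >= date_from]
    return rows


def bookings_strict(qs, caller_id):
    """Hardened handler: exactly one string, a valid date, always scoped to the caller."""
    raw = parse_query(qs).get("bookingdatefrom")
    if not isinstance(raw, str):
        raise ValueError("bookingdatefrom must be a single value")
    date_from = date.fromisoformat(raw)  # ValueError here should become a 400
    return [b for b in BOOKINGS
            if b["customerId"] == caller_id and b["bookingDate"] >= date_from]


if __name__ == "__main__":
    print(bookings_weak(NORMAL, 42))     # []: nothing on or after 2021-10-01
    print(bookings_weak(ARRAY_KEY, 42))  # all three rows, none owned by 42
```

Two fixes are needed, not one: rejecting anything that is not a single well-formed value stops the filter from being dropped, and scoping the query to the caller means that even a dropped filter cannot expose someone else's bookings.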
If you have any query regarding these issues, feel free to DM me @dewcode91.
Happy hunting!