How did I earn €€€€ by breaking the back-end logic of the server

Dewanand Vishal
3 min readApr 28, 2021

--

Hello bug hunters! I am back with another blog. I found these cool bugs in one of the private programs at intigriti. So will not disclose the program name, I will use example.com instead of the original domain name.

Issue 1: Bypassing input validation via `null` value

The target program is a self-developed customer portal from Hotels High. Customer can book their visits. This program targets the staging environment where data can safely be created and modified. Normally customers are provided with a customer registration code with which they can make a booking.

While testing the application. I noticed in the registration workflow, it is not possible to create a booking without phoneNumber/email and other required parameters. I observed a suspicious behavior at an endpoint that allows a user to create a booking with null values.

{
"registerCode": "CS1337",
"gender": "male",
"booking_date": "2021-10-03",
"email": null,
"firstName": "first_name",
"lastName": "Last_name",
"gdprConfirmed": null,
"phoneNumber": null,
"booking_time": "14:50"
}

If a user looks for path API/v1/rest/customer/booking/create/ in proxy history, send a request to the repeater and replace email, gdprConfirmed, phoneNumber parameter with null value then he can able to bypass back-end validation and create bookings.

http_request

After validation, I submitted this issue to the intigriti team, They confirmed this is a valid security issue, 2 days later they accepted my report and awarded me a €€€ bounty.

Issue 2: Information disclosure via an empty array [ ]

While testing the application as a low privilege user. I have found an endpoint that allows us to access the bookings data. I noticed this endpointevent/api/v1/bookings?page=0&perpage=25&pagesize=25&sort=%2BbookingDate&sortby=bookingDate&ascending=true&bookingdatefrom=<DATE>&visitdatefrom=<DATE>.
When a user makes a GET request to the above endpoint, he will get a null response.

But if a user makes a GET request and appends an empty array []at bookingdatefrom parameter then he can able to access the booking data.

I immediately submit this issue to the intigriti team, They confirmed this is a valid security issue, accepted my report, and awarded me a €€€ bounty.

If you have any query regarding the issue then feel free to dm me @dewcode91
happy hunting!

References:
https://owasp.org/www-community/attacks/Full_Path_Disclosure

--

--

Dewanand Vishal
Dewanand Vishal

Written by Dewanand Vishal

Security Researcher | Bug Bounty Hunter

Responses (2)