403 Forbidden Bypass Exposing API Key

This report outlines the discovery and exploitation of a vulnerability on redacted.com. I have to keep the company name private due to a NDA. The vulnerability allowed for a bypass of the 403 Forbidden status code, granting access to a secret API key. This report aims to provide a detailed account of the findings and the subsequent steps taken.

2. Background

While conducting a thorough analysis of the redacted website’s functionalities with Burp Suite, I decided to investigate the potential presence of a path traversal vulnerability.

Path traversal, also known as directory traversal, is an attack technique that seeks to access files and directories located outside the web root folder. By manipulating variables referencing files using specific character sequences, such as “../” or absolute file paths, an attacker may gain unauthorized access to sensitive files, including application source code, configuration files, or even critical system files. — OWASP

3. Discovery

Although I was unable to identify a path traversal vulnerability during the analysis, I discovered an interesting endpoint, “/API/V2/,” within the website’s structure. Intrigued by the possibility of uncovering potential vulnerabilities, I attempted to access the endpoint by removing the “/v2/” segment from the URL. Surprisingly, this action redirected them to a page containing API documentation for a third-party service.

4. Initial Access

Denied Upon accessing the API documentation page, I received a 403 Forbidden status code, indicating restricted access. Undeterred, I continued my exploration and experimentation to determine if any security weaknesses could be exploited.

5. 403 Forbidden Bypass

During their investigation, I decided to try URL encoding the endpoint. This technique involves encoding special characters in a URL to ensure proper transmission and interpretation by web servers. By applying URL encoding to the endpoint, I discovered that the 403 Forbidden page could be bypassed successfully, granting access to the previously restricted API documentation.

6. Exposure of Secret API Key

What is an API Key? An application programming interface (API) key is a code used to identify and authenticate an application or user. They control requests made between programs, how those requests are made, and the data formats used.

Once the 403 Forbidden bypass was accomplished, I noticed that the response in burp contained a secret API key. This key, originally intended to remain concealed, was inadvertently exposed due to the vulnerability. It is important to note that I acted responsibly and did not misuse or disclose this information to any unauthorized parties.

7. Responsible Disclosure

I reported their findings to the redacted website’s security team on Hacker0ne, providing a detailed account of the vulnerability, the steps to reproduce it, and the potential risks associated with the exposed API key. The company acknowledged the report as informative, but did not issue a bounty for the discovery. :(((

8. Conclusion

While the company did not recognize my findings with a bounty, the successful bypass of the 403 Forbidden status code represents a significant achievement in my bug bounty hunting journey. The discovery of this vulnerability and the subsequent responsible disclosure process not only contributed to my personal growth but also highlighted the importance of thorough security testing and continuous improvement in web application development. I express gratitude to all who have read this report and hopes that it serves as an educational resource for others interested in Bug Bounty Hunting.

Another thing, I’m always willing to collaborate with other researchers! Feel free to reach out to me!

Happy hacking!