Ability to Deny Subaccounts feature from all users


0xAb031n0uR

In the name of God, the Most Gracious, the Most Merciful

I will share with you how my friend Mostafa Mamdoh and I were able to deny all users from creating sub-accounts in the application.

First, the application has a feature that allows clients to create sub-accounts with different permissions.

I noticed that when I edited a permission for a sub-account, the request data looked like this:

{
    "security": true,
    "contacts": true,
    "send_emails": true,
    "id": 2023
}

So, I tried to change the “id” to that of another sub-account in a different client, but the response was “not allowed”.

Then, I changed the “id” to “1e9”. I noticed that my “id” changed to “1000000000”, and when I created another sub-account, it had “1000000001” as the “id”.

I decided to change this “id” to the maximum integer of “2147483647”. After making this change, the whole application returned a server error when any client tried to create a sub-account because the “id” reached the maximum value.

We were rewarded with $2,250.
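
The root cause described above, a writable primary key in the permission-update body, is shown here next to a hardened handler. This is an added example, not code from the original post or the affected application. The `SubAccountTable` class, the handler names and the rule that the counter follows the highest key written are assumptions modelled on the behaviour the post reports.

```python
import json

INT32_MAX = 2147483647
PERMISSION_FIELDS = {"security", "contacts", "send_emails"}  # fields from the request above


class SubAccountTable:
    """Constructed stand-in for a table with a signed 32-bit auto-increment key."""

    def __init__(self):
        self.rows = {}
        self.next_id = 1

    def create(self, owner):
        if self.next_id > INT32_MAX:
            raise OverflowError("auto-increment key exhausted")
        row_id = self.next_id
        self.rows[row_id] = {"owner": owner, "security": False,
                             "contacts": False, "send_emails": False}
        self.next_id += 1
        return row_id

    def rekey(self, old_id, new_id):
        # Assumption matching the post: the counter follows the highest key written.
        self.rows[new_id] = self.rows.pop(old_id)
        self.next_id = max(self.next_id, new_id + 1)


def update_vulnerable(table, current_id, raw_body):
    """Copies every body field onto the row, primary key included."""
    body = json.loads(raw_body)
    new_id = int(body.pop("id"))  # JSON 1e9 parses as a float; int() gives 1000000000
    table.rows[current_id].update(body)
    if new_id != current_id:
        table.rekey(current_id, new_id)
    return new_id


def update_hardened(table, current_id, raw_body):
    """Row is chosen server-side; only boolean permission fields are writable."""
    body = json.loads(raw_body)
    unknown = set(body) - PERMISSION_FIELDS
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    if not all(isinstance(v, bool) for v in body.values()):
        raise ValueError("permission values must be JSON booleans")
    table.rows[current_id].update(body)
    return current_id
```

In the hardened handler `current_id` comes from the authenticated route or session, so the body can never name or rename a row.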
