An Interesting Business Logic Bug

Hi, this write-up is about an interesting bug which was something new I found while playing around with my private program.

Hello, Fellow Hackers 🎃

Today, I’d like to share an Interesting logic bug I found in a 1-year-old running program, which I believe started in 2019 and when I received the invitation of that program, It was about to get closed like in 10 days

I was like this program is well tested and I would hardly find anything, but losing hope is never an option so I started fuzzing everything and started to check every functionality I could and try if I could abuse it but no luck

After 3 days of using the web-app as a normal user, checking every functionality, going through all proxy history via Burp, relentlessly doing way-back URLs going through all the endpoints I found nothing but I was like last 7 days, Lets not loose hope and aim for the best

I came across something unusual after days of using the web-app as a normal user.

( The reason, I’m highlighting using the web-app as a normal user is some of us just jump in the web-app without understanding the target and try to find bugs but that’s completely wrong)

Before finding this bug even I was like, just jump in the target and try to get bugs but that is completely wrong

So, let’s come to the point about the unusual part, so the unusual part was the web-application was very serious about the session management issues and due to inactivity, It would log you out and will force you to login again

So, I was like hmm let’s focus on this behavior. And I opened all the possible sensitive endpoints of the web-app while logged in and started waiting for the web-app to kick me out due to inactivity and check if all the sensitive endpoints are authenticated or not!

And yes! My prediction was right, sensitive endpoints didn't kick me out but the main “Home” page did due to inactivity this makes the web-app vulnerable to according to Bugcrowd VRT

Broken Authentication and Session Management > Failure to Invalidate Session > On sensitive endpoints

I reported the bug and one more thing the program didn’t pay for P4 submissions but here’s what happened with me

I hope you enjoyed reading it & if yes? Follow me on twitter ArmanSameer95

(PRO-TIP) by DK999:

कर्म किए जाओ, फल की आशा ना करो | Keep doing your part of work don’t expect fruit