Breaking into the VIP Club: A Tale of Parameter Tampering Exploits


Jody ritonga

Hello everyone! It’s been a year since I last wrote my write up. I’ve been busy with college life, but now that I’m almost finished with college, I’m trying to write more often and share my hacking journey. I’m a beginner myself, but I hope my writing can give you a few tips and tricks on how to approach targets and identify vulnerabilities in real systems.

Before we get into the story of “Breaking into the VIP Club: A Tale of Parameter Tampering Exploits,” thank you for reading this simple write up. I hope it can be a blessing for all of you. If you find any misinformation, please don’t hesitate to tell me in the comments, or you can send me a message on LinkedIn. It always makes me happy to receive criticism to improve my mistakes and the flow of my writing.

Brief explanation of the bug

So the bug that I found is actually really simple. It’s called parameter tampering. Some of you who read a lot of write-ups are probably already familiar with it. The vulnerability occurs when the parameters exchanged between client and server in a web application can be manipulated by the client. This usually happens when the server doesn’t perform proper validation and accepts the user’s request as is. As I usually say, the quickest way to get your website hacked is to accept user requests without proper validation.

This vulnerability can often be exploited by changing the price of a product, getting free items, and other similar actions. It’s not a sophisticated attack that needs a lot of code. You just need to understand the flow and focus on the requests you see. Without further ado, let’s get into the exciting part, which is the write-up!

Write up

So this vulnerability was found in a startup in Indonesia that focuses on job searches. As my lovely readers know, I’m not a fan of automation, so I like to approach my target with care and gentleness. I tried testing the login form for missing rate limiting, password tampering, host header injection, etc., but I didn’t find any vulnerabilities.

Oh, before I continue, here’s a tip from me: when you test for vulnerabilities on one page but don’t find any, don’t give up! Try testing other pages and so on. Just don’t give up, okay?

the price of giving up

So when I opened the main page, I saw a new feature that had been implemented. There is an option to upgrade your account to VIP. The benefits of being a VIP include getting job offers faster, having a unique border on your profile photo, and many other advantages. When I saw this, I thought, “Oh, the tasty, delicious fresh meat is here.”

So I launched Burp Suite and intercepted the request to buy the VIP upgrade, and the request looked like this:

Yes! I know all of your hacker instincts are probably screaming, “JACKPOT! THE BUG IS RIGHT THERE!” But some of you may not yet be familiar with this tampering bug. As you can see, this is the JSON body that gets sent:

{
"is_paid": false, //this is important
"payment_method": "xxx",
"amount": 15000, //this is important
"product_name": "xxx",
"timezone_offset": -7
}

So, if you see the comments I wrote, “this is important,” those two pieces of data are very crucial. Why? As you can see, they are under my control, not the server’s. I, as the user, can manipulate them. Normally, only the server should determine the price amount and whether it has been paid. However, because the determination is in my hands, I can change “is_paid” to true or adjust the amount to zero. Therefore, I changed “is_paid” to true.

So it becomes like this:

{
"is_paid": true, //I changed this to true
"payment_method": "xxx",
"amount": 15000, //if you want, you can change the price too, and it works
"product_name": "xxx",
"timezone_offset": -7
}

And when I checked my profile border, I had the VIP border! After that I wrote the report and the company gave me $200 for this vulnerability. (Yes, it’s a small amount, but I don’t complain, because I’m happy that I can actually practice my skills.)
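To make the root cause concrete, here is an added example (not code from the post or from the affected company) of a purchase handler that trusts the client’s is_paid and amount fields beside a hardened version that only takes the product name and a payment reference from the client and looks up the price and payment status server-side. The product catalogue, the payment ledger and the payment_id field are constructed assumptions for this illustration.

```python
import json

# Constructed server-side data (assumption for this example, not from the post):
# a price catalogue and a mock payment-gateway ledger the server can query.
PRODUCTS = {"vip_monthly": 15000}
GATEWAY = {"pay_001": {"product": "vip_monthly", "amount": 15000, "status": "settled"}}

def vulnerable_upgrade(body: str) -> dict:
    """Mirrors the bug in the write-up: is_paid and amount are taken from the client."""
    req = json.loads(body)
    if req.get("is_paid") is True:
        return {"vip": True, "charged": req.get("amount", 0)}
    return {"vip": False, "charged": 0}

def hardened_upgrade(body: str) -> dict:
    """Server decides price and paid state; client fields only name the product and payment."""
    req = json.loads(body)
    product = req.get("product_name")
    if product not in PRODUCTS:
        return {"vip": False, "charged": 0, "error": "unknown product"}
    price = PRODUCTS[product]
    # Detection signal: a client that sends is_paid or a non-catalogue amount is worth logging.
    tampered = "is_paid" in req or req.get("amount", price) != price
    payment = GATEWAY.get(req.get("payment_id"))  # payment_id is an assumed field name
    if payment is None or payment["status"] != "settled":
        return {"vip": False, "charged": 0, "error": "no settled payment", "tampered": tampered}
    if payment["product"] != product or payment["amount"] != price:
        return {"vip": False, "charged": 0, "error": "payment mismatch", "tampered": tampered}
    return {"vip": True, "charged": price, "tampered": tampered}

# Constructed request mirroring the tampered body from the write-up (is_paid flipped, amount zeroed)
TAMPERED = json.dumps({"is_paid": True, "payment_method": "xxx", "amount": 0,
                       "product_name": "vip_monthly", "timezone_offset": -7})
# Constructed legitimate request that references a settled payment instead of asserting payment
LEGIT = json.dumps({"payment_id": "pay_001", "payment_method": "xxx",
                    "product_name": "vip_monthly", "timezone_offset": -7})

if __name__ == "__main__":
    print(vulnerable_upgrade(TAMPERED))  # grants VIP for 0
    print(hardened_upgrade(TAMPERED))    # rejected, flagged as tampered
    print(hardened_upgrade(LEGIT))       # granted, charged the catalogue price
```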

Conclusion

Searching for a bug doesn’t need to be complicated or require complex payloads. By understanding the website’s features and exploring multiple areas, you’ll be surprised at how easily a critical bug can be found and exploited. So whenever you intercept a request or response and inspect its data, try to tamper with it; perhaps the server isn’t validating properly. In bug bounty hunting, avoid assumptions. Test more and take action rather than assuming and doing nothing!

I hope you enjoyed reading about how I found this vulnerability. If you like this type of write-up with a storytelling touch, feel free to follow me for more! I promise to write more frequently.

If you have trouble understanding this, please don’t hesitate to reach out in the comments section!
