Broken Access Control on an E-commerce website allows attackers to lengthen trial plan


p00dl3

Hello hackers, long time no see. If you haven’t read my previous write-up, you can have a look here: How I found Reflected XSS which leads to Account Takeover on an E-commerce website

Recently I was so busy with my internship that I didn’t spend much time on bug bounty hunting. I hope you’re doing well. Today I want to share with you a simple bug that allowed me to increase the trial period on an e-commerce website. Before we start, I’m just a student, so your support will help me a lot. Buy me a coffee via https://www.buymeacoffee.com/p00dl3 and https://www.paypal.com/paypalme/npthin1804. Without further ado, let’s get started!!!

I can’t disclose the target, so let’s call the website REDACTED.com. This is an e-commerce platform that allows businesses to create online stores. It provides a wide range of features like store design, product creation and so on. For better visualization, it’s similar to Shopify :). There’s an endpoint at REDACTED.com/start-your-trial/ that lets you create a trial store which lasts for 15 days. And the cool thing here is, we can bypass that limit to increase the duration. After filling in all the information, I clicked the sign-up button, examined the request in the Proxy history in Burp Suite, and the endpoint api/trials/create-store caught my attention.

Let’s focus on the plan_sku parameter. The number of days is encoded in the value the client sends, so if the server trusts it we may be able to change it and get a longer trial. With that idea in mind, I created other accounts, turned on intercept and changed the value of plan_sku to STORE-TRIAL-30DAY and STORE-TRIAL-60DAY, and guess what? It worked guys!!!

Trial plan changed to 60 days
Displayed in UI

However, I tried STORE-TRIAL-100DAY and it failed. So I guess the number of days has to be a multiple of 15 (maybe some check happens in the backend).
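The root cause described above (the server deriving the trial length from a client-controlled plan_sku, with at best a pattern check that still lets 30DAY and 60DAY through) is easy to see in a small model of the create-store handler. The following is an added example, not code from the write-up or from the affected platform: it reconstructs a vulnerable handler, a hypothetical "multiple of 15" check matching the observed behaviour, and a hardened handler that treats the trial plan as server-side policy. The SKU name STORE-TRIAL-15DAY, the handler names and the request shape are assumptions.

```python
import re
from datetime import date, timedelta

# Assumed: the SKU the public sign-up form sends for the standard 15-day trial.
# The write-up only shows 30DAY/60DAY/100DAY, so this exact name is constructed.
PUBLIC_TRIAL_SKU = "STORE-TRIAL-15DAY"
PUBLIC_TRIAL_DAYS = 15
TRIAL_SKU_RE = re.compile(r"^STORE-TRIAL-(\d+)DAY$")

# Constructed audit sink so a tampered request is visible to detection.
TAMPER_EVENTS = []


class Rejected(Exception):
    """Raised when the handler refuses the request."""


def _days_from_sku(sku: str) -> int:
    match = TRIAL_SKU_RE.match(sku or "")
    if not match:
        raise Rejected("unknown plan_sku")
    return int(match.group(1))


def create_store_vulnerable(body: dict, today: date) -> dict:
    """Broken: the trial length comes straight from the client's plan_sku,
    so any STORE-TRIAL-<n>DAY value sets the expiry."""
    days = _days_from_sku(body.get("plan_sku"))
    return {"plan_sku": body["plan_sku"], "trial_ends": today + timedelta(days=days)}


def create_store_multiple_of_15(body: dict, today: date) -> dict:
    """Hypothetical reconstruction of the observed backend: a value check that
    rejects 100DAY but still accepts 30DAY and 60DAY. A format check on an
    attacker-controlled field is not an authorization decision."""
    days = _days_from_sku(body.get("plan_sku"))
    if days % 15 != 0:
        raise Rejected("plan_sku day count must be a multiple of 15")
    return {"plan_sku": body["plan_sku"], "trial_ends": today + timedelta(days=days)}


def create_store_hardened(body: dict, today: date) -> dict:
    """Fixed: the trial plan is decided server-side, never read from the request.
    A client-submitted plan_sku that differs from the public plan is recorded
    as a tamper event (useful for detection) and otherwise ignored."""
    submitted = body.get("plan_sku")
    if submitted is not None and submitted != PUBLIC_TRIAL_SKU:
        TAMPER_EVENTS.append({"submitted_plan_sku": submitted, "date": today})
    return {
        "plan_sku": PUBLIC_TRIAL_SKU,
        "trial_ends": today + timedelta(days=PUBLIC_TRIAL_DAYS),
    }


if __name__ == "__main__":
    # Constructed request bodies: what the form sends, and a tampered copy.
    honest = {"store_name": "demo", "plan_sku": PUBLIC_TRIAL_SKU}
    tampered = {"store_name": "demo", "plan_sku": "STORE-TRIAL-60DAY"}
    start = date(2024, 1, 1)
    print("vulnerable :", create_store_vulnerable(tampered, start))
    print("mult-of-15 :", create_store_multiple_of_15(tampered, start))
    print("hardened   :", create_store_hardened(tampered, start))
    print("hardened   :", create_store_hardened(honest, start))
    print("tamper log :", TAMPER_EVENTS)
```

The design point is that the plan identifier should never be an input the create-store endpoint honours for a public trial; if several trial plans genuinely exist, the server should map the caller's entitlement (for example an invite code or partner account checked server-side) to a plan, rather than validating the shape of whatever SKU string arrives. Logging the mismatch gives the SOC a cheap signal for this class of parameter tampering.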

The website had some problems with account creation, so I wasn’t able to create another one to check. I stopped there and started writing a thorough report. In the past I had a lot of invalid bugs, some out of scope, some closed as informative, so I didn’t expect much from this one. After 3 days, this is what I received

Still no luck :((. Anyway, this is my first valid bug; I just wasn’t fast enough to find it. Honestly, this game is competitive, there are a lot of talented hackers out there. I guess you guys will find it challenging in the beginning, I’m also suffering from it. However, big things start from small ones. Believe in yourself and keep learning and hacking. You’ll soon get it. Together we’ll find our first bugs.

This is the end of this write-up. I’m so thankful that you kept reading until now. I appreciate every view, clap and bit of support from you guys. I’m also open to collaboration. You can find me on Discord: _p00dl3
