BOOK THIS SPACE FOR AD
ARTICLE ADHi gus i will share my last finding on vdp program on hacker while report closed so i dont need to hide my program name so lets go
It is Cors Misconfiguration lead me to read user data so first lets explain what is Cors Misconfiguration ?
A cross-origin resource-sharing misconfiguration occurs when the web server allows third-party domains to perform privileged tasks through the browsers of legitimate users. As the CORS mechanism relies on HTTP headers, a browser makes preflight requests to the cross-domain resource and checks whether the browser will be authorized to serve the actual request. Therefore, improper configuration of CORS headers allows malicious domains to access and exploit the web server’s API endpoints.
For more details you can read this article https://crashtestsecurity.com/cors-misconfiguration/
So now lets start
First while i explore site and let burp working i noticed request to /authenticate/current-user endpoint that retrive current user information request have origin header so i tried to change it and it work
so i go and create an account
Here u can see fake info for account and as poc here
Tip:
Always noitce origin header for request that retrive important information