Indeed, Allah and His angels send blessings upon the Prophet. O you who believe, send blessings upon him and greet him with peace.
Salam Alaikum, guys!
I hope you’re all doing well.
Today, I want to share a cool bug I found in an external program. I’ll also include some useful tips related to IDOR (Insecure Direct Object Reference) bugs.
By the way:
If you want to start hunting on external programs, believe me, it's a good idea. I know some people might say they're scammers and you're wasting your time, but just give it a try.
I truly believe in what Douidi Youssef said:
“Sustenance is out there, guys, God willing, but for those who work and strive.”
Let's dive in now 🐱👤
My methodology starts with the main domain, where I focus on understanding the program’s logic and how its features work. Once I grasp the system, I explore all its functions to uncover hidden details. Finally, I analyze requests to find vulnerabilities like access control flaws or parameter tampering…
I started analyzing the API requests of a section named Alliance.
The Alliance section🧐 is where you empower customers to become part of your referral program. Customers can generate unique sharing links like:
https://captinsharky.com/joinSharkycompany?via=test1company
With these links, customers can refer others to your program. Every time a referred customer makes a payment, the referrer earns 20% of the payment as a reward.
This system benefits both the company and the referrers, fostering collaboration and growth through shared incentives.
For example, when generating a new link in a referral section, if the system prompts for my PayPal email, I inspect the request. A typical endpoint might look like:
/api/auth/companyInfo/Alliance/SharkyCompany
with a payload such as:
{
"email": "sharky.company@sharky.com"
}
I then changed SharkyCompany to Tesed and got a 200 Success response.
At first I said it's a false positive, so I quickly went to add another account to test, and boom, the bug worked 🤯🤑
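The missing check behind this bug, as an added example (not code from the program in question): a minimal in-memory model of the endpoint, with a handler that trusts the company name in the path beside one that compares it to the company bound to the session. The session tokens, stored data and function names are assumptions made up for the illustration.

```python
# Added example: in-memory model of the referral endpoint. Store contents,
# session tokens and function names are constructed for illustration.
import re

ROUTE = re.compile(r"^/api/auth/companyInfo/Alliance/(?P<company>[A-Za-z0-9_-]+)$")

def new_store():
    # company -> PayPal payout email for referral rewards (constructed data)
    return {"SharkyCompany": "sharky.company@sharky.com",
            "Tesed": "owner@tesed.example"}

# session token -> company the logged-in user belongs to (constructed data)
SESSIONS = {"token-sharky": "SharkyCompany", "token-tesed": "Tesed"}

def update_payout_vulnerable(store, token, path, body):
    """Authenticates the caller but trusts the company name in the URL."""
    if token not in SESSIONS:
        return 401
    m = ROUTE.match(path)
    if not m or m["company"] not in store:
        return 404
    store[m["company"]] = body["email"]   # no ownership check: IDOR
    return 200

def update_payout_hardened(store, token, path, body):
    """Same handler with object-level authorization against the session."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401
    m = ROUTE.match(path)
    if not m:
        return 404
    # Checked before any lookup, so the reply does not reveal which names exist.
    if m["company"] != owner:
        return 403
    store[owner] = body["email"]
    return 200

def cross_account_check(handler):
    """Two-account regression check: account A targets account B's object."""
    store = new_store()
    before = store["Tesed"]
    status = handler(store, "token-sharky",
                     "/api/auth/companyInfo/Alliance/Tesed",
                     {"email": "sharky.company@sharky.com"})
    return status, store["Tesed"] == before  # (status, B left unchanged?)
```

Running `cross_account_check` against both handlers gives the same two-account test described above in a form that can sit in a regression suite.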