From oos: getting a bounty for Improper Access Control to create a commentor account on the application
Hello hackers! I hope you’re enjoying your good old days of bug hunting. Today, I’m excited to share a test case that earned me a $300 bounty with some relatively simple steps. But before diving into the technical details, let me give you a brief overview of the application. It’s a news channel website where viewers are granted read-only access. The application has many endpoints, but you can’t perform any actions on them, and they don’t even appear in the Burp Suite history: they are only triggered after logging into the application with some role. From an external perspective, however, there is no login page, so we can’t log in directly.
So how did I manage to create a “commentator” role? That’s what this article is all about! By identifying a subtle vulnerability and exploiting it, I was able to bypass the typical access controls and gain the ability to create roles, something that wasn’t supposed to be possible. I hope this test case becomes a valuable addition to your bug bounty toolkit. Happy hunting, and may you find plenty of bugs and bounties just like this one!
I cannot disclose the name of the application, as it was a private programme I was invited to on YesWeHack.
Step 1: Discover the Exposed JavaScript File
When I begin testing any application, my first step is to use Ctrl + Shift + F to search for endpoints across the entire application. Searching for /api/ in this way, I identified the vulnerable endpoint inside a JavaScript file:
https://redacted.net/assets/js/admin.614ccb6cee64b2efd3ac057eb5e6eb15.js
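The search the author does by hand with Ctrl + Shift + F can be scripted, which is also useful on the defending side: run it over your own build output to see which server routes every anonymous visitor can learn about. The block below is an added example, not code from the original post or from the affected site; the bundle text is constructed, and the only path in it taken from the post is /api/auth/local/signup.

```javascript
// Added example (not from the original post): scan a published JavaScript
// bundle for the API paths it references, then flag the ones whose names
// suggest account creation or administration so their server-side
// authorization checks get verified first.

// Constructed stand-in for a minified bundle. Only /api/auth/local/signup is
// from the post; the other paths are made up for the example.
const SAMPLE_BUNDLE = `
  ...fetch("/api/auth/local/signup",{method:"POST",body:JSON.stringify(t)})...
  ...e.get("/api/articles?page="+n)...
  ...axios.delete('/api/admin/users/'+t.id)...
  ...fetch("/api/auth/local/signup")...
`;

// A quote followed by a path starting with /api/; the match stops at the next
// quote, query string, whitespace or string concatenation.
const API_PATH_RE = /["'`](\/api\/[A-Za-z0-9_\-.\/]*)/g;

// Returns the sorted, de-duplicated list of API paths referenced in `source`.
function extractApiPaths(source) {
  const found = new Set();
  for (const m of source.matchAll(API_PATH_RE)) {
    // Drop the trailing slash left behind by patterns like "/users/" + id.
    found.add(m[1].replace(/\/+$/, ""));
  }
  return [...found].sort();
}

// Paths whose names suggest signup, role handling or administration. Seeing
// one in a public bundle is not a vulnerability by itself, but each one needs
// a confirmed server-side authorization check, not just a hidden UI.
const SENSITIVE_RE = /(signup|register|admin|role)/i;

function flagSensitive(paths) {
  return paths.filter((p) => SENSITIVE_RE.test(p));
}

// Stand-alone run over the constructed bundle.
const referenced = extractApiPaths(SAMPLE_BUNDLE);
console.log("referenced:", referenced);
console.log("review first:", flagSensitive(referenced));
```

Point it at a real bundle by reading the file into `extractApiPaths` instead of `SAMPLE_BUNDLE`; the regex is deliberately loose, so treat its output as a worklist to verify rather than a finding.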
Step 2: Inspect the JavaScript File for API Endpoints
This file contained the logic to interact with the /api/auth/local/signup endpoint, which handles user registration, including the creation of admin accounts. No authentication or authorization checks were implemented on it, making it publicly accessible.
Step 3: Send a POST Request to the Exposed Endpoint as shown below
The commentor role was assigned to me, as seen after a successful login into the application.
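What went wrong on the server side, and what the fix looks like, as an added example that is not code from the original post or from the affected site. It models a self-registration handler in the shape the write-up describes (no authentication, role accepted from the client) next to a hardened shape. The route name /api/auth/local/signup is from the post; the request shape, role names, session object and in-memory store are all assumed.

```javascript
// Added example (not from the original post): the vulnerable signup shape
// beside a hardened one, with the elevated-role path moved behind an admin
// session. Role names, request/session shapes and the store are assumed.

const ROLES = new Set(["viewer", "commentor", "admin"]);
const PRIVILEGED_ROLES = new Set(["commentor", "admin"]);

// In-memory stand-in for the user table plus an audit log (constructed).
function createStore() {
  return { users: new Map(), auditLog: [] };
}

// Vulnerable shape: anyone can call it, and the role comes from the request
// body, so a POST with {"role":"commentor"} yields a commentor account.
function vulnerableSignup(store, req) {
  const { email, password, role } = req.body;
  if (!email || !password) return { status: 400, error: "missing fields" };
  if (store.users.has(email)) return { status: 409, error: "exists" };
  const user = { email, role: role || "viewer" };
  store.users.set(email, user);
  return { status: 201, user };
}

// Hardened shape for the same route:
//  - answers 404 unless self-registration is deliberately enabled (a
//    read-only news site has no reason to expose it at all);
//  - the role is server-assigned: every self-signup is a plain viewer;
//  - a client that sends a privileged role anyway is recorded, which is a
//    cheap detection signal for probing of exactly this kind.
// Password hashing and storage are left out; only presence is validated.
function hardenedSignup(store, req, config = { selfSignupEnabled: false }) {
  if (!config.selfSignupEnabled) return { status: 404, error: "not found" };
  const { email, password, role } = req.body;
  if (!email || !password) return { status: 400, error: "missing fields" };
  if (store.users.has(email)) return { status: 409, error: "exists" };
  if (role && PRIVILEGED_ROLES.has(role)) {
    store.auditLog.push({ event: "privileged_role_in_signup", email, role });
  }
  const user = { email, role: "viewer" }; // client-supplied role is ignored
  store.users.set(email, user);
  return { status: 201, user };
}

// The only way to obtain an elevated role: an authenticated admin session
// (req.session is assumed to be populated by the app's session middleware).
function adminAssignRole(store, req) {
  const session = req.session;
  if (!session || session.role !== "admin") return { status: 403, error: "forbidden" };
  const { email, role } = req.body;
  if (!ROLES.has(role)) return { status: 400, error: "unknown role" };
  const user = store.users.get(email);
  if (!user) return { status: 404, error: "no such user" };
  user.role = role;
  return { status: 200, user };
}

// Replay of the request from the write-up against both handlers.
function replay() {
  const body = { email: "tester@example.invalid", password: "correct-horse", role: "commentor" };
  const before = vulnerableSignup(createStore(), { body });
  const after = hardenedSignup(createStore(), { body });
  return { before, after };
}

console.log(JSON.stringify(replay(), null, 2));
```

The two handlers differ in three places only: whether the route exists at all, who decides the role, and whether an unexpected `role` field is logged. The third is the one most teams skip, and it is what would have shown this probing in the server logs before a report arrived.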
Message from the company
So don’t assume that your finding is out of scope; sometimes the company will provide a bounty as a token of appreciation. So always report your findings.
Special Thanks:
Lastly, I want to take a moment to thank a very special person whom I met on September 30, 2022. I want you to know how much your existence means to me. Thank you for being you.