How I was able to disclose all emails, full names and usernames (users'/admins' PII), and invite any user or admin to any run without knowing their email address
In the name of God, the Most Gracious, the Most Merciful.
Assalamu alaikum. In this write-up I will show you an easy bug that I found on my target, which earned me a good $$$$ bounty.
For those who don't know me, my name is Ahmad Yousef, known in the community as a7madn1. I publish write-ups of the security vulnerabilities I find in bug bounty programs on my Telegram channel t.me/a7madn1
Summary:
Let's say the target is domain.com.
I found an Insecure Direct Object Reference (IDOR) on app.domain.com. The attacker creates a scheduled run, intercepts the request in Burp Suite, and changes the scheduled_run[user_ids][] parameter from their own user id to the victim's user id. The server accepts the victim's id without checking that the attacker is allowed to reference that user.
Example: you have a Run, which contains many tasks you must do. Via the schedule function you can set the time at which you want the Run to be executed.
Note:
When you want to invite anyone to your Run, you must know their email address.
But I bypassed this and was able to invite any user to my Run without knowing their email.
(I was also able to create and control the victim's profile schedule; I will write that up later, InShaAllah.)
Steps to Reproduce:
Go to https://domain.com/scheduled_runs and click on Recurring Run. You will be redirected to https://domain.com/scheduled_runs/new
Open Burp Suite.
Add a random time of day at which you want the run to be executed.
When you click Save, intercept the request in Burp Suite. The request will contain these parameters:
authenticity_token=&scheduled_run[run_at]=6Am&scheduled_run[user_ids[]=&scheduled_run[started_at]=&scheduled_run[active]=0&commit=Save
Replace the value of the scheduled_run[user_ids][] parameter with the victim's user id.
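As an added example that is not part of the original write-up or the target's code, here is the defective handler shape the steps above rely on, beside a hardened version that only resolves scheduled_run[user_ids][] within the caller's own account. It is plain Ruby on in-memory data; User, ScheduledRun and account_id are assumed names, since the target's stack is not known.

```ruby
# Added example, not the target's code: the IDOR from the steps above in plain
# Ruby with in-memory data. User, ScheduledRun and account_id are assumptions.
User = Struct.new(:id, :account_id, :email, :full_name)
ScheduledRun = Struct.new(:owner_id, :run_at, :invitees)
class AuthorizationError < StandardError; end

# Constructed sample directory spanning two accounts (10 and 20).
USERS = [
  User.new(1, 10, "alice@example.com", "Alice"),
  User.new(2, 10, "bob@example.com", "Bob"),
  User.new(3, 20, "carol@example.org", "Carol"), # not in Alice's account
].freeze

def find_users(ids)
  USERS.select { |u| ids.include?(u.id) }
end

# Vulnerable shape: every id in scheduled_run[user_ids][] is resolved against
# the whole table, so the response (or the invite mail) reveals email and
# full name for any user id the caller submits.
def create_run_vulnerable(current_user, params)
  ids = params.fetch("user_ids", []).map(&:to_i)
  ScheduledRun.new(current_user.id, params["run_at"], find_users(ids))
end

# Hardened shape: resolve ids only within the caller's account and fail the
# whole request if anything else was submitted. Unknown ids and ids from
# other accounts produce the same error, so the check itself leaks nothing.
def create_run_hardened(current_user, params)
  ids = params.fetch("user_ids", []).map(&:to_i).uniq
  allowed = find_users(ids).select { |u| u.account_id == current_user.account_id }
  unless allowed.map(&:id).sort == ids.sort
    raise AuthorizationError, "user_ids outside account #{current_user.account_id}"
  end
  ScheduledRun.new(current_user.id, params["run_at"], allowed)
end
```

Rejected requests are worth logging with the acting user's id, since repeated mismatches from one account are the detection signal for this class of probing.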
Conclusion:
With this bug I was able to:
Disclose users'/admins' PII.
Invite any user to my Run without knowing their email.