How I was able to use Premium Feature for Free


Shubham

In this report I was able to use a premium feature for free: I was able to create unlimited forms, which was only allowed for premium users.

Hi folks, This is Shubham Sahu, an independent internet security researcher from India. This is my first write-up on Medium. I was an active Bug Bounty hunter in 2013–14, but nowadays I rarely get time to hunt because of my tight schedule of work.

I was recently hunting on an open bug bounty program of a famous online form creation platform, where I came across an intriguing bug. This particular bug granted me access to the platform’s premium feature, which was originally limited to paying users and inaccessible to free users.

So there were some subscription plans on the platform, like Starter, Medium, and Professional.

In Starter [Free], only 5 forms could be created.
Medium allows, let's say, around 25 forms, while
in the Professional plan you can create unlimited forms.

I quickly decided to exploit this functionality and started intercepting requests in my Burp Suite.

While intercepting, I encountered a URL that was responsible for creating a new form. The endpoint was something like this:

api.domain.com/form/new

I sent this request to the Repeater tab and manually sent the same request 10–15 times.

“As I was using the free plan I was allowed to create 5 forms only.”

I refreshed my dashboard and noticed that there were more than 10 forms created.

Yes, That was too easy.

Then I sent the request to Intruder just to check how many forms I could create by this method.

I started Intruder and noticed that after some OK responses I was getting errors.

The error was:

API Limit Exhausted!

Without wasting time, I quickly headed over to the API documentation to get a concise understanding of its features and functionality.

After some reading, I was able to craft a curl command for the same endpoint using my API key and generated 1000 forms within a few minutes, as the number of API requests allowed per day was 1000. So one can create 1000 forms per day.

The curl command used was:

curl -X GET "https://api.domain.com/form/new?apiKey={apiKey}"
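The write-up above describes a plan quota that was enforced only in the dashboard UI, while the form-creation endpoint itself only applied a per-key daily request limit. The following Python model is an added example, not the platform's code: it simulates the replay the author performed (Repeater/Intruder/curl) against a handler that has only the API rate limit, and against a hardened handler that enforces the plan's form limit server-side. The plan names and limits (5 / 25 / unlimited) and the 1000-requests-per-day figure are taken from the write-up; the class names, the 403 message and the `replay` helper are assumptions made for illustration.

```python
import threading
from dataclasses import dataclass, field

# Plan limits as described in the write-up; None means unlimited.
PLAN_LIMITS = {"starter": 5, "medium": 25, "professional": None}
# Daily per-API-key request quota mentioned in the write-up.
DAILY_API_LIMIT = 1000


@dataclass
class Account:
    """Minimal stand-in for a user record (constructed for this example)."""
    plan: str
    forms: list = field(default_factory=list)
    api_calls_today: int = 0


class VulnerableFormAPI:
    """Models the observed behaviour of /form/new: the only server-side control
    is the per-key daily request quota. The plan's form limit lives in the UI,
    so replaying the request simply keeps creating forms."""

    def create_form(self, account: Account):
        if account.api_calls_today >= DAILY_API_LIMIT:
            return 429, "API Limit Exhausted!"
        account.api_calls_today += 1
        account.forms.append(f"form-{len(account.forms) + 1}")
        return 200, "OK"


class FixedFormAPI(VulnerableFormAPI):
    """Hardened variant: the plan quota is checked on the server, and the
    check-then-insert is done under a lock so parallel replays (Intruder with
    several threads) cannot race past the limit. In a real service this is a
    transaction or a conditional update on the forms table, not a process lock."""

    def __init__(self):
        self._lock = threading.Lock()

    def create_form(self, account: Account):
        with self._lock:
            limit = PLAN_LIMITS[account.plan]
            if limit is not None and len(account.forms) >= limit:
                # Hypothetical error message; the point is the status code.
                return 403, "Plan limit reached"
            return super().create_form(account)


def replay(api, account: Account, times: int):
    """Send the same create-form request `times` times, like Repeater/Intruder.
    Returns (forms_created, first_error) where first_error is (status, body)."""
    created = 0
    first_error = None
    for _ in range(times):
        status, body = api.create_form(account)
        if status == 200:
            created += 1
        elif first_error is None:
            first_error = (status, body)
    return created, first_error


if __name__ == "__main__":
    free = Account(plan="starter")
    print("vulnerable:", replay(VulnerableFormAPI(), free, 1200))
    free = Account(plan="starter")
    print("fixed:", replay(FixedFormAPI(), free, 1200))
```

Against the vulnerable handler, a Starter account gets 1000 forms before the first "API Limit Exhausted!" response, which matches the write-up. Against the fixed handler, the same replay stops at 5 with a 403, and the daily request quota is no longer doing the job it was never designed for. The check belongs in the same transaction as the insert; a rate limiter in front of the endpoint is not a substitute for the entitlement check.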

Jan 6, 2023 — Reported!
Jan 11, 2023 — Already Known by Internal Team!
