.png)
3 years ago
281 BOOK THIS SPACE FOR AD
ARTICLE ADAs-Salaam-Alaikum (Peace be unto you)
Hello Amazing Hacker My name is Rizwan Siddiqui I am a Bug Hunter. This is my First Writeup hope You guys will enjoy it and learn something new from it. Let’s get started how I found this api misconfiguration.
scenario:The web application is some car or bus selling web application and there is also jobs related stuff there. I try file upload xss but nothing works then I Go To id.target.com there is some profile type function where i can upload my file and there is my login log my ip address who login in my account through which ip. I try some xss again file upload vulnerability but nothing works
After that i thought i should give up and change my target but in id.target.com there is api endpoint which is fetching my personal details like my ip address and name stuff. That time i thought i should fuzz here i try fuzzing after that i notice that this is authenticated endpoint i should fuzz with my cookie so i can find something juice info and i start fuzz like this ffuf -u https://id.target.com/api/FUZZ -w wordlist -c COOKIE_HERE after some time it give me https://id.target.com/api/work and guess what there is some misconfiguration in api endpoint which is leaking company employee data like there position in company jobs Descriptions profile pic that time i thought this is just some basic or some one person info but i am wrong when i send it to repeater tab and i send that request again and again they give me new employee data everytime.
Step To reproduce:
Go to id.target.com login with your credential.open burp suite forward requests until u see the request like this :GET /api/personal HTTP 1.1HOST: id.target.com
Cookie : JWT TOKEN
Accept: application/json
3. Just remove “personal” and add “work” then see the magic.
Takeaway:
Always Fuzz with your cookies if there is api endpoint. And never lose Hope.
Bengali (Bangladesh) · 
English (United States) ·