Well, that’s what this is about. After encountering duplicates and N/As in a few Bug Bounty programs (as a beginner), I came across a new program with a pretty solid scope. It includes a forum for customer support, resolving issues, and answering questions. What caught my interest was the ranking/points system, which is based on things like answering questions, solving issues, and sending badges, among other activities.
After some real user testing (which was super helpful), I discovered that liking anything on the forum earned me 5 points. Naturally, I tried automating it with Intruder and tested for race conditions, but didn’t find much at first. However, as always, I knew I needed to dig deeper.
After a while, I discovered something even more interesting. When I liked and then unliked a post, the likes count on my profile changed, but my points didn’t! So, all I had to do was repeatedly like and unlike posts to climb the leaderboard. Is that the end of the story? Not even close! 😆
When I repeated the process using some Burp Suite tricks (I’ll dive deeper into that later), I gained around 130 points. But of course, I wanted more! 😆
During further user testing, I discovered that anyone could access user notifications. At first, I thought it was a Broken Access Control (BAC) issue, but after reading the docs, I realized it works as intended: you can view another user’s notifications, just not control them. But you can still like and unlike them… you see where I’m going with this?
By doing the same like-unlike trick on any user’s notification, I racked up 20 points! Fast, but I still wanted more! 😆
So, I thought about having the victim send the attacker a badge. Then, in my notifications (the attacker’s), I repeated the same like-unlike process on the badge the victim had sent me. This time, I earned 30 points with each like and unlike. And that’s how I finally got my name on the leaderboard!!!!
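As an added illustration (not code from the original post or from the program), here is a small Python model of the scoring logic described above: the vulnerable scoreboard credits points on every like event and never reverses them on unlike, the hardened one derives points from the likes that currently exist, and a toggle monitor shows how the repeated like/unlike pattern could be flagged. The class names, the flip threshold and the sample user/post identifiers are assumptions; the 5 points per like is the value reported in the write-up.

```python
from collections import Counter, defaultdict

LIKE_POINTS = 5  # the write-up observed 5 points per like on a forum post


class VulnerableScoreboard:
    """Models the flaw: a like credits points as an event, an unlike
    removes the like but never reverses the credit."""

    def __init__(self):
        self.liked_by = defaultdict(set)  # target -> users who currently like it
        self._points = Counter()

    def like(self, user, target):
        if user not in self.liked_by[target]:
            self.liked_by[target].add(user)
            self._points[user] += LIKE_POINTS  # credited on the event

    def unlike(self, user, target):
        self.liked_by[target].discard(user)  # like count drops, points stay

    def score(self, user):
        return self._points[user]


class HardenedScoreboard(VulnerableScoreboard):
    """Fix: points are derived from the likes that exist right now, so a
    like/unlike toggle is idempotent and cannot be farmed."""

    def score(self, user):
        return LIKE_POINTS * sum(user in users for users in self.liked_by.values())


class ToggleMonitor:
    """Detection side: flag a user who flips the same target more than
    max_flips times; genuine users rarely toggle one item repeatedly."""

    def __init__(self, max_flips=10):
        self.flips, self.max_flips = Counter(), max_flips

    def record(self, user, target):
        self.flips[(user, target)] += 1
        return self.flips[(user, target)] > self.max_flips  # True once it looks like farming


def farm(board, user, target, rounds, monitor=None):
    """Replay the like/unlike loop against a model; returns (score, flagged flips)."""
    flagged = 0
    for _ in range(rounds):
        board.like(user, target)
        board.unlike(user, target)
        if monitor and monitor.record(user, target):
            flagged += 1
    return board.score(user), flagged
```

Twenty-six rounds against the vulnerable model reproduce the roughly 130 points described above while the hardened model stays at zero; the monitor starts flagging on the eleventh flip.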
And here’s where the fun begins! After racking up all those points, my account got blocked. 😢
Now, every time I try to log in, I’m stopped by a sad black screen!
No, not at all! When I got that message, I thought, ‘Can I do this to anyone’s account?’ And the answer was yes. I could easily go to anyone’s post or action, repeat my awesome process, and boom. They’d lose access to their account for good!
When the server responds with a 400 Bad Request, it means the server detected something wrong with the victim’s request, likely due to corrupted state or malformed data caused by our exploit.
I have a couple of theories about this:
The first theory is that the backend detects that the victim’s post/action is receiving a lot of requests in a short period and blocks the victim’s account in response. However, this raises the question of why I, as the victim, didn’t receive a block message like ‘You’re blocked’ or any indication that something was wrong, even though the server clearly knew it. And why did nothing happen to me as the attacker? Wasn’t I the one maliciously triggering the Web Application Firewall (WAF)?

The second theory is that the server didn’t properly validate or rate-limit the requests, which could have overwhelmed or corrupted the request-handling mechanism. This could result in improper handling of user data, causing the user to be locked out or their account to be invalidated.

As this appears to be a logic flaw, and without more information or insight into the backend, it’s challenging to develop further theories; this was black-box testing.
After reporting this bug to the program, it took them 20 days to respond. They marked it as informational! Can you believe this?
After all, this write-up isn’t just about the bounty or the points. It’s about sharing my ideas with you. So, let me know your thoughts in the comments. Thanks, and keep hacking <3