Backstory:
Allow me to introduce myself briefly. I am an enthusiast in Cybersecurity and Cloud Security. My journey in cybersecurity began five years ago, and since then, I have been continuously learning and exploring various domains within cybersecurity. Recently, I developed an interest in bug bounty programs, which offer a close-to-real-world hacking experience. The idea of identifying vulnerabilities in live applications and being rewarded for it fascinated me. Consequently, I decided to test my skills by participating in bug bounty programs offered by various websites.
Choosing my target:
Due to my busy schedule balancing work and studies, I have limited time for bug bounty activities. As a result, I prioritize targets with substantial bug bounty rewards, preferably from newer companies, to minimize duplicate submissions. While searching for potential targets using Google dorks like “inurl:/bug bounty reward,” I came across a cryptocurrency exchange website. They offer rewards ranging from $200 to $3000 for identifying vulnerabilities in their web application. This platform includes various features such as payment gateways, invitation systems, group creation, and cryptocurrency trading functionalities. The extensive functionality of this website presented an opportunity for me, as it expands the scope for identifying vulnerabilities. Instantly, I determined that this website was the ideal target I was looking for.
Reconnaissance:
Let’s name the target target.com and refer to it by that name throughout the article, as I can’t disclose the real name due to the responsible disclosure policy. In my bug-hunting process, I skip subdomains initially and focus on the main domain to get the gist of the website’s functionality. If I don’t find anything there, I move on to subdomains. I usually start by signing up and exploring the website like a regular user, noting down every feature. Then, I brainstorm how these features could be exploited for security vulnerabilities. This approach helps me analyze the website thoroughly and identify potential vulnerabilities, as these types of vulnerabilities in main domains are the ones for which companies pay the most.
Finding the vulnerability:
After spending hours trying to exploit different functionalities like password reset and inviting a friend, and getting nothing, I was losing hope. But then, one interesting functionality caught my attention: the ability to create groups and invite friends. However, there was a limit of 10 groups per user. I thought, “Let’s try to bypass the limit.” I intercepted the request in Burp Suite, loaded it into the Intruder tab, and fired the request over 200 times. Luckily, there was no rate limit, and I successfully created over 200 groups, surpassing the 10-group limit. My happiness was through the roof.
Now, I just need to prove to the company/website that this is a security threat, not just a common bug. Therefore, I’ve written a detailed report with a video proof-of-concept (POC) explaining the impact of the vulnerability. Please find below the details.
My report that I sent to the program:
Title: No rate limit to memory corruption
A little bit about Rate Limit:
A rate limiting algorithm is used to check whether the user session (or IP address) has to be limited, based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP servers can respond with status code 429: Too Many Requests.
Description: I have found that there is no rate limit on the create group function of your website, so any attacker can create an unlimited number of groups in just a few seconds.
IMPACT: Suppose 100 characters take 10kb of memory on your server; then an attacker can make 10000 groups with 100-character names in just a few seconds, which will take 10000*10kb=1000 mb of space, and by repeating this he can fill your memory with garbage.
It may also lead to application-level DoS or reduce the performance of your website.
Steps to reproduce:
1. Go to target.com.
2. Log in to your account.
3. Go to create a group and intercept the request.
4. Send the request containing the group name to Intruder.
5. Select any one character of the group name as the position and go to Payloads.
6. Select numbers from 1 to the value you want to choose and start the attack.
7. You will see all groups are created without any rate limit.
Video POC was shared.
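The report names two server-side gaps: no rate limit on the create-group request, and a 10-group quota that the server does not actually enforce. The following is an added example (not code from this post or from the exchange) of how a backend can close both: a per-user sliding-window limiter that answers 429, plus a quota check that runs on the server regardless of what the client sends. The limit of 5 requests per 60 seconds, the 100-character name cap and the 403 for a full quota are assumptions chosen for the demo.

```python
import time
from collections import Counter, defaultdict, deque

# Policy values are assumptions for this demo, not the exchange's settings.
MAX_GROUPS_PER_USER = 10      # the quota the report shows being bypassed
RATE_LIMIT = 5                # create-group requests allowed per window
RATE_WINDOW_SECONDS = 60.0
MAX_NAME_LENGTH = 100         # bounds the storage each group can consume


class GroupService:
    """Minimal create-group handler: rate limit, validate, enforce quota."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                       # injectable for tests
        self.groups = defaultdict(list)          # user_id -> group names
        self.request_log = defaultdict(deque)    # user_id -> request times

    def _rate_limited(self, user_id):
        now = self.clock()
        window = self.request_log[user_id]
        while window and now - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()                     # drop requests outside window
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def create_group(self, user_id, name):
        """Return (status, body) the way an HTTP handler would."""
        if self._rate_limited(user_id):
            return 429, {"error": "too many requests"}
        if not name or len(name) > MAX_NAME_LENGTH:
            return 400, {"error": "invalid group name"}
        # Quota is checked against server state, never a client-supplied count.
        if len(self.groups[user_id]) >= MAX_GROUPS_PER_USER:
            return 403, {"error": "group quota reached"}
        self.groups[user_id].append(name)
        return 201, {"name": name}


class FakeClock:
    """Constructed clock so the demo can replay a burst and then wait."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def simulate_attack():
    """Replay a 200-request Intruder burst, then 5 slow rounds of 5 requests."""
    clock, name = FakeClock(), "A" * 100
    svc = GroupService(clock=clock)
    burst = Counter(svc.create_group("attacker", name)[0] for _ in range(200))
    later = Counter()
    for _ in range(5):
        clock.advance(RATE_WINDOW_SECONDS + 1)   # patient attacker waits out window
        later.update(svc.create_group("attacker", name)[0] for _ in range(RATE_LIMIT))
    return burst, later, len(svc.groups["attacker"])
```

In the burst only the first 5 requests succeed and the other 195 get 429; the patient attacker gets 5 more groups and is then stopped by the quota at exactly 10.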
Their response:
PFB Screenshot of the email they sent:
Hope this read added some value to your skills.