I received an invitation for an internal project, i found an interesting vulnerability in this project.
After submitting some regularized vulnerabilities, the project seems to have no one to submit new security issues.
I started to try some WebFuzz techniques.
First i should test for sensitive information api, because vulnerabilities here are the most valuable( many bounty :D ).
I found one API about sensitive information -> ../getUserAuth...
HTTP Message Body as follows
{"responseData":{"userid":"user_id","login":"user_name","password":"user_password","mobilenum":"user_mobilephone_number","mobileisbound":"01","email":"user_email_address"}}
It looks really exciting !!! If I can get this information about other people based on my account, i think this is great !!!
Here is my test step ↓↓
Step 1
I see this is a GET request without any request parameters, so i need add parameters.
But where can i get parameters ???
At first i thought of using a dictionary to guess, but i didn’t get the results i wanted after trying.
Step 2
I tried to convert HTTP Response Body to HTTP Request Parameters.
So, i get these parameters (BurpSuite Plugin: https://github.com/gh0stkey/JSONandHTTPP):
mobileisbound=01
login=user_name
userid=user_id
password=user_password
mobilenum=user_mobilephone_number
email=user_email_address
../getUserAuth...?login=[Test Account B]user_name
../getUserAuth...?userid=[Test Account B]user_id
... and so on
But after trying, i also can’t get the results i want.
Step 3
I found the naming rules for other API parameters when I was about to give up.
Rule -> English capitalization
Change the parameter to uppercase with javascript:
God is taking care of people who are careful~I tried to add parameters and i found interesting results.
I successfully get the sensitive information of the account B based on the credentials of the account A !!!
END
- I reported the vulnerability.
- Officially confirmed that this is a critical vulnerability.
- Waited for 3 days… I was awarded ¥3,000 (RMB) bounty.