Forcing for a bounty$$
2023-2-8 03:07:21 Author: infosecwriteups.com (view original) Views: 13

Hola fellow researchers,

I am Rafi Ahamed, a cyber security researcher from Bangladesh. I am currently doing my BBA at the University of Dhaka, but I do love nerdy stuff. Let’s not waste any time and get down to our topic.

First of all, don’t be confused by the title. By forcing I actually mean forced browsing.

Forced browsing is an attack in which the attacker aims to enumerate and access resources that the application never links to or references, but that are still reachable by anyone who requests them directly.

Recently I was testing a private site on HackerOne that sells educational videos. They allow a user to preview a video without payment, but the preview lasts only 15 seconds or less. Well, who cares about that, right?

Actually, that’s where the $$$ lies.

As usual I turned on interception in Burp Suite and noticed endpoints like the one below:

But the endpoint was on another subdomain. From the subdomain name it was clear that the organization uses it to store all of its videos and other assets. So I quickly visited the endpoint to see whether I could find anything.

The endpoint

But I got nothing: the same preview with the same duration.

Then I noticed that the endpoint contained something like this:

I thought, why not remove it and see what happens? To my surprise, I got the full video. Now I could watch any paid video without paying. The preview limit was being enforced only by a client-controlled part of the URL, so the storage subdomain had no way of telling a paying user from anyone else once that part was gone.
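As an added illustration that is not part of the original writeup (the real endpoint and the parameter that was removed are not reproduced here), the Python below models the two designs side by side: a storage host that obeys a limiting parameter carried in the URL, and a hardened one that only honours a limit the application server has chosen and HMAC-signed after checking the purchase. The hostnames, parameter names (`preview`, `asset`, `limit`, `exp`, `sig`), the signing key and the catalog are all assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed catalog (stand-in data): asset id -> full "video" bytes.
CATALOG = {
    "lesson-42": b"FULL VIDEO BYTES " * 8,   # 136 bytes of pretend media
}
PREVIEW_BYTES = 16        # stands in for the "15 seconds or less" preview
SIGNING_KEY = b"shared-secret-between-app-and-storage"  # assumed; never sent to the client


def set_param(url: str, name: str, value: Optional[str]) -> str:
    """Tamper helper: set a query parameter, or drop it when value is None."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if value is None:
        q.pop(name, None)
    else:
        q[name] = value
    return parts._replace(query=urlencode(q)).geturl()


# ---- Vulnerable pattern: the limit rides in the URL and the storage host obeys it ----
def serve_vulnerable(url: str) -> Optional[bytes]:
    """The storage subdomain has no session state, so it trusts the URL.
    Deleting the preview parameter yields the whole asset with no entitlement check."""
    parts = urlsplit(url)
    asset = parts.path.rsplit("/", 1)[-1]
    if asset not in CATALOG:
        return None
    data = CATALOG[asset]
    if "preview" in parse_qs(parts.query):
        return data[:PREVIEW_BYTES]
    return data   # nothing here asks whether the requester paid


# ---- Hardened pattern: the app server decides, signs its decision, storage verifies ----
def issue_signed_url(asset: str, purchased: bool, now: int, ttl: int = 300) -> str:
    """Runs on the application server, which knows the session and purchase state.
    The byte limit is chosen here and bound into an HMAC together with an expiry."""
    limit = len(CATALOG[asset]) if purchased else PREVIEW_BYTES
    params = {"asset": asset, "limit": str(limit), "exp": str(now + ttl)}
    msg = urlencode(sorted(params.items())).encode()
    params["sig"] = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return "https://media.example.com/stream?" + urlencode(params)


def serve_hardened(url: str, now: int) -> Optional[bytes]:
    """Runs on the storage host. Recomputes the MAC over every parameter except
    sig, so removing or editing 'limit' or 'exp' invalidates the whole URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    sig = q.pop("sig", None)
    if sig is None or set(q) != {"asset", "limit", "exp"}:
        return None
    msg = urlencode(sorted(q.items())).encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        limit, exp = int(q["limit"]), int(q["exp"])
    except ValueError:
        return None
    if now > exp or q["asset"] not in CATALOG:
        return None
    return CATALOG[q["asset"]][:max(limit, 0)]


if __name__ == "__main__":
    free = "https://media.example.com/files/lesson-42?preview=1"
    print(len(serve_vulnerable(free)), "bytes with the preview parameter")
    print(len(serve_vulnerable(set_param(free, "preview", None))), "bytes after removing it")
    signed = issue_signed_url("lesson-42", purchased=False, now=1_000)
    print(len(serve_hardened(signed, now=1_000)), "bytes from the signed preview URL")
    print(serve_hardened(set_param(signed, "limit", None), now=1_000), "after removing limit")
```

The point of the signed variant is that the storage subdomain never decides anything on its own: it serves exactly the byte range the application server authorised, and any edit to the URL, including deleting the limit outright, fails the signature check. The expiry also stops a preview link from being replayed indefinitely; in a real deployment the key would be rotated and the limit expressed in the unit the player actually uses (bytes, segments or seconds).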

I quickly reported the bug through HackerOne and got a nice $500 bounty.

Reported: Sep 27th.

Triaged: Sep 28th.

Resolved: Oct 18th.

Hope you guys enjoyed this one. PM me on Facebook or LinkedIn anytime if you have any questions.

#Eat_sleep_hack_repeat
#Hack’em all


Source: https://infosecwriteups.com/forcing-for-a-bounty-b637c468d7bd?source=rss----7b722bfd1b8d--bug_bounty