As it’s a private program, I’ll refer to it as “redacted”. Let me give you some information about the program before we start.
The main application was a specialty beverage shopping site. So, as always, I took my time to learn all the features and the workings of the site. There were memberships, packages and profiles for every user.
As a bug bounty hunter, the most important thing you can do is to not give up on a program. Most people switch programs often because they feel like they won’t find any vulnerability there. But that’s not true; you have to take your time while learning how the site works.
So I took my time and learned all the features on the website, then I started to test specific pages and features.
While wandering around the product page, I noticed that I could rate a beverage without actually buying it. Here is the request:
POST /customer/product/product-rating.json HTTP/2
Host: www.xxxx.com
Cookie: xxx
Content-Length: 81
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"
Content-Type: application/json
X-Csrf-Token: xxxxx
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: xxx
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.xxx.com/products/xxx
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,tr;q=0.8

{
"comment":"",
"productId":27044,
"yesOrNo":5,
"sliderRating":5,
"favourite":false
}
There were two types of rating. One of them was just the question “Would you buy this again?”: if you chose yes, the request carried "yesOrNo":5, and if not, it carried "yesOrNo":1. So I thought: can I manipulate the ratings by trying a race condition while giving the yesOrNo question a value of 1? But that didn’t work.
As for the other rating, it was a simple star rating: you would choose how many hearts you wanted to give out of 5, and the value was sent in sliderRating.
I tried a few things, one of them being changing sliderRating to 150. And to my surprise, it worked. It was showing “150” both on the front end and in the API. Here’s the response:
HTTP/2 200 OK
Date: Sat, 25 Jun 2022 19:54:16 GMT
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Security-Policy:
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"

{"rating":{"id":113062722,"rating":150.0,"sliderRating":600.0,........}
As you can see, I was able to manipulate both the star rating and the yes-or-no question. I created a report and waited for their response. I was expecting it to be closed as informative, because this might not affect the reputation of the ratings. But their response was positive: it was affecting the ratings, and they accepted it as a business logic error. Whilst this was not a security issue, they accepted it, so I gave my respect to them 😅.
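The root cause here is that the server trusted the widget to constrain the value and never re-checked the range of sliderRating (or the allowed values of yesOrNo) itself. Below is an added example of the server-side validation that would have rejected the 150 submission; it is my code, not the program’s, and it only reuses the field names visible in the request above. The comment length limit and the positive-productId rule are assumptions, since the page says nothing about them.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample bodies modelled on the request shown in the writeup; the
# field names are the page's, the values are illustrative.
VALID_BODY = '{"comment":"","productId":27044,"yesOrNo":5,"sliderRating":5,"favourite":false}'
OVERFLOW_BODY = '{"comment":"","productId":27044,"yesOrNo":5,"sliderRating":150,"favourite":false}'

EXPECTED_FIELDS = {"comment", "productId", "yesOrNo", "sliderRating", "favourite"}
YES_OR_NO_VALUES = {1, 5}          # the two values the page shows the UI sending
RATING_MIN, RATING_MAX = 1, 5      # the real range of the five-heart widget
MAX_COMMENT_CHARS = 1000           # assumed limit; the page gives none


def _is_int(value: Any) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly;
    # otherwise "sliderRating": true would pass as 1.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_rating(raw_body: str) -> tuple[dict[str, Any] | None, list[str]]:
    """Parse a rating submission and enforce the widget's limits server-side.

    Returns (clean, errors). clean is None whenever any check fails, so the
    caller cannot accidentally persist a half-validated object.
    """
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return None, [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return None, ["body must be a JSON object"]

    errors: list[str] = []
    # Reject fields the client should not be able to set at all.
    unexpected = set(data) - EXPECTED_FIELDS
    if unexpected:
        errors.append(f"unexpected fields: {sorted(unexpected)}")
    missing = EXPECTED_FIELDS - set(data)
    if missing:
        errors.append(f"missing fields: {sorted(missing)}")
    if errors:
        return None, errors

    if not (_is_int(data["productId"]) and data["productId"] > 0):
        errors.append("productId must be a positive integer")
    if not (_is_int(data["yesOrNo"]) and data["yesOrNo"] in YES_OR_NO_VALUES):
        errors.append(f"yesOrNo must be one of {sorted(YES_OR_NO_VALUES)}")
    if not (_is_int(data["sliderRating"]) and RATING_MIN <= data["sliderRating"] <= RATING_MAX):
        errors.append(f"sliderRating must be an integer in [{RATING_MIN}, {RATING_MAX}]")
    if not isinstance(data["favourite"], bool):
        errors.append("favourite must be a boolean")
    if not (isinstance(data["comment"], str) and len(data["comment"]) <= MAX_COMMENT_CHARS):
        errors.append(f"comment must be a string of at most {MAX_COMMENT_CHARS} characters")

    if errors:
        return None, errors
    return {key: data[key] for key in EXPECTED_FIELDS}, []


if __name__ == "__main__":
    for body in (VALID_BODY, OVERFLOW_BODY):
        clean, errs = validate_rating(body)
        print("accepted" if clean else "rejected", errs)
```

Rejecting rather than clamping is deliberate: silently clamping 150 to 5 would hide the fact that a client is sending values the UI cannot produce, which is exactly the kind of request worth logging. The unexpected-field check is there for the same reason: it stops a client from smuggling in extra attributes the rating object may happen to accept.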