Recently, while hunting on a private bug bounty program I got full API Access to target’s Auth0 Management API. This was my first comeback vuln/bounty after taking a pause from Bug Bounty Hunting.

Target was a staging env for which I had some credentials assigned. Let’s assume the target was `stage.application.hunt`. It was a basic SPA built using React and the backend I believe is NodeJS

The very first thing I did after I was invited to program was

• Reset Email and get password and Login
• Select Target -> Scan -> Crawl in burp suite
• click every button I could find on the website

After tapping all the buttons and visiting every page in the application I switched to burpsuite to analyze traffic. After some dead ends, I found a `PATCH` request to `/api/path/data` and it had language preference in the request body as shown in the below image

I tried some basic fuzzing on this endpoint by which I mean

• Fuzzing Request Methods
• Sending Invalid JSON
• Changing Content-Type’s
• Host, Origin Fuzzing etc

and every time I got a `500 Internal Server Error ` 😞 just like the below image

As I was about to move to other endpoints as final attempt i tried empty JSON string `{}` and it returned an error message 👀

After properly formatting the error i saw that it contained an Authorization Header with `Bearer eyJxxxx`. It also contained an address to which the request was being sent and that would be `https://application.us.auth0.com/api/v2/users/auth0|652xx` Searching this endpoint on Google led me to auth0 management API docs more specifically https://auth0.com/docs/api/management/v2/users/patch-users-by-id. After entering the token in the docs page it showed all permissions available to that token.

I tried fetching user data and other endpoints like listing users, applications, updating users etc and everything worked. Even though it was a staging application it had around ~300 users in it most of them being [email protected] emails.

I immediately recorded a POC Video using OBS and wrote a simple explanation and submitted the report. The Triage Team accepted the report after 1–1/2 days and asked for some more details about the impact and after that rewarded $$$ bounty.

Verdict

I think in the backend user’s request was first unmarshalled into an object and the same object was used to send a request to the management API to update user data. Earlier when I tried invalid JSON it failed since unmarshalling failed but sending empty JSON did the trick and management API returned 400 status which errored out.

About Me

I am Tarun, a security researcher and Go Developer from India. When I am not hunting for bugs, you will find me on GitHub adding features and fixing bugs on nuclei and other PD Tools.

Later on, I found a privilege escalation(kinda) vulnerability which was triaged as low severity at first but with the above knowledge about the backend, I exploited it to make it a critical Severity report. Will share it in the next writeup. Until then follow me on twitter, or medium to be notified.