The story of how I finally got my first money from hacking
2023-12-4 04:14:21 Author: infosecwriteups.com

JC

InfoSec Write-ups

Zupp folks, I'm making this post just to share the steps I took to discover the vulnerability, for learning purposes ofc ✌️.

“Let’s call it aahh.com. This story starts from a friend’s Instagram story, where there’s a link to aahh.com, and as usual, my fingers can’t resist opening any link…

Without thinking twice, let’s just open it with our favorite web browser. The first thing I do is to make sure I understand how the platform works.

After observing and checking out what technology the platform uses, I tried registering on aahh.com using a tempmail and easily created an account on the platform.

After checking it out, I felt too lazy to look for a vulnerability on the profile page, so I decided to open a new tab and do some dorking [site:aahh.com “user”] and opened each link displayed by Google.

Out of all the links, I was interested in one link that displayed all user data but was limited to user profile and username. So, I opened the link and analyzed each request using inspect element in the network tab or using [ctrl + shift + i] in Google Chrome.

My eyes focused on one request that led to a URL that I assumed was the place to make a query using GraphQL. The request contained a parameter that was a query to retrieve user data if I remembered it correctly :)

I opened a new tab and visited the URL, and with some luck, the page allowed me to query the database freely [with complete documentation and schema], then I was like…

Using luck and previous queries I got from checking out each request, I tried using those queries, and BOOOMM!!

I managed to run the query and display around 3K user data, including names, birth dates, addresses, phone numbers, emails, etc.

But it didn’t stop there. Based on my experience, there’s often a password column in the user table. So I modified the previous query by adding the password column, and I successfully displayed the password of every user available.

However, the password seemed to be hashed using bcrypt hash? Maybe?

I also read the documentation and schema available on the page and checked out what columns were there. Today seemed to be my lucky day because one of the tables had a column that stored a URL that led to a verified user ID card file.

I modified the query by adding the column for the ID card file [not the actual column name], and the result was very satisfying. I managed to gather around 1K valid data with ID cards that I could collect.”

Then I STOPPP and reported the vuln finding…..
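
From the defender's side, the story above reduces to an endpoint that answered schema introspection for anyone and a user type whose password and ID-card fields were selectable. This added example (not from the original post; the field-name patterns and the sample schema are assumptions constructed for illustration) audits an introspection response from your own API for both conditions:

```python
import re

# Name patterns for fields that anonymous clients should never be able to select.
# The pattern list is an assumption for this example; tune it to your data model.
SENSITIVE = re.compile(r"passw|secret|token|id_?card|birth|phone|address|email", re.I)

def unwrap(type_ref):
    """Follow NON_NULL / LIST wrappers down to the named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref.get("name")

def audit_introspection(result):
    """Audit the JSON body of an anonymous introspection response.

    Returns None if the server refused introspection, otherwise a sorted list
    of (type, field, field_type) for object fields with sensitive-looking names.
    """
    schema = (result.get("data") or {}).get("__schema")
    if schema is None:
        return None
    findings = []
    for t in schema["types"]:
        if t.get("kind") != "OBJECT" or t["name"].startswith("__"):
            continue
        for f in t.get("fields") or []:
            if SENSITIVE.search(f["name"]):
                findings.append((t["name"], f["name"], unwrap(f["type"])))
    return sorted(findings)

def _field(name, type_name="String", kind="SCALAR"):
    return {"name": name, "type": {"kind": "NON_NULL", "name": None,
            "ofType": {"kind": kind, "name": type_name, "ofType": None}}}

# Constructed sample responses; type and field names are hypothetical.
SAMPLE_OPEN = {"data": {"__schema": {"types": [
    {"kind": "OBJECT", "name": "Query", "fields": [_field("users", "User", "OBJECT")]},
    {"kind": "OBJECT", "name": "User", "fields": [
        _field(n) for n in ("username", "email", "password", "birthDate", "idCardUrl")]},
    {"kind": "SCALAR", "name": "String", "fields": None},
    {"kind": "OBJECT", "name": "__Type", "fields": [_field("name")]},
]}}}
SAMPLE_CLOSED = {"errors": [{"message": "introspection is disabled"}]}

if __name__ == "__main__":
    for finding in audit_introspection(SAMPLE_OPEN):
        print("exposed:", *finding)
    print("closed endpoint ->", audit_introspection(SAMPLE_CLOSED))
```

A non-None result means introspection is answering unauthenticated callers; every listed field then needs a resolver-level authorization check or removal from the public schema.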

What can we learn from this story?

  1. Enjoy the process when you analyze every request and every line of code cuz there’s always something cool waiting for you 😉.
  2. Practice makes perfect

Timeline

After I sent the report they awarded me with $70 😃.

Well, that’s all, PEACE ✌️and KEEP HACKING 🔥.


Article source: https://infosecwriteups.com/the-story-of-how-i-finally-got-my-first-money-from-hacking-c0bd4b3b2b80?source=rss----7b722bfd1b8d--bug_bounty