1 Program, 4 Business Logic Bugs and Cashing in 2300$.
2024-1-17 22:36:37 Author: infosecwriteups.com Views: 16

Manav Bankatwala

InfoSec Write-ups

Alright people, let’s do this one last time.

I’m Manav Bankatwala, and I’m a security researcher. I’m not sure what kind of radioactive spider bit me, but it gave me the power to see security vulnerabilities everywhere.

As you may have guessed from the title, this writeup is about how I found 4 business logic bugs in a single program, with a total reward of 2300$ and a really good appreciation message from the COO of the company:

Appreciation

At first I thought of writing separate writeups for each bug, but instead I am covering them all here in a clear, readable way.

The target program is a company that provides browser services: its web scraping facilities and multiple login accounts can be used all at once. It's very similar to the Incognito mode we use in browsers, except that it provides hundreds of incognito browsers at once without any complications.

This application has only paid pricing plans. Let's say a solo plan costs around 80$ and a team plan for up to 3 users costs around 170$. The plan price increases as more users are added; each additional user cost 32$. Without at least a basic plan you cannot access 90% of the application's features. Here I found 4 business logic vulnerabilities that directly affected the business finances, causing major loss. Let's begin with the first one:

As I already said, in a Team plan we can only invite up to 3 members, and each additional member cost 32$.

Per user cost

I had already added 3 members and could not add more; I would have to delete a member first and then invite another. But here there was a big misconfiguration. Let me describe the normal flow first.

  1. Enter all the details of the member and click on send invitation.
  2. The member receives an invite-accept link, and only after clicking that link is the user added.
  3. The member used the link and was added to the team. Like this we can add up to 3 members.

But the misconfiguration here was that the member count did not increase until the user accepted the invitation. I.e. we can first send the invitation link to 10 members and then accept them all. Let me break this into steps for you:

Exploit steps:

  1. Enter the details of a member and send the invitation link.
  2. Don't use the link; add another member instead.
  3. Repeat the process for as many users as you want to add.
  4. The member count in the plan is still 0, as no one has accepted an invitation yet.
  5. Now visit all the invitation links one by one. All the members are added without any charges. Like this I invited more than 6 users and saved 200$.

Exploit results

With this I could even add 100 members at once, resulting in a company loss of 320$. They immediately addressed and fixed this vulnerability.

Reward : 500USD

Here again, a user with no plan cannot access the feature of inviting other members into the team. But due to a security misconfiguration, we could send the invite-user API call directly with the session token of a user who has no plan. The steps I performed are as follows:

  1. Capture the POST request responsible for inviting a new user and send it to Repeater.
  2. Change the authorization token to the token of a user with no plan. I also changed the workspace ID parameter.
  3. Send the request. Instead of returning a forbidden error, it succeeded: the user was invited.

Reward: 500USD

Here, the application only allows a specific number of browser profiles to be created. For example, with a solo plan we can only create 300 browser profiles. This looked like a case to test for a race condition, i.e. whether we can create more than 300 profiles on a limited plan. The steps are as follows:

  1. I first created 298 profiles.
  2. Then I clicked on create a new profile again and captured the request in Burp Suite.
  3. I sent this request to the Turbo Intruder extension (you can even use your own Python script), added a random position as the payload position and increased the threads.
  4. When the attack ended, the total count of browser profiles was 306. This indicated a successful exploitation of the race condition. Easy, right?

Reward : 500USD
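As an added example (my own sketch, not the target's code or anything from the writeup), this Python snippet reproduces the check-then-act defect behind the race and places the fixed, atomic version beside it. `ProfileQuota`, `fire_concurrently` and the in-memory profile list are constructed stand-ins for the real service; the barrier makes the request overlap deterministic so the comparison is repeatable as a regression test.

```python
import threading

PROFILE_LIMIT = 300     # profiles allowed on the solo plan (from the writeup)

class ProfileQuota:
    """Per-workspace profile quota; `profiles` stands in for the database table."""
    def __init__(self, existing: int, limit: int = PROFILE_LIMIT):
        self.profiles = list(range(existing))   # constructed: pre-existing profiles
        self.limit = limit
        self.lock = threading.Lock()

    def create_racy(self, gate: threading.Barrier) -> bool:
        # Vulnerable check-then-act: the count is read in one step and the
        # profile is inserted in another. Requests that overlap all observe
        # the same count below the limit, and all of them succeed.
        count = len(self.profiles)
        gate.wait()                      # models the latency between the two steps
        if count < self.limit:
            self.profiles.append(object())
            return True
        return False

    def create_safe(self, gate: threading.Barrier) -> bool:
        gate.wait()
        # Fixed: check and insert are one atomic step under a lock. In a real
        # service the same effect comes from a single conditional statement,
        # e.g. UPDATE quota SET used = used + 1 WHERE ws = ? AND used < ?,
        # granting the profile only when that statement affected a row.
        with self.lock:
            if len(self.profiles) < self.limit:
                self.profiles.append(object())
                return True
            return False

def fire_concurrently(quota: ProfileQuota, method: str, n: int) -> int:
    """Issue n overlapping create requests and return the resulting profile count."""
    gate = threading.Barrier(n)          # releases all requests at the same moment
    fn = getattr(quota, method)
    threads = [threading.Thread(target=fn, args=(gate,)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(quota.profiles)
```

Starting from 298 profiles, twenty overlapping requests against `create_racy` end at 318 profiles, while the same burst against `create_safe` stops exactly at the 300 limit.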

In the application, when we invite a user, we have 3 roles to choose from: User, Launcher and Manager. The "User" role cannot see some details such as the members in the workspace, their roles, invited members, balance and which plan they are on. But if we request the same details via the API with the "User" role's cookies, we can get those details as well. The exact exploit steps:

  1. First invite a member with the "User" role.
  2. This role has no permission to see other members or the plan in use.
  3. But by directly sending the API calls, i.e.:

https://api.target.com/workspace/restrictions
https://api.target.com/workspace/users?limit=100&offset=0
https://api.target.com/workspace/invitations?limit=1000&offset=0
https://api.target.com/workspace/user_balance

  4. This is how I was able to get all the details as a low-privilege member.

Reward : 500USD.
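As an added example (my own sketch, not the target's code), here is how the invitation and workspace read API could enforce the three server-side checks whose absence produced bugs 1, 2 and 4: pending invitations count toward the seat limit, inviting requires an active plan on the caller's own workspace, and every read endpoint re-derives the caller's role instead of relying on the UI to hide data. `User`, `Workspace`, the plan table and the Launcher role's permissions are assumptions.

```python
from dataclasses import dataclass, field

ADDITIONAL_SEAT_PRICE = 32                # per-user add-on price from the writeup
INCLUDED_SEATS = {"solo": 1, "team": 3}   # assumed: seats included with each plan
# Deny by default; the "launcher" set is an assumption, the writeup describes only "user".
READ_PERMISSIONS = {"manager": {"restrictions", "users", "invitations", "user_balance"},
                    "launcher": {"restrictions"}, "user": set()}

class Forbidden(Exception): pass
class SeatLimitExceeded(Exception): pass

@dataclass
class User:
    id: str
    plan: str = ""                            # "" = no paid plan

@dataclass
class Workspace:
    owner: User
    members: dict = field(default_factory=dict)   # user id -> role
    pending: dict = field(default_factory=dict)   # invite token -> (email, role)

    def seats_used(self) -> int:
        # Bug 1 fix: a pending invitation already reserves a seat, so sending
        # many invites before accepting any of them cannot bypass the limit.
        return len(self.members) + len(self.pending)

def invite(actor, ws, email, token, role="user", pay_extra=False) -> int:
    # Bug 2 fix: plan and ownership come from the server-side session, not the UI.
    if actor.id != ws.owner.id or actor.plan not in INCLUDED_SEATS:
        raise Forbidden("inviting requires an active plan on your own workspace")
    charge = 0                                # dollars to bill the owner
    if ws.seats_used() >= INCLUDED_SEATS[actor.plan]:
        if not pay_extra:
            raise SeatLimitExceeded("included seats used; an extra seat costs $32")
        charge = ADDITIONAL_SEAT_PRICE
    ws.pending[token] = (email, role)
    return charge

def accept(ws, token, new_user_id) -> bool:
    entry = ws.pending.pop(token, None)       # single-use token
    if entry is None:
        return False                          # unknown or already used
    ws.members[new_user_id] = entry[1]        # reserved seat becomes a member
    return True

def can_read(actor_id, ws, resource) -> bool:
    # Bug 4 fix: each read endpoint re-derives the caller's role in this workspace.
    role = "manager" if actor_id == ws.owner.id else ws.members.get(actor_id)
    return role is not None and resource in READ_PERMISSIONS[role]
```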

After this, I finally reported an origin IP vulnerability: the domain and its features were accessible directly through the IP, completely bypassing their Cloudflare firewall. I was also able to reach some endpoints that were not accessible through their domain but could be accessed using the origin IP I found.

For this simple vulnerability, they rewarded me 300USD.

It's not always necessary to find IDORs, SSRF, XSS, etc. Sometimes all you need is to understand the functionality and then abuse it in any way possible.

All of these vulnerabilities were reported and rewarded within a timeframe of 4–5 days. The total reward payout was 2300USD, with a very motivational appreciation message from the COO himself. If exploited together in the wild, these vulnerabilities could have cost the target company thousands of dollars.

https://www.linkedin.com/in/manavbankatwala/

https://www.instagram.com/manav.bug/

https://twitter.com/manavbankatwala


Source: https://infosecwriteups.com/1-program-4-business-logic-bugs-and-cashing-in-2300-299b42236993?source=rss----7b722bfd1b8d--bug_bounty