I felt like there were no more bugs left after winning € 2000 … But an email worth €750 changed my mind

Introduction

Hello amazing hacker, I hope you are doing well! Today I am going to tell you the story of how I completely exhausted my target … and then some. Not only did I already receive € 2000 from this target in various medium vulnerabilities that I reported, I managed to grab even more after I had already fully tested the program. Here’s how I did it.

The beginning

This was a target I loved right from the start; it had all the functionality that I loved and seemed tailor-made for me. I started up Burp Suite, set up my scope and started clicking around.

The more I saw, the more I fell in love with this target. It started out with my target asking me if I wanted to invite other people into my organization. Whenever a target asks me this, my spidey senses go tingling. This is usually a sign that there is Broken Access Control (BAC) possible or at the very least multiple ways of testing for IDORs.

I got to work creating two companies; we will call them “Yoogle” and “Gahoo” to make things easy, but these are just examples and were not my actual targets of course, nor were the companies that inspired their names. My target was heavily centered around B2B solutions.

For each company I created two new users. I named them after the role I gave them: “Yoogle — Admin”, “Yoogle — Employee”, “Gahoo — Admin” and “Gahoo — Employee”. I got to work first testing the most impactful things I could think of. This is a good way of thinking in my opinion because it allows us to both help the company in the most impactful way and give us the best reward.

Inter-tenant IDOR testing

When two accounts share the same servers, that’s sometimes referred to as an inter-tenant infrastructure. It’s where multiple “tenants”, also known as “accounts”, share the same servers. The servers should only return the user’s own data and not data from other accounts; if they do, that would be a huge problem because it enables company espionage.

I tried to log in as “Yoogle — Admin” and opened a new container in my Firefox (using PwnFox).

PwnFox allows me to work in one window, but still log in to two separate accounts by just opening a new tab in what we call a container. This means that all the cookies and session variables are separate from the main Firefox window.

In the new tab, I logged in as “Gahoo — Admin”. I took the authorization headers from “Yoogle — Admin”, pasted them into Autorize and started clicking around.

  1. All your requests will show up in here
  2. This will show if access control is properly implemented
  3. Fill in the request header here that takes care of the authentication
  4. There are some filters I recommend you set:
     • Scope items only (no text required): This will ensure you won’t see too many weird non-scope-related requests
     • URL not contains (text): Any request that is supposed to be public information, I try to filter out in here

Interpreting the results

This is what the statuses for (2) mean:

ENFORCED: This means there is no IDOR/BAC. The modified request returns a 403 forbidden or any other error code.

Is Enforced?: This means the modified response did not return an error code, but is not the exact same response as the unauthenticated request.

Bypassed: THIS DOES NOT AUTOMATICALLY GUARANTEE AN IDOR/BAC! This means that the modified response matches the original response. You still have to confirm whether or not this is intended behavior. More often than not, it will be intended behavior. Whether or not it is, is up to your discretion, and this is also part of the reason why I recommend you really know your target well by exploring it before you hack. Always confirm this manually by:

  1. Right clicking the request
  2. Sending the modified request to the repeater
  3. Repeating the request and confirming you are seeing other peoples data that is not supposed to be public
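
The three statuses above, modelled as an added example (not from the original post and not Autorize's own code): a constructed toy multi-tenant API is replayed under a second tenant's session and with no session at all. The endpoints, users, data and the two "Bypassed" sub-labels are assumptions made for illustration; the unauthenticated comparison is one way to separate intended public data from a result that needs manual confirmation.

```python
# Added example: constructed toy multi-tenant API plus the three verdicts above.
# Not Autorize's code; endpoints, sessions and data are made up for illustration.
USERS = {"yoogle-admin": "yoogle", "gahoo-admin": "gahoo"}   # session -> tenant
INVOICES = {"yoogle": ["INV-1"], "gahoo": ["INV-9"]}
REQUESTS = {"yoogle": ["laptop"], "gahoo": ["monitor"]}

def handle(path, session=None):
    """Return (status, body) for a request made with the given session."""
    tenant = USERS.get(session)
    if path == "/pricing":                       # intentionally public
        return 200, "basic: 10/mo"
    if tenant is None:
        return 401, "login required"
    _, resource, owner = path.split("/")         # e.g. /invoices/yoogle
    if resource == "invoices":
        if owner != tenant:                      # tenant check present
            return 403, "forbidden"
        return 200, ",".join(INVOICES[owner])
    if resource == "requests":                   # BUG: tenant id from the URL is trusted
        return 200, ",".join(REQUESTS[owner])    # fix: same owner != tenant check as above
    if resource == "profile":                    # ignores the URL id, uses the session
        return 200, f"tenant={tenant}"
    return 404, "not found"

def verdict(path, owner_session, other_session):
    """Classify one endpoint the way the statuses above are described."""
    original = handle(path, owner_session)
    modified = handle(path, other_session)
    anonymous = handle(path, None)
    if modified[0] >= 400:                       # 403 or any other error code
        return "Enforced"
    if modified != original:                     # no error, but a different response
        return "Is enforced?"
    # Identical response: not a finding if anonymous users get the same data.
    if anonymous == original:
        return "Bypassed (public)"
    return "Bypassed (confirm manually)"

def run_matrix():
    """Replay Yoogle's requests with Gahoo's session and collect the verdicts."""
    paths = ["/pricing", "/invoices/yoogle", "/requests/yoogle", "/profile/yoogle"]
    return {p: verdict(p, "yoogle-admin", "gahoo-admin") for p in paths}

if __name__ == "__main__":
    for path, result in run_matrix().items():
        print(f"{path:20} {result}")
```

Only `/requests/yoogle` comes out as a result worth confirming by hand; the profile endpoint differs between sessions because the server derives the tenant from the session, which is why "Is enforced?" also needs a human look before it is dismissed.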

I didn’t find any IDORs, but that did not discourage me; I moved on to the next part.

Employee betrayal

Next I aimed my arrows at broken access control issues. This is one of my favorite issue types next to XSS. It’s not hard to find but you have to look a lot.

I logged in with “Yoogle — Employee” and used their authorisation headers in Autorize. I opened a new containerized tab with PwnFox and logged in as “Yoogle — Admin” and started clicking on functions that the employee should not be able to access. This quickly exposed the weaknesses of my enemy.

This program had a lot of broken access control issues in it, so I reported them all. Most of them were worth €250, some €125, but all of them medium. Some were dupes, some were informative (it’s the company’s call, accept it) and some were N/A because I tested wrong, but some were valid as well. All in all I ended up with about € 2000 in bounties from these broken access control issues.

I reported all that I could find and I even tested the program twice. After testing it a second time, I made a third pass and I kept on going until I was sure I would not find anything anymore. I found a few more IDORs as well, which contributed to the € 2000 total, but I was pretty satisfied this program was a match for my skills after fixing all the issues I reported.

This left me pretty sad because I liked testing on this target, of course I did! How could you not like a target that keeps on giving you issues? I was kind of sad but I had to pick another program and move on. It felt like saying goodbye to a friend…

The email

A few months later, I moved on and I gathered a fair few issues on other targets. Most of them were of the same caliber as before … IDOR, BAC, but I had now also added Business Logic Flaws to my arsenal of attacks. I made some more mistakes and reported some more crap reports; some were dupes but most were valid. I swiftly moved from target to target, reporting what I could and moving on, testing for at least 8 hours a day and going to bed with my target on my mind. I would wake up and jump on the computer to hack my targets and mow them down like a clean cut lawn… But I could never forget that first real good target.

It’s like that first kiss that you will never forget. It may sound a bit lyrical but these targets leave an impression on me; I find that having an emotional connection and actually caring helps a lot in finding impactful bugs. But then my phone vibrated. I expected the usual spam email or WhatsApp message asking me how the weather was over there, but instead I got an intriguing email.

The headline read “[Intigriti] Check out the updates to REDACTED”. I jumped out of my chair and ran to my computer to turn it on; this was my chance. This was the moment I had been waiting for. I had a skill set and I could be first to test a new feature; this is the stuff legends talk about. I hacked like my life depended on it. The new feature included requesting an item where a manager had to approve your request. The first thing I could think about was asking for items for other people (IDOR) and to my surprise it worked!

I think I have never opened Intigriti.com faster in my life than on that day. I rushed to write the most perfect report I could and send it, fully expecting the dreaded dupe email. It only took a few hours before that dreaded email came.

I opened my phone with sweating hands and of course, just as I do, it dies because the battery goes out.

I rush back to my computer, turn it on, get through the updates that Windows inevitably needs to do and open my Gmail. There it is!

Thank you very much for reading, amazing hacker. I hope you liked this and I hope you will find a Critical bug in the next hour!

Some details have been changed or redacted to not expose any details about the target.
