Welcome to Day 16/32.
I’ve got some good news — a bounty was paid last night, and I managed to escalate a vulnerability from a year ago that had been marked as informative to a medium.
I’ll start with the bounty payment. I was about to go to sleep when I received an email notification about a report I’ve been waiting on to get paid (I’ve mentioned it before, I think). I was expecting $100, since that aligned with the severity the team had decided on, but things took an unexpected turn (for the better).
As you can see from the first screenshot, I got paid a lot more than the $100 I was expecting for the report. I usually don’t like getting into numbers when it comes to bug bounty, but I’ll make an exception for this case. The report is marked as low, and the corresponding payment for that is $100, but here’s what’s different about this report: I was able to leak user PII data through a vulnerable implementation of a certain endpoint (I obviously cannot reveal which). Because it was not a vulnerability on the company’s own server it was marked as low, but the impact was worth the $935 bounty (the maximum payout on the program for this type of vulnerability).
Then, in the morning, a report from a year ago randomly came to mind; it had been unfairly closed as informative. I now had an idea of how I could escalate it, so I put my theory to the test and chained that report with new bugs I had in mind. It turns out I was right, so I immediately got to writing the report, finished it, and submitted it. We’ll see how that goes; I’ll keep you updated.
Lastly, after I finished reporting, I suddenly remembered one of the requests I had come across: what if I changed the request method? I sent out an OPTIONS request, and it came back allowing GET and HEAD only, but I ignored this and went on to use PUT. It worked, so I switched the “id” in the request to another “id” I own (not tied to the current account), and that worked too. There was a problem, though: the response gave a JSON error. Then I thought to myself, maybe I should send this to “Param Miner” to find parameters, and here are the results.
As you can see, those are really interesting results, but the most interesting parameter to me was “Name”, so I went on and changed that value, and
Access denied. Even though I did not get an IDOR, I’m happy that I was able to discover the existence of this “hidden” endpoint by changing the request method and finding its JSON parameters.
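The two steps above (checking whether the server really honours only the verbs its OPTIONS response advertises, then adding candidate JSON keys one at a time and keeping the ones that change the response) are easy to script. The following is an added example written for this post, not the author’s own tooling and not Param Miner; it runs against a constructed mock endpoint (`/api/profile`, the hidden keys `name`/`email`/`role`, and the status codes are all made up for illustration) through a pluggable `send(method, path, body)` function, so swapping in a real HTTP client is the only change needed to use it on a target you are authorised to test.

```python
"""Method probing and JSON parameter discovery (added example, constructed mock target)."""
import json

# Constructed mock of a hypothetical /api/profile endpoint. It mirrors the behaviour
# described in the post: OPTIONS advertises GET/HEAD only, yet PUT is accepted, and
# the JSON body has undocumented keys that change the response. Not a real target.
_HIDDEN_KEYS = {"name", "email", "role"}


def mock_send(method, path, body=None):
    """Return (status, headers, text) the way a thin HTTP wrapper would."""
    if path != "/api/profile":
        return 404, {}, "not found"
    if method == "OPTIONS":
        return 204, {"Allow": "GET, HEAD"}, ""
    if method in ("GET", "HEAD"):
        return 200, {}, json.dumps({"id": 1001})
    if method == "PUT":
        try:
            data = json.loads(body or "")
        except ValueError:
            return 400, {}, json.dumps({"error": "invalid json"})
        if "id" not in data:
            return 400, {}, json.dumps({"error": "missing field"})
        touched = _HIDDEN_KEYS & set(data)
        if touched:
            return 403, {}, json.dumps({"error": "access denied", "fields": sorted(touched)})
        return 200, {}, json.dumps({"updated": data["id"]})
    return 405, {"Allow": "GET, HEAD"}, ""


VERBS = ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"]


def probe_methods(send, path, body='{"id": 1001}'):
    """Compare what OPTIONS advertises with what the server actually accepts.

    Returns (advertised_verbs, undocumented) where undocumented lists verbs that are
    missing from the Allow header but were not rejected with 405/501.
    """
    _, headers, _ = send("OPTIONS", path)
    advertised = {v.strip().upper() for v in headers.get("Allow", "").split(",") if v.strip()}
    undocumented = []
    for verb in VERBS:
        payload = body if verb in ("POST", "PUT", "PATCH") else None
        status, _, _ = send(verb, path, payload)
        if verb not in advertised and status not in (405, 501):
            undocumented.append((verb, status))
    return advertised, undocumented


def discover_json_params(send, method, path, base_body, wordlist, value="x"):
    """Add one candidate key at a time to base_body and keep the keys whose response
    (status or body) differs from the baseline. Same diffing idea as Param Miner,
    without its noise reduction: repeat the baseline request first on a real target
    to make sure the response is stable before trusting any diff.
    """
    b_status, _, b_text = send(method, path, json.dumps(base_body))
    found = {}
    for key in wordlist:
        if key in base_body:
            continue  # already part of the request, nothing to discover
        candidate = dict(base_body)
        candidate[key] = value
        status, _, text = send(method, path, json.dumps(candidate))
        if (status, text) != (b_status, b_text):
            found[key] = status
    return found


if __name__ == "__main__":
    allowed, extra = probe_methods(mock_send, "/api/profile")
    print("Allow header:", sorted(allowed), "| accepted but undocumented:", extra)
    # Constructed mini wordlist; a real run would use a proper parameter list.
    hits = discover_json_params(mock_send, "PUT", "/api/profile", {"id": 1001},
                                ["name", "title", "email", "id", "color"])
    print("keys that change the response:", hits)
```

Against the mock, `probe_methods` reports PUT as accepted despite the `Allow: GET, HEAD` header, and `discover_json_params` flags `name` and `email` because adding them flips the response to 403, which is exactly the signal that a key is being read server-side even when you are not allowed to set it.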
Happy hacking. See you tomorrow❤