I am blackmambaa001, a security researcher, hungry learner and bug bounty hunter with a strong interest in web application security, especially authentication and session management flaws.

Also, my bounty story is very interesting. I can't talk about it while I'm stressed from the trip, so let's get to our title.

I started learning bug bounty driven by curiosity and a desire to understand how applications work internally. That curiosity eventually led to my first valid bug bounty and my first Critical vulnerability.

This article shares the story of that experience.

Ready with a drink, aah.. bubble tea + french fries.


About the Target Application

This is how it starts. The target is an online site selling products related to the most popular game, Free Fire. There was a strange freeze when logging in, and many other odd things came up (like purchase notifications without registering, etc.), so I immediately started checking it.

Next, I went to the registration section with my kit on (Burp + temp mail).

I didn't know anything about this application, and my first step was not recon or findings but a direct jump into testing.

In the register section, I intercepted the request related to email verification before filling in the other fields.

Booooom…! Flag captured: the OTP code was sent back in the response to that request.


This is something that many bug hunters don't think about or consider, but I'll show you what you can do with it.

Okay, we're getting a little off topic now; let me tell you how one weakness can affect the entire system.

A little reminder: I'm writing this as a story because I think you might not understand if I just say what I need to say in short. I'm writing it so that you can see how I thought about it, starting from a small point and going all the way to the point where I hacked the entire system.

All I did was complete my registration and create my profile. Then I started researching this entire application: what technologies are used in it, how things run inside, etc. Then I found some really cool things; you would think that to find these things you must know the application very well.

  • There are several payment methods to make a payment, and the user who registers will receive a separate wallet for each payment method.

If we look further, one of the payment options here is Binance Pay, but it does not work the way you might expect, where selecting that option shows the seller's account details and you make a transaction through Binance. What happens here is quite the opposite. When a new user registers, that user gets a wallet tied to Binance/ezcash. If the user cannot pay with a Visa card later, they can contact the site owner/admin, have that wallet recharged, and purchase goods through it at any time.

* For example: when I contact the admin and give him $10, he puts that money into the wallet in my profile, so when I buy something I can pay through that option.

Next, as I said, I started looking seriously. This time I found something else interesting, and I made a small payment.

Boom…! IDOR


invoice.php?order_id=13034 is the invoice for my payment. Later, when I was checking the others, I noticed something else: the relevant user's email is shown in the section related to the payment, so I can take over that account, because of the OTP flaw we found first 😊

But now you may wonder: what is the benefit of taking over such users' accounts?

Honestly, think about my next step from what I have said so far. Keep your answer in mind and read on. What you really thought is below. Trust me, your thinking pattern is exactly right. You are not an ordinary person. haccccrrrrrrrr…

Finding users who use wallets and searching for their emails


Hey, what you see next is the payment method each user used to pay each relevant invoice. Now, do you think what I thought?

Then I was able to find the latest order ID from my own order ID. It was fairly large, around 130##. What if I go through the IDs up to 13000+, like 2500, 2501, 2502 …? So I decided to write a Python script for this. I wanted to find the users who had purchased one or more services and who had paid through methods other than a Visa card. Then I used it to do what I needed.


Found…!


So now we can buy things by getting the relevant email from the order ID, bypassing email verification through the OTP flaw, and using that user's wallet.
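On the defender's side, the enumeration described above leaves a clear trace in the access log: one client pulling invoice.php with many different order_id values in a short window. The following detector is an added example, not code from the original post; the log lines, IP addresses and thresholds are constructed for illustration, and the sequential `order_id` check is an extra heuristic that goes beyond what the post itself describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic).
# 10.0.0.5 walks consecutive order_id values; 10.0.0.9 only opens its own invoice twice.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /invoice.php?order_id=13034 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /invoice.php?order_id=12990 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /invoice.php?order_id=13035 HTTP/1.1" 200 2299 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /invoice.php?order_id=13036 HTTP/1.1" 200 2305 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "GET /invoice.php?order_id=13037 HTTP/1.1" 200 2301 "-" "python-requests/2.31"
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "GET /invoice.php?order_id=13038 HTTP/1.1" 200 2307 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /invoice.php?order_id=12990 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ORDER_RE = re.compile(r"/invoice\.php\?(?:.*&)?order_id=(\d+)")

def parse_line(line):
    """Return (ip, timestamp, order_id) for an invoice request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    o = ORDER_RE.search(m["path"])
    if not o:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(o.group(1))

def consecutive_steps(ids):
    """Count how many adjacent pairs in a sorted id list differ by exactly 1."""
    return sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)

def detect_enumeration(log_text, threshold=4, window=timedelta(minutes=5)):
    """Flag clients that request >= threshold distinct order_ids within `window`.
    Returns {ip: sorted distinct order_ids seen in the first offending window}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])
    alerts = {}
    for ip, hits in per_ip.items():
        hits.sort()  # chronological order, so each hit can open a sliding window
        for i, (start, _) in enumerate(hits):
            ids = {oid for ts, oid in hits[i:] if ts - start <= window}
            if len(ids) >= threshold:
                alerts[ip] = sorted(ids)
                break
    return alerts
```

Run `detect_enumeration(SAMPLE_LOG)` to get the offending client with its id range; `consecutive_steps` on that list shows how sequential the walk was, which separates a scripted sweep from a user clicking through their own order history.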

So, if this continues like this, I will become a writer. This is my last post, and I must say that I decided to tell only this part in this section. In this same system, I took over the entire system: payment bypass, admin dashboard access, price manipulation, business logic bypass.

I'll post about that too. But if you want me to change my writing style and make it more professional, let me know and I'll fix the flaws in the next post.

Follow for real-world hacking walkthroughs :]

Thank you,

blackmambaa001