Hello friends, I'm tomahawk0ctf. Today, I'll talk about a logic flaw that leads to a High-Severity Information Disclosure.
In an era dominated by AI agents and automated tools, many bug hunters have abandoned manual testing. I'm not saying AI isn't important, but ask yourself: if you only do what everyone else is doing, how will you find unique bugs? You should earn the bounty before you get it, and that only comes through deep, manual inspection.
The Discovery
While performing a pentest on a target (let's call it target.com), I focused on the password reset functionality. The application uses an API to send an OTP to the user's email.
The original request looked like this:
---
POST /api/v1/forgot-password HTTP/2
Host: api.target.com
Content-Type: application/json

{"identifier":"email1@test.com"}
---

The Attack Vector: Parameter Manipulation
First, I tried a classic Parameter Pollution by sending two identifiers:
---
{"identifier":"email1@test.com", "identifier":"email2@test.com"}
---

Result: The server simply processed the last email as the primary one and sent the OTP there. No bug here, just standard behavior.
The Turning Point: Function Confusion
I decided to push further by providing an unexpected value — a JSON Array instead of a String. This is a technique designed to confuse the backend function's logic and test how it handles different data types.
The modified request:
---
POST /api/v1/forgot-password HTTP/2
Host: api.target.com
Content-Type: application/json

{"identifier":["email1@test.com","email2@test.com"]}
---

The Result: 500 Internal Server Error & Data Leak
The server couldn't handle the array and crashed, returning an HTTP 500 response. Because Debug Mode was active, the response body leaked highly sensitive server data through a TypeError stack trace:
---
{
  "message": "Ichtrojan\Otp\Otp::generate(): Argument #1 ($identifier) must be of type string, array given, called in /var/www/html/target/app/Http/Controllers/Api/V1/User/AuthController.php on line 65",
  "exception": "TypeError",
  "file": "/var/www/html/target/vendor/ichtrojan/laravel-otp/src/Otp.php"
}
---

What did we find?
- Full Path Disclosure (FPD): Revealed the internal directory structure (/var/www/html/target/).
- Internal Logic: Exposed the exact controller and line of code handling the request.
- Third-Party Library: Identified the use of the ichtrojan/laravel-otp package from its vendor path in the trace.
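As an added example (not part of the original write-up, and not the target's code), here is a Python stand-in for the flow described above: a strictly typed OTP function, the handler pattern that passes the decoded field straight through and reflects the exception when debug mode is on, a hardened handler that checks the field's type before the typed call and returns a constant error, and a check that flags responses carrying trace markers. The function names, messages and marker list are assumptions.

```python
import json
import traceback

# Constructed stand-in for the OTP library's entry point. Like a PHP method
# declared generate(string $identifier), it refuses anything but a string.
def generate_otp(identifier: str) -> str:
    if not isinstance(identifier, str):
        raise TypeError(f"generate(): Argument #1 (identifier) must be of "
                        f"type str, {type(identifier).__name__} given")
    return f"otp-sent-to:{identifier}"  # placeholder for the real send

def vulnerable_handler(body: str, debug: bool = True) -> tuple[int, dict]:
    """Passes the decoded field straight to the typed call; with debug on,
    a crash reflects the exception message and traceback to the client."""
    data = json.loads(body)  # duplicate keys: the last value wins
    try:
        generate_otp(data["identifier"])
        return 200, {"message": "If the account exists, an OTP was sent"}
    except Exception as exc:
        if debug:
            return 500, {"exception": type(exc).__name__,
                         "message": str(exc),
                         "trace": traceback.format_exc()}
        return 500, {"message": "Server Error"}

def hardened_handler(body: str) -> tuple[int, dict]:
    """Checks the shape of the input before any typed call, and never
    reflects exception details whatever the debug setting."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"message": "Malformed JSON"}
    identifier = data.get("identifier") if isinstance(data, dict) else None
    if not isinstance(identifier, str) or "@" not in identifier:
        return 422, {"message": "identifier must be a single email address"}
    try:
        generate_otp(identifier)
    except Exception:
        # log the details server-side; the client gets a constant message
        return 500, {"message": "Server Error"}
    return 200, {"message": "If the account exists, an OTP was sent"}

# Markers a log review or response filter can key on (assumed list).
LEAK_MARKERS = ("TypeError", "Traceback", "/var/www/", ".php on line")
def leaks_internals(status: int, response: dict) -> bool:
    """Flags a 5xx whose body carries stack-trace or filesystem markers,
    i.e. debug output reaching clients."""
    text = json.dumps(response)
    return status >= 500 and any(m in text for m in LEAK_MARKERS)
```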
Final Thought
This bug is a reminder that manual testing is still king. Don't just rely on your tools; try to feed every parameter unexpected values (arrays, booleans, nulls). You never know when a function will get "confused" and hand you the keys to the server.
I hope you found this write-up useful.
Happy Hacking! tomahawk0ctf