The target was a company that delivers financial solutions to corporates and institutions.

At first I used subfinder to find subdomains for the target and saved the output.

Then I used orwa's tool to find endpoints for the subdomains on VirusTotal; its name is virustotalx.

After that I noticed an endpoint on a subdomain like this: https://portal.redacted.com/onboarding

It was like a portal where users log in via a link sent to their email, then fill in the form details and the needed docs and submit them, and the program's employees review the submission and the docs to approve the financial status.

I noticed that when editing or submitting forms, the request was sent to another subdomain hosted on the original domain with a form ID for the target, and it uses the third-party service's name as the third-level domain, so it was like https://thirdparty.redacted.com

This was my first time encountering this third-party service for form submission, so I went to the third-party site and created an account to understand how it works and learn the hidden endpoints in it.

Now, after navigating through the third-party service as a user, I noted some endpoints. One of them was an endpoint that retrieves all the roles in the org without any authorization. I tried it on the target and it disclosed all the roles in the org.

(screenshot: all the org roles)

But still no impact so far; something was missing. When I tried the login endpoint found on the third-party service against the target, it was not found. So I used ffuf to fuzz for any publicly reachable endpoint.

ffuf -u https://third-party.target.com/FUZZ -w wordlist

But I didn't find anything. I tried more fuzzing with different wordlists but nothing again. Then, remember the form ID? I fuzzed after it with my user JWT token for the target, and what I found was really the start of the bug.
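From the defender's side, the fuzzing described above leaves a very characteristic trace: a burst of 404 responses from one client against paths under the same form ID. The following is an added example (not code from the write-up, the target, or the third-party form service) that parses combined-format access log lines and flags any client that produces a threshold number of 404s inside a sliding time window. The log lines, the IP addresses, the window of 60 seconds and the threshold of 5 are all constructed assumptions for the demonstration.

```python
"""Flag endpoint enumeration (bursts of 404s from one client) in web access logs.

Added example with constructed data; not from the target or the form service.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format lines, constructed for this example. 203.0.113.5 is
# walking a wordlist under one form ID; 198.51.100.7 is a normal user.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /forms/1234/login HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /forms/1234/admin HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /forms/1234/backup HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /forms/1234/config HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /forms/1234/debug HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /forms/1234/manage HTTP/1.1" 404 0
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /forms/1234/onboarding HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:50 +0000] "GET /forms/1234/favicon.ico HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_enumerators(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client: {"flagged_at": ts, "count": n, "paths": [...]}} for every
    client that reached `threshold` 404 responses within `window`.

    Lines are assumed to be in time order, as a log file normally is.
    """
    recent_404s = defaultdict(deque)   # client -> timestamps of recent 404s
    missed_paths = defaultdict(list)   # client -> paths that returned 404
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        client = rec["client"]
        q = recent_404s[client]
        q.append(rec["ts"])
        missed_paths[client].append(rec["path"])
        # Drop 404s that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = {
                "flagged_at": rec["ts"],
                "count": len(q),
                "paths": missed_paths[client][-threshold:],
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {info['count']} 404s by {info['flagged_at']}, e.g. {info['paths']}")
```

Because the fuzzing in the write-up was done with a valid user JWT, keying the counter on the authenticated subject from the token (where the application logs it) rather than on the source IP catches the same behaviour even when the client sits behind a shared NAT or proxy.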


Now we have the admin policy, the groups in the org, and the editors too, but the most important one was the manage endpoint. This was the login endpoint.


But I didn't have an employee account, and when I tried to click on register it wasn't working, so I removed login from the URL and typed register, and yes, I was redirected to the register form. I created an account but still had limited access because my role was anonymous. I tried to escalate my privileges but nothing worked. We are not done yet.

Here is where things get more exciting. When logging in with my anonymous account, I noticed an endpoint that retrieves my role from the server, so I tried to manipulate the response and set my role to admin, and yes, the UI changed and I had more endpoints accessible, but I couldn't create actions. The most important part was that there was a form URL, not normally accessible, that the employees use between themselves; I was able to access it and share it, and also other endpoints that retrieve confidential info.
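The two weaknesses that gave this finding its impact are a role-listing endpoint with no authentication at all, and data endpoints whose access decision effectively follows the role the client reports rather than the role the server holds for the session. The UI hiding a button is not an access control; each endpoint has to re-derive the caller's role server-side. Below is an added example (not the form service's API, nor code from the write-up) that models both a vulnerable request handler and its hardened counterpart. The session tokens, roles, paths and the confidential form URL are all constructed placeholders.

```python
"""Server-side authorization for a form-portal API: vulnerable vs. hardened.

Added example. Session tokens, roles, paths and resources are constructed
placeholders, not the third-party service's real API.
"""

# Constructed server-side session store: opaque token -> (user, role).
# In a real service this is the validated JWT subject resolved against the
# user database; the role is never read from the request body.
SESSIONS = {
    "tok-employee-1": ("alice", "editor"),
    "tok-anon-1": ("mallory", "anonymous"),
}

ORG_ROLES = ["admin", "editor", "anonymous"]
CONFIDENTIAL = {"internal_form_url": "https://forms.example.invalid/f/42"}  # placeholder

# Which roles may reach which endpoint. Everything not listed is unknown (404).
PERMISSIONS = {
    "/org/roles": {"admin", "editor"},
    "/org/manage": {"admin"},
    "/forms/internal": {"admin", "editor"},
}

RESOURCES = {
    "/org/roles": ORG_ROLES,
    "/org/manage": {"actions": ["approve", "reject"]},
    "/forms/internal": CONFIDENTIAL,
}


def vulnerable_handler(path, token=None, claimed_role=None):
    """Pattern from the write-up: the role listing skips authentication, and
    the access decision uses the role the client claims to have.
    Returns (http_status, body)."""
    if path == "/org/roles":
        return 200, ORG_ROLES                       # no auth check at all
    role = claimed_role or "anonymous"              # trusts the client
    if path in PERMISSIONS and role in PERMISSIONS[path]:
        return 200, RESOURCES[path]
    return 403, None


def hardened_handler(path, token=None, claimed_role=None):
    """Role comes only from the server-side session; every endpoint, the role
    listing included, is checked against PERMISSIONS. claimed_role is ignored."""
    if token not in SESSIONS:
        return 401, None                            # not authenticated
    _user, role = SESSIONS[token]
    if path not in PERMISSIONS:
        return 404, None
    if role not in PERMISSIONS[path]:
        return 403, None                            # authenticated but not allowed
    return 200, RESOURCES[path]


if __name__ == "__main__":
    # Anonymous user claiming to be admin: leaks under the vulnerable handler,
    # 403 under the hardened one.
    print(vulnerable_handler("/forms/internal", "tok-anon-1", claimed_role="admin"))
    print(hardened_handler("/forms/internal", "tok-anon-1", claimed_role="admin"))
```

The hardened handler also returns 401 for the unauthenticated role listing and 404 for unknown paths, so neither an anonymous caller nor a fuzzing run learns the role inventory from it.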

Finally I rested and reported it. To be honest I got bored of it because I wanted to get admin access, but they were securing it well.


And they awarded me with a $$$ bounty and a $$$ bonus. It wasn't that much.


And finally alhamdulillah.

My Linkedin: https://www.linkedin.com/in/momen-ahmed-a34038265/