This is Abdul Haq Khokhar, Bug Bounty Hunter and Penetration Tester. I recently participated in a self-hosted bug bounty program with a policy of offering a maximum reward of $500 per researcher, regardless of the number of valid bug reports submitted. Due to confidentiality, let's assume the target was `example.com`.

The target was a delivery service platform with over 5.4 million registered drivers (based on Driver IDs). During my initial testing, I discovered two critical IDOR (Insecure Direct Object Reference) vulnerabilities in the "Modify-Driver" and "Delete-Driver" features. These vulnerabilities posed significant security risks:

1) Driver Account Deletion:

This issue allowed me to delete any driver account, including all 5.4 million registered drivers, by manipulating the `DriverID` parameter.

2) Driver Account Modification:

This issue enabled me to modify sensitive details like the driver's full name, email, and contact number. It even allowed for account takeover, leading to unauthorized access and potential misuse.

Steps to Modify a Driver Account:

Endpoint: https://www.example.com/ng/api/v3/resources/drivers/{DriverID}

Steps:

1. Access the endpoint with a valid `DriverID` (e.g., `5438755`).

2. Replace the `DriverID` in the URL with another driver's ID (e.g., `5438756`).

3. Send a POST request to modify details like name, email, and contact number.

Steps to Delete a Driver Account:

Endpoint: https://www.example.com/ng/api/v3/resources/drivers/{DriverID}/delete

Steps:

1. Intercept the delete request.

2. Replace the `DriverID` with another driver's ID.

3. Forward the request to delete the targeted account.

Here's what the two vulnerable requests looked like (omitted headers are shown as `...`):

Modify-Driver request:

```http
POST /ng/api/v3/resources/drivers/{DriverID} HTTP/2
Host: www.example.com
Cookie: DELETED
...
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

{Data}
```

Delete-Driver request:

```http
POST /ng/api/v3/resources/drivers/{DriverID}/delete HTTP/2
Host: www.example.com
Cookie: DELETED
...
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
```
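The root cause in both endpoints is the same: the server acts on whatever `DriverID` appears in the URL without checking that the authenticated session owns it. The example below is added here to illustrate the fix; it is not the platform's code. It assumes a hypothetical `Session` object carrying the driver identity bound to the cookie, an in-memory `DriverStore` with constructed sample records, and that a driver may only modify or delete their own record. The vulnerable handler is kept beside the hardened one so the missing check is visible.

```python
"""Object-level authorization for driver endpoints (added example, not the platform's code)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the referenced DriverID."""


@dataclass
class Session:
    driver_id: int  # hypothetical: identity bound to the session cookie by the auth layer


@dataclass
class DriverStore:
    drivers: dict = field(default_factory=dict)  # DriverID -> profile


def make_store() -> DriverStore:
    # Constructed sample data; IDs only mimic the shape used in the report.
    return DriverStore({
        5438755: {"name": "Driver A", "email": "a@example.com", "contact": "000"},
        5438756: {"name": "Driver B", "email": "b@example.com", "contact": "111"},
    })


# --- Vulnerable pattern: trusts the DriverID taken from the URL ---------------
def modify_driver_vulnerable(store: DriverStore, session: Session, driver_id: int, changes: dict) -> dict:
    # No ownership check: any valid DriverID in the path is updated.
    store.drivers[driver_id].update(changes)
    return store.drivers[driver_id]


def delete_driver_vulnerable(store: DriverStore, session: Session, driver_id: int) -> bool:
    return store.drivers.pop(driver_id, None) is not None


# --- Hardened pattern: authorize the object before any read or write ---------
def authorize(session: Session, driver_id: int) -> None:
    """Reject the request unless the session owns the referenced DriverID."""
    if session.driver_id != driver_id:
        raise Forbidden(f"session for {session.driver_id} may not act on {driver_id}")


ALLOWED_FIELDS = {"name", "email", "contact"}  # fields the driver may edit


def modify_driver(store: DriverStore, session: Session, driver_id: int, changes: dict) -> dict:
    authorize(session, driver_id)
    if driver_id not in store.drivers:
        raise KeyError(driver_id)
    # Allow-list the editable fields so unexpected keys in the body are dropped.
    store.drivers[driver_id].update({k: v for k, v in changes.items() if k in ALLOWED_FIELDS})
    return store.drivers[driver_id]


def delete_driver(store: DriverStore, session: Session, driver_id: int) -> bool:
    authorize(session, driver_id)
    return store.drivers.pop(driver_id, None) is not None


def denied(fn, *args) -> bool:
    """Helper for demonstrations: True if fn(*args) is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    own = Session(driver_id=5438755)
    print("vulnerable cross-account edit:", modify_driver_vulnerable(make_store(), own, 5438756, {"name": "X"}))
    print("hardened cross-account edit denied:", denied(modify_driver, make_store(), own, 5438756, {"name": "X"}))
```

The check lives in one `authorize` function called by every handler that takes a `DriverID`, which is the shape reviewers should look for: a handler that reaches the data layer without passing through it is the bug.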

Impact:

An attacker could automate this process to delete or modify all driver accounts, causing massive data loss and service disruption.
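Because the automation described above would show up as one session touching many `DriverID` values that are not its own, the server-side logs are enough to detect it after the fact. The example below is added here and is not the platform's tooling: it assumes a constructed access log with one line per request (`session method path`) and a hypothetical `SESSION_OWNER` mapping from session to the authenticated driver, and reports every session that modified or deleted a record it does not own.

```python
"""Detect cross-account access to driver endpoints from access logs (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic: session_id, method, path.
SAMPLE_LOG = """\
sess_a POST /ng/api/v3/resources/drivers/5438755
sess_a POST /ng/api/v3/resources/drivers/5438756
sess_a POST /ng/api/v3/resources/drivers/5438757/delete
sess_a GET  /ng/api/v3/resources/drivers/5438757
sess_b POST /ng/api/v3/resources/drivers/5438760
sess_b GET  /ng/api/v3/resources/drivers/5438760
sess_c GET  /ng/api/v3/health
"""

# Hypothetical session -> authenticated DriverID mapping, as the auth layer would record it.
SESSION_OWNER = {"sess_a": 5438755, "sess_b": 5438760, "sess_c": 5438770}

# Matches the two endpoints from the report and captures the DriverID and the /delete suffix.
DRIVER_PATH = re.compile(r"^/ng/api/v3/resources/drivers/(\d+)(/delete)?$")


def parse_line(line: str):
    """Return (session, method, driver_id, is_delete) or None for non-driver paths."""
    parts = line.split()
    if len(parts) != 3:
        return None
    sess, method, path = parts
    m = DRIVER_PATH.match(path)
    if not m:
        return None
    return sess, method, int(m.group(1)), m.group(2) is not None


def find_cross_account_access(log_text: str, owners: dict) -> dict:
    """Map each session to the sorted list of foreign DriverIDs it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sess, _method, driver_id, _is_delete = parsed
        owner = owners.get(sess)
        if owner is not None and driver_id != owner:
            hits[sess].add(driver_id)
    return {sess: sorted(ids) for sess, ids in hits.items()}


def count_foreign_deletes(log_text: str, owners: dict) -> dict:
    """Count deletes per session that targeted a DriverID the session does not own."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sess, _method, driver_id, is_delete = parsed
        if is_delete and owners.get(sess) not in (None, driver_id):
            counts[sess] += 1
    return dict(counts)


if __name__ == "__main__":
    print(find_cross_account_access(SAMPLE_LOG, SESSION_OWNER))
    print(count_foreign_deletes(SAMPLE_LOG, SESSION_OWNER))
```

On the sample above only `sess_a` is flagged; `sess_b` only ever touches its own record. The same comparison is what the endpoint itself should have performed before acting, so the detector doubles as a regression check once the fix is deployed: after the fix, any non-empty result means a handler is still missing the authorization call.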

Team Response:

Thanks for getting back in touch — I'm happy to confirm the previous bug report. Thanks for flagging the two additional vulnerabilities — historically we've paid $500 per individual reporter, not per bug. I'm impressed by the thorough job you've done, so once we've verified the two additional vulnerabilities I'd be happy to offer a total of $1000 for the three issues identified.

Bounty Reward:

While the program had a public policy of offering a maximum reward of $500, they were impressed by the impact of my findings. As a result, they historically decided to reward me $1,000 for my submissions. We are still in discussions about how we can work together as many IDOR vulnerabilities still exist. I'm fully expecting the full Pentest project. Fingers crossed!

Let's connect on LinkedIn! https://www.linkedin.com/in/abdulhaqkhokhar