Hey Hackers, I am Parth Narula. A penetration tester, bug hunter, red teamer and overall a security researcher. I live for those moments where a bit of out-of-the-box thinking cracks open a critical vulnerability.
This is the story of a business-logic vulnerability whose impact is that an attacker can make all of a shop's reviews disappear.
So far, I have written about IDORs and Privilege Escalation issues in my previous 10 articles. If you haven't read them yet, please do. Now, let's talk about one of my other findings.
This bug was found in the same company where I earlier discovered multiple IDORs and other vulnerabilities. The article for that is available HERE.
Let's assume the target is: https://REDACTED/shop-XX1865
On this page, we can see that the shop has an overall rating of 4.8 with 250 reviews. (You will notice the review message "hack message", which was posted by me from another user's account due to an IDOR. I have already explained that in the linked article.)

When I tried to rewrite a review and captured the API request to /api/reviews/save, the request looked like this:
{
  "stars": 5,
  "message": "hack message",
  "userId": "7618749",
  "bookingId": "89563870-NSZXWR9EM"
}

Everything looks normal here. We can change the message, stars, userId, etc. When this request is sent, the server responds with 200 OK and "saved": true.

While testing, I got curious and thought: what if I change the stars value to something out of range, like more than 5?
So I changed "stars": 5 to "stars": 6 and replayed the request. The server still responded with 200 OK and "saved": true.

After that, I refreshed the shop page.
Now, instead of showing reviews, the page displayed the message: "Not enough reviews yet"
All reviews were gone. At first glance, it looked like all reviews had been removed, which could seriously damage a shop's reputation and business.

To test further, I replayed the same request again, but this time I set the stars back to a valid value: "stars": 3

The server again returned 200 OK. After reloading the page, all reviews came back :)

This confirms that an attacker can hide all reviews for a shop just by submitting a review with an out-of-range star value, and bring them back by submitting one with a valid value.
This makes the issue dangerous, as it can be abused to harm any shop owner on the platform. Behind this, there is another bug, which I will explain in a future article, if you support this one ^_^
Lessons learned
- Always test out-of-range values for numeric parameters like ratings.
- A 200 OK response does not mean the application is working correctly; always check the final impact.
- Small validation issues can cause large business impact, especially in trust-based features like reviews.
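To make the request replay and the lessons above concrete, here is an added Python example (not code from this write-up and not the target's own code) that models the /api/reviews/save handler two ways: one that accepts any "stars" value and answers "saved": true, as the endpoint did during testing, and a hardened one that validates the rating on the server side. The probe() helper replays the captured request body with the out-of-range and wrong-type values a tester should try. The handler functions, the in-memory store, the session parameter and the boundary-value list are hypothetical; only the userId and bookingId values are taken from the request shown above.

```python
import json

# Hypothetical in-memory review store, keyed by bookingId (constructed for this example).
VALID_STARS = range(1, 6)  # a rating is an integer from 1 to 5 inclusive

# Request body captured in the write-up, with "stars" swapped in by the caller.
CAPTURED_REQUEST = {
    "message": "hack message",
    "userId": "7618749",
    "bookingId": "89563870-NSZXWR9EM",
}


def save_review_vulnerable(store: dict, body: str, session_user_id: str) -> dict:
    """Models the endpoint as observed: stores whatever 'stars' and 'userId'
    the client sends and always answers 200 / saved: true."""
    req = json.loads(body)
    store[req["bookingId"]] = {
        "stars": req.get("stars"),
        "message": req.get("message"),
        "userId": req.get("userId"),  # trusts the body, which is the IDOR from the earlier article
    }
    return {"status": 200, "saved": True}


def save_review_hardened(store: dict, body: str, session_user_id: str) -> dict:
    """Same endpoint with server-side validation (hypothetical fix):
    rejects ratings that are not integers in 1..5 and ignores the client-supplied userId."""
    req = json.loads(body)
    stars = req.get("stars")
    # bool is a subclass of int in Python, so `true` would otherwise pass as 1.
    if isinstance(stars, bool) or not isinstance(stars, int) or stars not in VALID_STARS:
        return {"status": 400, "saved": False,
                "error": "stars must be an integer from 1 to 5"}
    store[req["bookingId"]] = {
        "stars": stars,
        "message": str(req.get("message", "")),
        "userId": session_user_id,  # identity comes from the session, never from the body
    }
    return {"status": 200, "saved": True}


def boundary_values() -> list:
    """Values worth replaying for a numeric 1..5 parameter: out of range,
    wrong type, and JSON literals that coerce surprisingly."""
    return [0, -1, 6, 100, 2 ** 31, 5.5, "5", True, None]


def build_body(stars) -> str:
    """Serialise the captured request with a chosen 'stars' value."""
    return json.dumps({"stars": stars, **CAPTURED_REQUEST})


def probe(handler) -> dict:
    """Replay the captured request once per boundary value against a fresh store
    and report which values the handler accepted (repr(value) -> saved flag)."""
    results = {}
    for value in boundary_values():
        store = {}
        resp = handler(store, build_body(value), session_user_id="7618749")
        results[repr(value)] = resp["saved"]
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(save_review_vulnerable))
    print("hardened:  ", probe(save_review_hardened))
```

The vulnerable handler accepts every value in the list, which is exactly the behaviour that let "stars": 6 reach the database; the hardened one accepts only integers 1 to 5 and returns 400 for everything else, so a replay with 6 can no longer affect what the shop page renders.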
I hope you learned something new. Follow for more amazing articles and give claps if you like this one :)
Need expert pentesting services? Visit https://scriptjacker.in or let's collaborate on your next project! 🤝
Want to learn from my experiences? Check out my articles on https://blogs.scriptjacker.in