Hello guys!! Hope you all are doing good.. This is my first ever writeup/article/blog whatever you like to call it. So let’s get startedddd…
Before starting my hunting process, I like to maintain a .txt file where I jot down what’s in scope and what’s not in scope. Also I have a checklist where I have listed all the bugs that I would look for based on the target. It is considered as a good practice and you can make one here Notion.so.
So I was testing on a website lets say redacted.com. This was a job finding website wherein you can create an account, add your details (name, address, contact, DOB ), upload your resume and apply to various companies.
So I fired up my Burpsuite and started browsing through the website as a normal user getting familiar to the functionalities offered. Once I completed my browsing I had a look at the HTTP history as to see what params and endpoints have been collected.
One endpoint instantly caught my attention and thought this need some testing. The endpoint was /api/v2/candidates/me
This endpoint basically fetched the user details. The first thing that strikes my mind after looking at this was to test for IDOR hands down!! So I started adding numbers by replacing “me”. Also replaced “me” with admin, Admin, accounts, basic names, tried changing version to v1 but no luck..
I then remembered that SecLists one of best curated wordlists contain some common api_endpoints.txt file. So I thought why not try some fuzzing. So I started Burp Intruder, loaded the api_endpoints.txt file and started the fuzzing. AND to my surprise I found a 200Ok on /api/v2/users. I checked the response and it leaked PII of more than 7k users on the website!!! I was like..
Reported and awarded €€
Takeaways: Fuzzing is your best friend :)
Also feel free to get in touch with me, would be happy to share and learn. I will be back with a new writeup soon. Until then ciao..!!
Pratish Bhansali - Prakash College - Mumbai, Maharashtra, India | LinkedIn
View Pratish Bhansali's profile on LinkedIn, the world's largest professional community. Pratish has 1 job listed on…