How I Earned $$$ for Excessive Data Exposure Through Directory Traversal Leading to Product Price Manipulation
Hi Folks 👋,
This is my second small write-up ✍️. This time I am writing about the first bounty I received from a private program. Let’s say the domain is called Redact.com.
API3:Excessive Data Exposure
Excessive data exposure (API3 in the OWASP API Security Top 10) is the vulnerability where an API returns more data than the client needs and relies on the client to filter it, so sensitive fields reach anyone who can call the endpoint. The exposed data can include passwords, credit card numbers, social security numbers, internal identifiers and, as in this case, coupon codes and the names of the customers they were issued to. It usually arises when the server serialises whole objects instead of an allowlisted set of fields, or when the endpoint lacks an authorisation check, and it lets a malicious actor read data that should have stayed private.
Since Redact.com had a medium-sized scope, I started with subdomain enumeration; only a few of the results were in scope and the rest belonged to third-party domains.
Moving on to the main application, I went through each functionality to get an idea of how the application works.
Attack Scenario: 🛠
They have a couple of products in the application, used to organize documents, so I decided to check their product purchasing flow.
First I fired up Burp Suite, selected a product and added it to the cart while intercepting the cart requests. I checked each request’s response but didn’t find anything interesting. After going through all the requests I was done for that day 🌃!
The very next day, with a fresh mind, I focused on the same scenario again, this time more carefully. Then I noticed that one of the add-to-cart requests had a parameter base
base=https://www.redact.com
and another parameter, next, in the URL!
next=https://www.redact.com/cart?sku=0000000
Then I started playing with these parameters one after another to find something special. Interestingly, the base parameter was unlocked by throwing a “ /../../../../../../ ” payload at it via simple directory traversal!!
This landed me on another subdomain, which exposed sensitive information in JSON format 🔎
https://api.redact.com/numericalvalue/cart/list.ext?id=
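User-controlled base and next parameters are exactly the kind of input that needs to be validated before the server builds a URL or a redirect from them. The following is an added example of such a check, written for this write-up; it is not Redact.com’s code. It assumes a hypothetical allowlist containing only www.redact.com and rejects traversal segments (plain and percent-encoded), off-host targets, userinfo tricks and non-https values before the path is normalised.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit, urlunsplit

# Hosts the application is permitted to build URLs for or redirect to.
# Assumed for this example; the real allowlist is not in the write-up.
ALLOWED_HOSTS = {"www.redact.com"}


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' after percent-decoding, so that
    '/../..', '/%2e%2e/' and a backslash-separated '..\\' are all caught
    before any normalisation could silently swallow them."""
    decoded = unquote(path)
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def validate_target(url: str) -> Optional[str]:
    """Return a canonical https URL on an allowed host, or None to reject.

    Rejects: non-https or scheme-relative values, hosts outside ALLOWED_HOSTS
    (including 'allowed@evil' userinfo tricks), explicit ports, malformed
    ports, and any traversal segment. Only a value that passes every check
    is normalised and rebuilt; nothing is "repaired" for the caller.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS or parts.username or parts.password:
        return None
    try:
        if parts.port is not None:
            return None
    except ValueError:  # e.g. 'https://www.redact.com:abc/'
        return None
    if has_traversal(parts.path):
        return None
    path = posixpath.normpath(parts.path) if parts.path else "/"
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    # Fragments are dropped: they never reach the server anyway.
    return urlunsplit(("https", host, path, parts.query, ""))


if __name__ == "__main__":
    for candidate in (
        "https://www.redact.com/cart?sku=0000000",
        "https://www.redact.com/../../../../../../",
        "https://www.redact.com/%2e%2e/%2e%2e/cart",
        "https://api.redact.com/numericalvalue/cart/list.ext?id=",
        "https://www.redact.com@evil.example/cart",
    ):
        print(candidate, "->", validate_target(candidate))
```

The key design choice is to reject rather than normalise: posixpath.normpath would quietly turn “/../../../../../../” into “/”, which hides the probe from logs and tells an attacker nothing went wrong, whereas a hard rejection both stops the request and is easy to alert on.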
Here goes the magic spell!!
I checked its response and found 👾 excessive data: the products’ distinct coupon codes, their IDs, and the clients who had received personalized discounts were all exposed.
Then I simply copied one of the coupon codes and entered it during checkout, and I got the discount on the product. I tried each and every coupon code and finally found one that 👾 “offers 100% discount”. I applied it in the coupon field and the price instantly changed to 000.00 for their Pro product, so I was able to purchase it free of cost!
For reporting this vulnerability I was 🎯 awarded $500 💰 and received appreciation from the client as well!
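Two server-side mistakes combine here: the cart listing serialises whole records (the excessive data exposure described above), and the checkout accepts any valid-looking code regardless of who it was issued to. The following added example, written for this write-up and not taken from Redact.com, shows both the leaky listing next to an allowlisted one and a coupon check that refuses a code unless it was issued to the requesting client. All products, prices, codes and client IDs are constructed sample data.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Coupon:
    code: str
    percent_off: int
    issued_to: str  # client id the personalised discount was issued to


@dataclass
class Product:
    sku: str
    name: str
    price: float
    coupons: List[Coupon] = field(default_factory=list)


# Constructed sample data; the real codes, SKUs and prices are not in the write-up.
PRO = Product("PRO-0001", "Pro", 99.00, [
    Coupon("SAVE10-EXAMPLE", 10, "client-a"),
    Coupon("FREE100-EXAMPLE", 100, "client-b"),
])

# The only fields a caller of the cart listing is entitled to see.
PUBLIC_FIELDS = ("sku", "name", "price")


def list_cart_leaky(product: Product) -> dict:
    """Vulnerable: serialises the whole record, so every coupon code and the
    client it was personalised for goes to whoever can reach the endpoint."""
    return {
        "sku": product.sku,
        "name": product.name,
        "price": product.price,
        "coupons": [vars(c) for c in product.coupons],
    }


def list_cart_safe(product: Product) -> dict:
    """Hardened: only the allowlisted fields leave the server. Adding a new
    attribute to Product does not expose it until it is added here too."""
    return {name: getattr(product, name) for name in PUBLIC_FIELDS}


def apply_coupon(product: Product, code: str, client_id: str) -> Optional[float]:
    """Return the discounted price, or None if the coupon is unknown or was not
    issued to this client. compare_digest keeps the code comparison constant
    time; the issued_to check is what stops a leaked code from being reused."""
    for coupon in product.coupons:
        if hmac.compare_digest(coupon.code, code) and coupon.issued_to == client_id:
            return round(product.price * (100 - coupon.percent_off) / 100, 2)
    return None


if __name__ == "__main__":
    print("leaky listing:", list_cart_leaky(PRO))
    print("safe listing: ", list_cart_safe(PRO))
    print("right client: ", apply_coupon(PRO, "FREE100-EXAMPLE", "client-b"))
    print("wrong client: ", apply_coupon(PRO, "FREE100-EXAMPLE", "client-a"))
```

Even with the listing fixed, the coupon binding matters on its own: codes leak through support tickets, screenshots and mailing lists too, so a code should never be the only thing that authorises a 100% discount.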
Happy to secure !
Thank you 🙏🏻