How I Earned $$$ for Excessive Data Exposure Through Directory Traversal Leads to Product Price Manipulation

Mohamed Shibil
3 min readMar 3, 2023

--

Hi Folks 👋,

This is my second small write-up✍️. This time I am writing about the first bounty I received from a private program. Let’s say our domain name called Redact.com

API3:Excessive Data Exposure

Excessive data exposure is a vulnerability that occurs when sensitive data is exposed to an unauthorized user or application. This can include data such as passwords, credit card numbers, social security numbers, and other personal information. This type of vulnerability can occur when an application is not properly configured to limit access to sensitive data, or when an application does not properly encrypt the data before it is stored or transmitted. This can allow malicious actors to gain access to data that should be kept private.

Source

Since Redact.com having Medium scope, I started with subdomain enumeration and among them only a few was in scope and rest belongs to third party domains.

Coming to the main application, I went through the each functionality to get an idea how the application works.

Attack Scenario: 🛠

They have couple of products in the application which is used to organize the documents. So I thought of checking their Product Purchasing Flow.

First I fire up Burp suite then select a product and added to cart by intercepting the cart requests. I checked each request’s responses but didn’t find anything interesting. After going through all the requests I am done for that day 🌃 !

Very next day with a fresh mind again I focused on the same scenario carefully. Then I noticed one of the requests among adding to cart has a parameter base

base=https://www.redact.com

and another parameter next in the URL !

next=https://www.redact.com/cart?sku=0000000

Then I was started to playing with these parameters one after another to find something special. Interestingly the base parameter was unlocked by throwing at “ /../../../../../../ ” payload via simple Directory Traversal !!

This landed us to another subdomain which exposed the Sensitive Information in JSON format 🔎

https://api.redact.com/numericalvalue/cart/list.ext?id=

Here goes the Magic Spell ! !

Excessive Data Exposed

I checked its response and found 👾 Excessive data including the product’s distinct coupon codes, id, Clients who received personalized discount was exposed.

Then what I did was, just copied one of the Coupon code and entered the same code during check out and I got the discount to purchase the product. I tried each and every coupon code and finally got a Coupon code which 👾 “offers 100% discount” and I applied that code in the coupon code. Instantly the price changed to 000.00 for their Pro Product. So I can able to purchase it Free of cost!

After Applying the 100% Coupon code for purchasing pro edition

For reporting this vulnerability, I’ve been 🎯 awarded with $500 💰 and got the appreciation from the client as well !

Bounty Received !

Happy to secure !

Thank you 🙏🏻

--

--