[Leak] Can I take the user information, please?!!

-

Hi again it's me :P,  I found a cool bug on a private program I wanna share with you.

 Like every time I start testing on a target I opened my Burp Suite and start visit every link and send a requests to the website to collect the endpoints, and paths and when I try to add a user on my account I write test on the name and I found that the page send an automatic request to an endpoint to check if this username available or not the endpoint form is

 https://target.com/api/user/endpoint_name?q=

the value of username which you write on the input field will be added to the q parameter and the server will send a post request to the endpoint the problem here is the response which gives me a lot of information about this username like email, phone number, UUID, company's information, and a lot of other information almost all of the account information except password, it was cool for me but it's not very cool because I should get the username to get this information I continue testing and get some endpoints I found a very coooooooooool thing another parameter on the same endpoint which is size you give it a size of output information what this means? if my output is 1000 I just wanna see 10 outputs now I will use this parameter like that size=10 it will show just 10 outputs, not all 1000 what is the cool thing here? the cool thing is when I set the q parameter empty and give the endpoint a size it will respond with users' information too if I give the size parameter a value 100 the endpoint will response with 100 users information like I said before almost all information of the account, it was a cool bug I like it so much :P, so if I used this link to get the information

 https://target.com/api/user/endpoint_name?q=&size=100


in the end, I hope this is good for you and thanks for reading my topic, Goodbye.

Comments

  1. UnknownNovember 9, 2019 at 9:18 PM

    hi. my name is mehdi. i read write-up in CTF write-up.
    it is very good. you are professional. well done. may you help me.
    my job is penetration tester but i am not professional. i have knowledge in information security and web security and mobile security. i want become professional in bug-bounty. please help me.

    ReplyDelete
    Replies
    1. FlexApril 4, 2020 at 1:12 AM

      you can talk with me here https://www.facebook.com/flex0geek

      Delete

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Let's Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more