Easy Money from the Most Trivially Easy Broken Access Control
Hello, I am Abda11aTarek. Some of my friends have asked me how I achieved a listing in the Top 10 on Bugcrowd’s leaderboard for P1 and P2 vulnerabilities in November 2023. I want to show that bug hunting is not difficult: even if you are just starting in this field, you can find vulnerabilities and earn money. So I am writing a write-up about the most trivially easy broken access control vulnerability I have encountered.
I can’t describe the real site, because its policy doesn’t permit write-ups about any vulnerability, even after it has been resolved. Therefore, I created a hypothetical site to demonstrate the vulnerability.
Let’s assume our website is named AnimeHunter.com, and to access and watch anime, one needs to be a premium user. Upon opening the site, this is what we see:
Notice anything interesting? The content of every anime is retrieved regardless of who is logged in; it is right there in the page source. So, what’s happening here?
After intercepting the requests, I found that the content is returned to the browser first, and only then does the page send a request to a third-party service with the user’s information. That service checks whether the user is premium, and if not, the page blocks access to the content. The access decision is made on the client, after the server has already handed over the content.
And this is the third-party request:
So, I simply dropped every request sent to the third party, and I could then use the web application as a premium user. XD
This is the most trivially easy broken access control vulnerability I’ve encountered.
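To make the flaw concrete, here is an added example that models the flow described above, alongside the server-side fix; it is not code from the original post or from the site in question. The user records, the `ep-1` episode, the stream URL and the `entitlementService` function are all constructed stand-ins for the real premium check. The vulnerable path returns the content before asking the entitlement service, so a client that simply never completes that second request keeps the content; the hardened path asks the entitlement service on the server before anything is released, so there is no client-side request to drop.

```javascript
// Constructed sample data: two users and one premium episode.
const USERS = {
  alice: { premium: true },
  bob: { premium: false },
};
const EPISODES = {
  "ep-1": { title: "Episode 1", streamUrl: "https://cdn.animehunter.example/ep-1.m3u8" },
};

// Stand-in for the third-party entitlement service (assumption: it only
// answers "is this user premium?").
function entitlementService(userId) {
  const user = USERS[userId];
  return { premium: !!user && user.premium === true };
}

// --- Vulnerable design: content is served to anyone, gating happens in the page ---

// The content endpoint performs no authorization check at all.
function vulnerableGetEpisode(userId, episodeId) {
  return { status: 200, content: EPISODES[episodeId] || null };
}

// The page fetches the content, then calls the entitlement service and hides
// the player if the user is not premium. `dropEntitlementRequest` models the
// attacker dropping that second request in an intercepting proxy.
function vulnerableClientRender(userId, episodeId, { dropEntitlementRequest = false } = {}) {
  const { content } = vulnerableGetEpisode(userId, episodeId);
  if (!content) return { rendered: false, streamUrl: null };
  if (!dropEntitlementRequest) {
    const { premium } = entitlementService(userId);
    if (!premium) return { rendered: false, streamUrl: null };
  }
  // Either the user is premium, or the check simply never ran: content is shown.
  return { rendered: true, streamUrl: content.streamUrl };
}

// --- Hardened design: the server consults the entitlement service first ---

// Authorization happens before the content leaves the server, so a
// non-premium user never receives the stream URL in any response.
function hardenedGetEpisode(userId, episodeId) {
  const { premium } = entitlementService(userId);
  if (!premium) return { status: 403, content: null };
  const episode = EPISODES[episodeId];
  if (!episode) return { status: 404, content: null };
  return { status: 200, content: episode };
}

// The page has nothing to enforce; it can only display what the server returned.
function hardenedClientRender(userId, episodeId) {
  const resp = hardenedGetEpisode(userId, episodeId);
  if (resp.status !== 200) return { rendered: false, streamUrl: null };
  return { rendered: true, streamUrl: resp.content.streamUrl };
}
```

The check to look for during testing is whether the protected resource is present in the first response, before any entitlement lookup fires. If it is, the authorization is decorative: dropping, blocking or editing the later request in a proxy is enough to bypass it.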