
How I Scored 2K Bounty via an Easy IDOR

Sicksec

Finding bugs in production. Breaking APIs for fun. Passionate about Web Security, API Testing, GraphQL, and REST APIs.

Hello Security Researchers

In this writeup I will talk about how I was able to find an IDOR in one of the largest Russian companies, none other than Mail.ru. Approaching targets with a huge scope can be frustrating sometimes since you don’t know where to start. For me, I started looking in the main scope of Mail.ru Games:

  1. I fired up Burp
  2. Created an account
  3. Added things to my cart
  4. Viewed the blog
  5. Created a support ticket

Before testing anything, the ticket link looked kind of suspicious since it had /ticket/INTEGER

[Image: ticket]

Let’s break down what can go wrong here. We have a few parameters, project_id/user_id/sign, and the ticket number. The first thing I did was to remove the sign, which is the signature, and see if I could access it from an unauthenticated browser.

This looks too easy, no way that works, right?!!


Well, you’re wrong, it worked: I was able to see my ticket, the conversation with the agent, and also any attached file. I could also speak in the conversation as an anonymous user 😁

Further testing showed that changing the ticket number allowed viewing others’ tickets, and changing the user_id allowed viewing the other tickets of that matched ID.

I went and wrote up a good report with my friend, and it was triaged within minutes and paid after a few days.

[Image: bounty]

Takeaways

  • Don’t be afraid of diving into the main app; it’s where all the juicy things exist
  • Never underestimate yourself when finding bugs; everyone has a unique view of the target
  • Don’t be discouraged if you didn’t find a bug today; tomorrow you will

I hope you enjoyed reading this and I will catch you in the next one

Stay curious ❤
