Business Logic Flaw in Curve App [Bug Bounty]

Hi. Here comes another write-up on one of my bug bounty findings (this issue has already been fixed and publicly disclosed). This time it's about "Business Logic Flaws". Whenever I target an application, looking for "Business Logic Flaws" is one of the top 5 attacks on my checklist.

Note: I want to explain this vulnerability in a more descriptive way, with snapshots, a video POC, etc., so this could be a slightly longer write-up.

I spent many days just understanding the application, and then one fine day I decided to start testing it rigorously. As I said, "Business Logic Flaws" is on my top 5 checklist, so I started fuzzing the entire application, but with no luck. My backup plan was to read the application documentation thoroughly and then fuzz accordingly. The point below caught my eye:

My first thought was: why can't I add more than 3 retailers on the "Curve Blue" scheme? So I started building my test case. Below is the functionality where a user can select 3 retailers at a time; once you confirm them, you have no option to switch to other retailers (in the Curve Blue and Black schemes in particular).

Navigate to the "Earn Curve Cash" tab
You can view all your selected retailers here

When you hit "See Retailers", the endpoint below is triggered, and the response lists all your selected retailers.

Vulnerable Request
Response

Below is the list of retailers I had already confirmed in my account, which is on the "Curve Blue" scheme.

List of selected retailers

My plan was to bypass the retailer limit and add more retailers to my account, so I went back and intercepted the request and response above again.

Intercepting vulnerable request again

I modified the previously shown response content as below and turned interception off:

Modified response

Shockingly, I was able to select retailers again, even after confirmation. The app only hid the retailer picker based on what the server's response said, and the server itself accepted a fresh selection.

Selecting retailers again
Confirming new retailers

I was not able to bypass the retailer limit itself, but by repeating this I could use all the retailers associated with the Curve app and earn cashback at every one of them.

List of modified retailers
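To make the flaw concrete, here is a small model of the server logic behind a "pick 3 retailers, then lock" scheme. This is an added example, not the author's code and not Curve's implementation; the service classes, the `confirmed` flag, the retailer identifiers and the cashback accounting are all assumptions used to illustrate the pattern. The vulnerable service enforces the count limit (which is why the limit could not be bypassed) but never re-checks its own confirmation state on a new selection, so a client that has been shown a forged "unconfirmed" response can simply pick again. The hardened variant refuses the second selection on the server, regardless of what the client believes.

```python
# Added example (not the author's or Curve's code). Models a "select up to 3
# retailers, then lock" scheme and shows why a confirmation flag the server
# sets but only the client honours is not a control. All names are assumed.

MAX_RETAILERS = 3

# Constructed catalogue of retailer identifiers; not Curve's real retailer list.
CATALOGUE = {"r1", "r2", "r3", "r4", "r5", "r6"}


class VulnerableRetailerService:
    """The server sets 'confirmed' but never checks it when a new selection arrives."""

    def __init__(self):
        self.selected = set()
        self.confirmed = False
        self.cashback_earned = set()  # retailers at which cashback was actually paid

    def see_retailers(self):
        # Response to the "See Retailers" call. The client hides the picker
        # whenever confirmed is true; nothing else stops a re-selection.
        return {"retailers": sorted(self.selected), "confirmed": self.confirmed}

    def select(self, retailers):
        chosen = set(retailers)
        if not chosen <= CATALOGUE:
            raise ValueError("unknown retailer")
        if len(chosen) > MAX_RETAILERS:
            raise ValueError("retailer limit exceeded")  # this limit IS enforced
        self.selected = chosen  # silently replaces the confirmed set
        self.confirmed = True
        return self.see_retailers()

    def purchase(self, retailer):
        # Cashback is granted for whichever retailers are selected right now.
        if retailer in self.selected:
            self.cashback_earned.add(retailer)
            return True
        return False


class HardenedRetailerService(VulnerableRetailerService):
    """Same logic, but the server refuses a second selection once confirmed."""

    def select(self, retailers):
        if self.confirmed:
            raise PermissionError("selection already confirmed for this period")
        return super().select(retailers)


def client_picker_enabled(response):
    # What the app does with the response: show the picker only if unconfirmed.
    return not response["confirmed"]


def tamper(response):
    # The intercepting-proxy step: rewrite the server's response before the
    # client sees it, so the app shows the picker again.
    forged = dict(response)
    forged["confirmed"] = False
    return forged


def run_attack(service):
    """Select 3 retailers, buy at each, forge the response, select the other 3,
    buy again. Returns (retailers that earned cashback, second select accepted)."""
    service.select(["r1", "r2", "r3"])
    for r in ("r1", "r2", "r3"):
        service.purchase(r)
    forged = tamper(service.see_retailers())
    accepted = False
    if client_picker_enabled(forged):
        try:
            service.select(["r4", "r5", "r6"])
            accepted = True
        except PermissionError:
            accepted = False
    for r in ("r4", "r5", "r6"):
        service.purchase(r)
    return sorted(service.cashback_earned), accepted


def limit_enforced(service):
    """True if asking for more than MAX_RETAILERS is rejected server-side."""
    try:
        service.select(["r1", "r2", "r3", "r4"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableRetailerService()))
    print("hardened:  ", run_attack(HardenedRetailerService()))
    print("limit enforced:", limit_enforced(VulnerableRetailerService()))
```

The point of the comparison is that the count check and the lock check live in different places: the count is validated inside `select`, so no amount of response tampering changes it, while the lock only existed in the client. Any state transition the business rules say is one-way (confirm, lock, redeem) has to be re-validated on the server at the moment a request tries to reverse it.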

Curve marked this issue as medium severity and rewarded it with $500, plus another $500 bonus ($1000 in total).

Conclusion: There's only one way. Understand the application thoroughly, and then start fuzzing around.

Below is the disclosed report URL and video POC link:

Hackerone: https://hackerone.com/reports/672487

Video POC: https://www.youtube.com/watch?v=PL-doW_xNTo

Hope you liked it :) Signing off
