Hi. Here comes another write-up on one of my bug bounty findings (this issue has already been fixed and publicly disclosed). This time it's about "Business Logic Flaws". Whenever I target an application, looking for "Business Logic Flaws" is one of the top 5 items on my checklist.
Note: I want to explain this vulnerability in a more descriptive way, with screenshots, a video PoC, etc., so this could be a slightly longer write-up.
I spent many days just understanding the application, and then one fine day I decided to start testing it rigorously. As I said, "Business Logic Flaws" is one of the items on my top 5 checklist. So I started fuzzing the entire application, but no luck. My backup plan was to read the application documentation thoroughly and then fuzz accordingly. The point below caught my eye, i.e.,
In my mind: why can't I add more than 3 retailers in the "Curve Blue" scheme? So I started implementing my test case. Below is the functionality: a user can select 3 retailers at a time, and once you confirm them you have no chance to switch to other retailers (especially in the Curve Blue & Black schemes).
When you hit "See Retailers", the endpoint below is triggered and its response lists all of your selected retailers.
Below is the list of retailers I had already confirmed on my account, which is on the "Curve Blue" scheme.
My plan was to bypass the retailer limit and add more retailers to my account. So I went back and intercepted the above request and response again.
I modified the response shown above to the following and turned interception off:
Shockingly, I was able to select the retailers again even after confirmation.
I did not manage to bypass the retailer limit itself, but I was able to use all the retailers associated with the Curve app and claim cashback on every one of them. In other words, the post-confirmation lock was only enforced by the client, based on that response; the server still accepted a fresh selection request.
Curve rated this issue as medium and rewarded $500 plus a $500 bonus (total $1000).
Conclusion: There's only one way... understand the application thoroughly and then start fuzzing around.
Below are the disclosed report URL and the video PoC link:
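To make the pattern concrete, here is an added example (my own illustration, not Curve's code or anything from the disclosed report) modelling a "select retailers" endpoint two ways. The retailer names, the `Account` class, the function names and the 3-retailer limit are assumptions for the model. The vulnerable version enforces the limit but leaves the confirmation lock to the UI, which reads a `locked` flag from the "See Retailers" response; the hardened version checks the lock against server-side state, so editing the response changes nothing.

```python
"""Hypothetical model of a retailer-selection endpoint (added example).

The "See Retailers" response carries a `locked` flag that the UI uses to
hide the picker after confirmation.  If that is the only place the lock
lives, a tester who edits the response (or just replays the selection
request) can keep re-picking retailers.  The fix is to check the
confirmation state on the server for every selection request.
"""
from dataclasses import dataclass, field

MAX_RETAILERS = 3  # the per-selection limit described in the write-up

# Constructed sample catalogue; placeholder names, not real Curve retailers.
CATALOGUE = {"R1", "R2", "R3", "R4", "R5", "R6"}


@dataclass
class Account:
    selected: set = field(default_factory=set)
    confirmed: bool = False           # server-side record that the choice is locked
    ever_selected: set = field(default_factory=set)  # every retailer cashback was earned on


def see_retailers(acct: Account) -> dict:
    """The 'See Retailers' response; the UI hides the picker when `locked` is true."""
    return {"retailers": sorted(acct.selected), "locked": acct.confirmed}


def validate_choice(retailers: set) -> None:
    """Limit and catalogue checks, shared by both endpoint variants."""
    if not retailers <= CATALOGUE:
        raise ValueError("unknown retailer")
    if len(retailers) > MAX_RETAILERS:
        raise ValueError("retailer limit exceeded")


def select_vulnerable(acct: Account, retailers: set) -> dict:
    """Enforces the limit but never consults the confirmation state, so a
    client that simply sends the request again can re-pick retailers."""
    validate_choice(retailers)
    acct.selected = set(retailers)
    acct.ever_selected |= acct.selected
    return see_retailers(acct)


def select_hardened(acct: Account, retailers: set) -> dict:
    """Same endpoint, but the lock is checked against server-side state."""
    if acct.confirmed:
        raise PermissionError("selection already confirmed")
    validate_choice(retailers)
    acct.selected = set(retailers)
    acct.ever_selected |= acct.selected
    return see_retailers(acct)


def confirm(acct: Account) -> dict:
    """Lock the current selection; after this the UI stops offering the picker."""
    if not acct.selected:
        raise ValueError("nothing to confirm")
    acct.confirmed = True
    return see_retailers(acct)


def replay(select) -> Account:
    """Simulate the tester: confirm three retailers, then send a fresh
    selection directly, as if `locked` had been edited out of the response."""
    acct = Account()
    select(acct, {"R1", "R2", "R3"})
    confirm(acct)
    try:
        select(acct, {"R4", "R5", "R6"})  # the UI would refuse; the request is sent anyway
    except PermissionError:
        pass  # only the hardened endpoint gets here
    return acct


if __name__ == "__main__":
    weak, strong = replay(select_vulnerable), replay(select_hardened)
    print("vulnerable endpoint: cashback earned on", len(weak.ever_selected), "retailers")
    print("hardened endpoint:   cashback earned on", len(strong.ever_selected), "retailers")
```

The point of the two variants is that the limit check alone is not the control that matters here; the server has to own the "confirmed" state and refuse further selections itself, rather than relying on a flag it merely echoes back for the UI to act on.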
Video POC: https://www.youtube.com/watch?v=PL-doW_xNTo
Hope you like it :) Signing off