Hi, I am going to share one of my recent bug bounty findings (this issue has already been fixed).
While performing recon on the Curve program, instead of concentrating on the .apk or .ipa of the Curve app, I focused on the web app, which is a completely static site. Even so, I tried to perform recon on the website.
The tools used were:
- Burp Suite
- JS Link Finder (Burp Extension)
First, I crawled throughout the website with the Burp JSLinkFinder extension enabled and gathered all the paths and links from the tool's output. I tried hitting all the links/paths from JSLinkFinder one by one and found two interesting endpoints, "/credit?rc=" and "/usa?rc=". Neither of these endpoints is reachable anywhere at the website's UI level.
Both endpoints offer two functions: "Join Waitlist" and "Track Position".
You can join the waitlist by entering your name, email, mobile number and ZIP code.
After submitting your details, you can track your application position by entering your email ID under "Track Position".
After you enter your email address, the application responds with your application position number. Note that no PII is shown at the UI level; only the position number is displayed.
So I decided to test this endpoint, guessing that there might be a chance of a sensitive information leak.
Below are the steps to reproduce:
- Navigate to https://curve.com/usa and click on "Track Position"
- Enter any email address and click on "Submit"
- Make sure to intercept the request using Burp intercept
- You'll be presented with the below vulnerable request
POST /api/waitlist/us HTTP/1.1
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Accept-Encoding: gzip, deflate
- Now send the above vulnerable request to Burp Intruder and brute force the email parameter
- You'll now be able to retrieve all the waitlisted users' mobile numbers, IDs, addresses and other sensitive information from the responses.
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
strict-transport-security: max-age=15552000; includeSubDomains
x-xss-protection: 1; mode=block
date: Fri, 19 Jun 2020 09:41:26 GMT
X-Cache: Miss from cloudfront
Via: 1.1 1671dd64160321b1f8979341944a5b14.cloudfront.net (CloudFront)
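To make the root cause concrete, here is an added example (my own code, not Curve's code or the original write-up's) that models the "Track Position" lookup twice: once the way the write-up describes it, where the handler echoes the whole stored record for any email you submit, and once hardened so that only the position field leaves the server and repeated lookups from one client are throttled. The in-memory waitlist, the wordlist, the client IPs and the request body shape (a JSON object with an "email" key) are all constructed assumptions; the page only shows the request line and headers, not the body. The enumerate_emails function replays the Intruder step offline against either handler so you can see what each one hands back.

```python
import json
from collections import defaultdict

# Constructed sample waitlist. These records are made up for the example and
# are not data from the program described in the write-up.
WAITLIST = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "mobile": "+15550000001", "zip": "10001", "position": 1},
    {"id": 1002, "name": "Bob Example", "email": "bob@example.com",
     "mobile": "+15550000002", "zip": "94105", "position": 2},
    {"id": 1003, "name": "Carol Example", "email": "carol@example.com",
     "mobile": "+15550000003", "zip": "60601", "position": 3},
]

SAFE_FIELDS = {"position"}  # the only field the "Track Position" UI actually renders


def find_entry(email):
    """Case-insensitive lookup of a waitlist record by email (assumed behaviour)."""
    email = email.strip().lower()
    for entry in WAITLIST:
        if entry["email"].lower() == email:
            return entry
    return None


def track_position_vulnerable(body, client_ip):
    """Leaky handler: any caller who supplies a matching email gets the whole
    stored record back. The UI only renders `position`, so the leak is
    invisible in the browser but plain to see in the raw response."""
    email = json.loads(body).get("email", "")
    entry = find_entry(email)
    if entry is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(entry)


# Per-client attempt counter standing in for a real rate limiter (assumed design).
MAX_LOOKUPS_PER_CLIENT = 5
_attempts = defaultdict(int)


def track_position_fixed(body, client_ip):
    """Hardened handler: returns only the position field and throttles
    repeated lookups from one client so the email parameter cannot be
    brute-forced at Intruder speed."""
    _attempts[client_ip] += 1
    if _attempts[client_ip] > MAX_LOOKUPS_PER_CLIENT:
        return 429, json.dumps({"error": "too many requests"})
    email = json.loads(body).get("email", "")
    entry = find_entry(email)
    if entry is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps({k: entry[k] for k in SAFE_FIELDS})


def enumerate_emails(handler, wordlist, client_ip="203.0.113.10"):
    """Replays the Intruder step offline: submit each candidate email to the
    handler and keep every 200 response body, the way Intruder's results
    table would."""
    harvested = {}
    for candidate in wordlist:
        status, resp = handler(json.dumps({"email": candidate}), client_ip)
        if status == 200:
            harvested[candidate] = json.loads(resp)
    return harvested


def leaked_fields(harvested):
    """Union of response fields beyond the one the UI needs, i.e. the PII exposure."""
    fields = set()
    for record in harvested.values():
        fields.update(record)
    return fields - SAFE_FIELDS


if __name__ == "__main__":
    # Constructed wordlist: a few guesses plus the three emails that are on the list.
    wordlist = ["alice@example.com", "admin@example.com", "test@example.com",
                "bob@example.com", "dave@example.com", "carol@example.com"]
    for name, handler in (("vulnerable", track_position_vulnerable),
                          ("fixed", track_position_fixed)):
        got = enumerate_emails(handler, wordlist)
        print(f"{name}: {len(got)} hits, extra fields leaked: {sorted(leaked_fields(got))}")
```

Run against the vulnerable handler, the wordlist harvests every matching record in full (id, name, email, mobile, zip); against the fixed handler the same wordlist yields position numbers only, and the sixth lookup from the same client is refused with 429. The two changes are independent: minimizing the response fixes the leak even without the limiter, and the limiter on its own would only slow the harvest, not stop it, so field minimization is the one that matters for this bug class.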
I also tried the other endpoint, i.e. "/credit?rc=", but NO LUCK: its response only gives you the position number and dates, with no PII.
This issue was marked as "Medium" severity and rewarded $1500.
Video POC: https://www.youtube.com/watch?v=Kf2FiG9E6hM
Hope you like this write up :)