
Recently Discovered Several Bugs in a Private Program

Raihan Biswas
2 min read · Mar 3, 2024

Hello hackers, I’m Raihan, also known as zapstiko on the Internet. I’m from India, and I recently discovered several bugs in a private program.

Bug Names

  1. Hard-coded credentials found in a JS file
  2. Information disclosed in a response
  3. Insecure Direct Object Reference (IDOR)

Finding Section

Before I start hunting on any program, I use the Debugger in Firefox to analyze the JS files. While examining the JS file, I discovered hard-coded credentials, but they were encoded, and I could see that the encoding was Base64. To confirm, I opened a new tab, searched for CyberChef, copied the hard-coded credentials from the JS file and pasted them in. After decoding the credentials, I tried to log in and, luckily, it worked: I was logged in as a regular user. I then tried several bugs on the login form, such as SQLi, auth bypass, XSS and username enumeration, but sadly none of them worked.

A few hours later, all of a sudden I had an idea. I am aware that requests sometimes don’t reveal hidden parameters. That’s why I captured the login request with the valid credentials in Burp Suite, turned on “Do intercept” and forwarded the requests one by one. It wasn’t getting interesting, but I discovered the endpoint “profile.php”, sent it to Repeater and used “Param Miner” to look for a parameter. Fortunately, I found the parameter “userid”, sent the request to Intruder and brute-forced it with the values 1–100, and saw that the response came back “200 OK”. I sent it to Repeater and, boom! Admin information was showing in the response. I stopped thinking and was thrilled to write a report and send it to the company. After finishing, I went back over every step of the process and remembered that I had logged in with a regular user’s credentials, yet had found an admin’s information through a parameter. After a while I smiled to myself, changed the “userid” value from “1” to “5”, and received yet another user’s information, which I reported as another bug (IDOR).
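For defenders, the root cause of both the information disclosure and the IDOR above is a profile endpoint that trusts a client-supplied “userid” with no object-level authorization. The following is an added example, not code from the original write-up or the affected program; the handler names, the `Session` type and the `PROFILES` table are hypothetical, and the data is constructed. It replays the 1–100 sweep against a handler that mirrors the bug and against a hardened one.

```python
"""Added example (hypothetical names, constructed data): object-level
authorization for a profile lookup, compared against the IDOR pattern."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample data standing in for the application's user table.
PROFILES = {
    1: {"username": "admin", "role": "admin", "email": "admin@example.test"},
    5: {"username": "ops", "role": "admin", "email": "ops@example.test"},
    42: {"username": "regular", "role": "user", "email": "user@example.test"},
}

# Denied cross-user reads, kept for detection: a burst of these from one
# session is the signature of the Intruder sweep described in the write-up.
AUDIT: List[Tuple[int, int]] = []  # (session user id, requested id)


@dataclass
class Session:
    user_id: int  # identity established at login, never taken from the request
    role: str


def profile_vulnerable(session: Session, userid: int) -> Optional[dict]:
    """Mirrors the bug: the hidden 'userid' parameter is trusted outright."""
    return PROFILES.get(userid)


def profile_fixed(session: Session, userid: Optional[int] = None) -> Optional[dict]:
    """A user may read only their own record; only an admin session may read
    another id. Forbidden and missing ids both yield None so the response
    does not reveal which ids exist."""
    target = session.user_id if userid is None else userid
    if target != session.user_id and session.role != "admin":
        AUDIT.append((session.user_id, target))
        return None
    return PROFILES.get(target)


def enumerate_readable(handler: Callable[[Session, int], Optional[dict]],
                       session: Session, ids: Iterable[int]) -> List[int]:
    """Replay the 1-100 sweep and return the ids that came back with data."""
    return [i for i in ids if handler(session, i) is not None]


if __name__ == "__main__":
    regular = Session(user_id=42, role="user")
    print("vulnerable:", enumerate_readable(profile_vulnerable, regular, range(1, 101)))
    print("fixed:     ", enumerate_readable(profile_fixed, regular, range(1, 101)))
    print("denied attempts logged:", len(AUDIT))
```

With the hardened handler the regular session only ever sees its own record, and the 99 denied reads land in `AUDIT`, which is the signal an alert on repeated authorization failures per session should key on.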

We appreciate you reading this article, and if you have any questions, please ask. I’m mostly active on LinkedIn and Twitter.
