Writeup - Easy 130$ Bounty: User to Admin

Like all bug hunters, I am always hunting. While I watch YouTube or a movie, my terminal is fuzzing. If I search for anything on the internet and a website behaves unusually, that adds another hour to my night shift :). That night I came across a movie review site and immediately started checking the key functions of the site: register, login, logout, update profile and so on. As you can imagine, this is a very fast process, because you expect nothing more than a small hint. But this time was different: it was too fast, too easy and too good. There are 3 easy steps to this bug and I believe everyone here can execute them, but maybe you believe this kind of bug is not seen in real life. (I thought the same until I found this one.) Let's step up and start.

1- Register and Login





This is a normal register request with 3 fields (username, email and password), but the host was the api subdomain. After successful registration I logged in, and the login response was:



Yes. We have to inject "role":"ADMIN" somewhere :).

2- Register with Admin role:

I registered on the site again with this request from Burp Suite.


We got no error; the response was 201.


But when I logged in, the role was still USER. Then I went to the profile page to check the update function.

3- Update profile and inject role parameter

I updated my profile, and this was the normal request.



The host is api.redacted.com/v2/users/<user_id>. The JSON fields themselves were not important, but this request was the one to use for injection. So I added

"role":"ADMIN", and hit enter.




Yes. It really worked, and I wasn't expecting it. Suddenly I could reach every admin function. It was a very high impact bug. But this site was not under a bug bounty program, so I found all the admin accounts and sent them an email about this bug along with a detailed :) bug report. I was expecting nothing, because most website owners don't care: they just fix the bug and never answer the mail. But this time was different. They responded very quickly and mailed me something like:
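The root cause behind both step 2 and step 3 is mass assignment: the API copies every JSON key from the request onto the user record, so a client-supplied "role" ends up stored. The following is an added example of my own (not the site's code) that puts the vulnerable pattern next to an allow-list filter for the PUT /v2/users/<user_id> handler; the field names and the USER/ADMIN role values follow the writeup, while the exact set of user-writable fields is an assumption.

```python
# Mass-assignment fix illustrated: an allow-list for PUT /v2/users/<user_id>.
# The field names and the roles "USER"/"ADMIN" follow the writeup; the exact
# set of user-writable fields below is an assumption for this example.

USER_WRITABLE_FIELDS = {"username", "email", "password"}
PRIVILEGED_FIELDS = {"role"}          # only changeable by an admin


class ForbiddenFieldError(Exception):
    """Raised when a request tries to set a field the caller may not touch."""


def filter_profile_update(body: dict, caller_role: str) -> dict:
    """Return only the fields the caller is allowed to apply to a profile.

    Unknown keys, and privileged keys sent by a non-admin, are rejected
    loudly rather than silently dropped, so the attempt can be logged.
    """
    keys = set(body)
    unknown = keys - USER_WRITABLE_FIELDS - PRIVILEGED_FIELDS
    if unknown:
        raise ForbiddenFieldError(f"unexpected field(s): {sorted(unknown)}")
    if keys & PRIVILEGED_FIELDS and caller_role != "ADMIN":
        raise ForbiddenFieldError(
            f"non-admin attempted to set {sorted(keys & PRIVILEGED_FIELDS)}")
    allowed = USER_WRITABLE_FIELDS | (PRIVILEGED_FIELDS if caller_role == "ADMIN" else set())
    return {k: v for k, v in body.items() if k in allowed}


def vulnerable_update(user: dict, body: dict) -> dict:
    """The pattern behind the bug: every JSON key is copied onto the record."""
    user.update(body)
    return user


def hardened_update(user: dict, body: dict, caller_role: str) -> dict:
    """Same update, but the body passes through the allow-list first."""
    user.update(filter_profile_update(body, caller_role))
    return user


# Constructed sample: the injected request body from step 3 of the writeup.
SAMPLE_BODY = {"username": "hunter", "email": "h@example.com", "role": "ADMIN"}


def demo() -> tuple:
    """Run both handlers on the sample; returns (vulnerable_role, hardened_error)."""
    vuln = vulnerable_update({"id": 42, "role": "USER"}, dict(SAMPLE_BODY))
    try:
        hardened_update({"id": 42, "role": "USER"}, dict(SAMPLE_BODY), "USER")
        err = None
    except ForbiddenFieldError as e:
        err = str(e)
    return vuln["role"], err


if __name__ == "__main__":
    print(demo())   # ('ADMIN', "non-admin attempted to set ['role']")
```

The same filter applied to the registration handler closes step 2 as well, since "role" is never accepted from an unauthenticated caller.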


"We very much appreciate your work, but we have a very low budget, so please accept our apologies for this amount and send your bank account details."


This 130$ was very easy and very fast. It was very low relative to the impact, but this is better than zero.

For me this dopamine hit was worth more than 1000$. Findings and bounties like this keep you going.


This is the End :)


Thanks for reading. If you want to read more write-ups like this, follow me and share your thoughts in the comments section.


#cybersecurity #privilege-escalation #bug-bounty-writeup

1 comment

  1. good hunt