[Business Logic]
Bypassing Nickname Feature


Summary:

Hello guys, this is my first time writing a blog post, so I want to apologise in advance for my bad English :sweat_smile:

Three months ago I found a simple logic bug in a public program on Bugcrowd that let me change the nickname assigned to me to any nickname I wanted. During account creation a nickname is already assigned to the account, and it is designed to be unchangeable. However, I noticed that the request for changing my account details used JSON. My guessing instinct was spot on :laughing: I thought: what if I add a nickname parameter to that request and see whether the nickname changes? The JSON request with the nickname parameter was accepted in the response. Boom! I could bypass the restriction and change my nickname to whatever I wanted.

Proof of Concept

  1. Create/sign up for an account here: redacted.com
  2. Assuming we have already created an account, now go to redacted.com and edit your details.
  3. Intercept the request and append a parameter called Nickname.

Original Request

{"name":{"given":"redacted","family":"redacted"},"location":"redacted","bio":"redacted","phone_number":"redacted"}

Edited Request

{"name":{"given":"redacted","family":"redacted"},"Nickname":"BypassedNickname","location":"redacted","bio":"redacted","phone_number":"redacted"}
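The bug above is a classic mass-assignment problem: the profile-update handler copies whatever keys arrive in the JSON body into the stored record, so a field the UI never exposes (the nickname) can still be overwritten. The following is an added example, not the program's own code, showing a minimal handler that reproduces the behaviour beside an allowlisted version that refuses and reports unexpected keys. It assumes the vulnerable handler lowercases incoming keys before merging (which would explain why "Nickname" overwrote "nickname"); the field names are taken from the requests shown in the write-up.

```python
import json
from copy import deepcopy

# Fields the edit-details form is meant to change (taken from the write-up's
# request). "nickname" is deliberately absent: the site fixes it at signup.
EDITABLE_FIELDS = {"name", "location", "bio", "phone_number"}
NAME_SUBFIELDS = {"given", "family"}


def update_profile_vulnerable(profile, raw_body):
    """Merge every key from the request body into the stored profile.

    Assumed behaviour that reproduces the bug: keys are lowercased and copied
    blindly, so an unexpected "Nickname" silently overwrites "nickname".
    """
    updated = deepcopy(profile)
    for key, value in json.loads(raw_body).items():
        updated[key.lower()] = value
    return updated


def update_profile_allowlisted(profile, raw_body):
    """Copy only allowlisted fields; reject the request if anything else appears.

    Returns (status_code, updated_profile_or_None, rejected_keys) so the caller
    can both refuse the write and log the unexpected keys for detection.
    """
    body = json.loads(raw_body)
    rejected = sorted(k for k in body if k not in EDITABLE_FIELDS)
    name = body.get("name", {})
    # Nested objects need the same treatment: only known sub-fields pass.
    if not isinstance(name, dict) or set(name) - NAME_SUBFIELDS:
        rejected.append("name")
    if rejected:
        return 400, None, rejected
    updated = deepcopy(profile)
    updated.update(body)
    return 200, updated, []


# Constructed sample data mirroring the write-up's requests.
STORED_PROFILE = {"nickname": "user12345", "name": {"given": "r", "family": "r"},
                  "location": "x", "bio": "x", "phone_number": "x"}
ORIGINAL_REQUEST = json.dumps({"name": {"given": "r", "family": "r"},
                               "location": "x", "bio": "x", "phone_number": "x"})
EDITED_REQUEST = json.dumps({"name": {"given": "r", "family": "r"},
                             "Nickname": "BypassedNickname", "location": "x",
                             "bio": "x", "phone_number": "x"})
```

A 400 response listing the rejected keys is also a useful signal to log: a client sending fields the form never emits is exactly the probing described in this write-up.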

Timeline

Title of Report: Bypassing Nickname Feature redacted.com
Date of Report: 11 May 2019 04:43:41 UTC
Date Resolved: 05 June 2019 12:53:44 UTC
Bounty Paid: $50

I hope you enjoyed this write-up, and always remember:
Think outside the box!
Thanks

Kent Bayron
