I was able to see all user information by manipulating parameters on the website.
Introduction
Hello, everyone! Today, I'd like to share my recent experience with a bug bounty program. It is a story about a bug where, by manipulating some parameters in a request, I was able to see all user-related information: their user name, id, id_org, name, address, and some other really important information.
What is parameter manipulation?
Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make an application do things its users should not be able to do. Any value the client controls (query parameters, form fields, cookies, hidden fields) can be changed before the request is sent, so the server cannot trust it: it has to validate the value and enforce authorization on its own, based on the identity it established server-side.
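To make the bug class concrete, here is an added example (my code, not from the original post or the site involved): a profile lookup that trusts the client-supplied id beside a hardened version that authorizes against the server-side session, plus a small log check for the access pattern this kind of bug leaves behind. The user table, field names (id, id_org, name, address), log format and session ids are constructed assumptions.

```python
# Added example (not from the original post); names, fields and records are
# constructed assumptions standing in for the site's real user data.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    id_org: int
    name: str
    address: str
    is_admin: bool = False

USERS = {  # constructed stand-in for the application's user table
    1: User(1, 10, "alice", "1 Main St"),
    2: User(2, 10, "bob", "2 Oak Ave"),
    3: User(3, 20, "carol", "3 Elm Rd", is_admin=True),
}

class Forbidden(Exception): pass  # where a real app answers 403/404

def _public(u: User) -> dict:
    return {"id": u.id, "id_org": u.id_org, "name": u.name, "address": u.address}

def profile_vulnerable(session_user_id: int, params: dict) -> dict:
    """Returns whatever record `id` names: any logged-in user reads every
    other user's data simply by changing the number in the request."""
    return _public(USERS[int(params["id"])])

def profile_hardened(session_user_id: int, params: dict) -> dict:
    """Same lookup, but the decision is made from the session's identity,
    never from the client-supplied id: a user may read their own record and
    an admin may read records within their own organisation."""
    caller = USERS[session_user_id]
    target = USERS.get(int(params["id"]))
    own = target is not None and target.id == caller.id
    org_admin = target is not None and caller.is_admin and caller.id_org == target.id_org
    if not (own or org_admin):
        raise Forbidden  # unknown and foreign ids get the same answer
    return _public(target)

def enumerating_sessions(log_lines: list, threshold: int = 3) -> set:
    """Detection aid: sessions requesting unusually many distinct profile ids,
    the pattern that id-walking leaves in access logs.
    Constructed log format: '<session> GET /profile?id=<n>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _, path = line.split()
        seen[session].add(path.rsplit("id=", 1)[1])
    return {s for s, ids in seen.items() if len(ids) >= threshold}
```

The hardened handler answers the same way for an id that does not exist and for one the caller may not read, so the response does not reveal which ids are valid.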
Discovery and Reconnaissance:
For this blog, let's say the website's name is anything.com. As all bug bounty hunters do, I started with the basic tasks: finding subdomains, brute-forcing subdomains, and taking screenshots of every domain. After finishing my recon, which took 3 days, I checked all the screenshots to see if anything looked interesting, and there was one domain that caught my interest: I was able to get direct access to an admin dashboard.
Analysis of the website
But after I visited that URL, I was sent to a login panel. After a lot of playing around, I was not able to get…