I was able to see all user information by manipulating parameters on the website.

Reek Elderblod
3 min read, Aug 30, 2023

Introduction

Hello, everyone! Today I'd like to share my recent experience with a bug bounty program. It is the story of a bug where, by changing some parameters in a request, I was able to see all user-related information: the user name, id, id_org, name, address, and other really important data.

What is manipulating parameters

Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make an application do things the user should not be able to do.
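As an added example that is not part of the original post, here is a minimal record lookup in the shape described above, where a client-supplied user id selects the record, beside a version that enforces object-level authorization, plus a simple log check for one session walking through many ids. The records, roles, session ids and log format are constructed assumptions, not values from the program.

```python
"""Added example (not the post's code): a lookup that trusts a request
parameter such as ?user_id=, its hardened form, and an enumeration check."""
from collections import defaultdict

# Constructed sample records; ids, names, roles and orgs are assumptions.
USERS = {
    101: {"id": 101, "id_org": 7, "name": "Alice", "address": "1 Main St", "role": "user"},
    102: {"id": 102, "id_org": 7, "name": "Bob", "address": "2 High St", "role": "user"},
    103: {"id": 103, "id_org": 7, "name": "Carol", "address": "3 Low Rd", "role": "admin"},
    104: {"id": 104, "id_org": 9, "name": "Dave", "address": "4 Side Ln", "role": "user"},
}

def profile_vulnerable(session_user_id, requested_user_id):
    """The defect: the record is chosen by the client-supplied id only,
    so any logged-in user can read any other user's record."""
    return USERS.get(requested_user_id)

def profile_hardened(session_user_id, requested_user_id):
    """Object-level authorization: the record must belong to the caller,
    or the caller must be an admin of the same organisation (id_org)."""
    caller = USERS.get(session_user_id)
    target = USERS.get(requested_user_id)
    if caller is None or target is None:
        return None
    same_user = caller["id"] == target["id"]
    org_admin = caller["role"] == "admin" and caller["id_org"] == target["id_org"]
    if not (same_user or org_admin):
        return None  # deny by default; a real app answers 403 or 404 here
    return target

def detect_enumeration(log_lines, threshold=3):
    """Return sessions that requested more than `threshold` distinct user ids.
    Each constructed log line has the form 'session=<sid> user_id=<id>'."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["session"]].add(fields["user_id"])
    return sorted(sid for sid, ids in seen.items() if len(ids) > threshold)

# Constructed access log: s2 walks through several ids in a row.
SAMPLE_LOG = [
    "session=s1 user_id=101",
    "session=s2 user_id=101",
    "session=s2 user_id=102",
    "session=s2 user_id=103",
    "session=s2 user_id=104",
]
```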

Discovery and Reconnaissance

For this blog, let's say the website name is anything.com. As all bug bounty hunters do, I started with the basic tasks: finding subdomains, brute-forcing subdomains, and taking screenshots of every domain. After finishing my recon, which took 3 days, I went through all the screenshots to check whether anything was interesting, and one domain caught my interest: it gave me direct access to an admin dashboard.

Analysis of the website

But after I visited that URL I was sent to a login panel, and after a lot of playing around I was not able to get…


Reek Elderblod

Penetration Tester and Bug Bounty Hunter passionate about cybersecurity. Skilled in C and C++, and my goal is to earn CCIE Security and OSEE by the end of 2036.