Unveiling Privilege Escalation and Sensitive Data Exposure across the Domain

Javroot
3 min read · Dec 12, 2023

Hello everyone,

My name is Matin, a dedicated bug hunter and security researcher. I’m excited to present my inaugural writeup, which delves into a significant vulnerability discovered within a public program. Let’s embark on this hunting expedition together!

Step one:

I established a login session on the main domain while initiating Burp Suite to capture the requests. After accessing the system, I identified an OAuth token that permits data retrieval on numerous endpoints of the main domain. However, I currently lack the ability to access any additional pages.

I then decided to revisit and review the captured requests in detail, and I noticed something interesting about the web application: the OAuth token is generated within the API domain, not the main domain.

Step two:

Find subdomains with subfinder:

subfinder -d example.com -o subf.txt -v

After some exploration, I located the admin subdomain. Subsequently, this led to the discovery of relevant URLs on the target system:

echo "example.com"|waybackurls|httpx -title -status-code -tech-detect -content-length

Although numerous URLs were discovered, I was still facing restricted access to these pages and endpoints.

Analysis of how the API generates the token:

step 1: I log in on the main domain
step 2: my OAuth token is generated on the API domain
step 3: with it I can access the main domain
step 4: maybe I can log in to other domains without authentication and access a lot of data

Let’s try 🥸

Step Three:

Now, before sending out the request, we must first include this specific header.

Authorization: Bearer "OAuth valid Token"

and send the request.

boom 💥

We can gain access to sensitive data without prior authentication simply by appending a valid token to the request.
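The root cause described in steps 1 to 4 is that the admin subdomain only asks "is this token valid?" and never "was this token issued for me?". The following is an added example written for this writeup, not code from the affected program: it shows that weak check beside a hardened one that also binds the token to the host (audience) and to a required scope. The introspection table, token names and host names are constructed placeholders; a real service would call the OAuth server's introspection endpoint or verify a signed JWT instead.

```python
"""Added example (not from the original writeup): audience/scope enforcement
that the admin subdomain should apply before honouring a bearer token.

Assumption: tokens are opaque strings resolved through a constructed
introspection table standing in for the real OAuth server.
"""

from dataclasses import dataclass

# Constructed introspection data: what the API domain knows about each token.
# A token minted for the main site carries only that site's audience and scopes.
INTROSPECTION = {
    "tok-main-user": {"active": True, "aud": ["app.example.com"], "scope": "profile read"},
    "tok-admin-user": {"active": True, "aud": ["admin.example.com"], "scope": "admin read"},
    "tok-revoked": {"active": False, "aud": ["app.example.com"], "scope": "profile"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_bearer(header_value):
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    if header_value is None:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    # Tolerate the quoted form used in the writeup's header example.
    return parts[1].strip().strip('"')


def introspect(token):
    """Stand-in for the OAuth server's introspection call (constructed data)."""
    return INTROSPECTION.get(token)


def weak_check(auth_header):
    """Only checks that the token is active: the pattern that lets a token
    issued for the main domain open the admin subdomain."""
    token = parse_bearer(auth_header)
    info = introspect(token) if token else None
    if not info or not info["active"]:
        return Decision(False, "invalid or inactive token")
    return Decision(True, "token is active")


def hardened_check(auth_header, host, required_scope):
    """Active token, audience bound to this host, and required scope present."""
    token = parse_bearer(auth_header)
    info = introspect(token) if token else None
    if not info or not info["active"]:
        return Decision(False, "invalid or inactive token")
    if host not in info["aud"]:
        return Decision(False, f"audience {info['aud']} does not include {host}")
    scopes = set(info["scope"].split())
    if required_scope not in scopes:
        return Decision(False, f"missing scope {required_scope!r}")
    return Decision(True, "token bound to this host with required scope")


if __name__ == "__main__":
    # A main-domain user's token replayed against the admin host.
    header = "Bearer tok-main-user"
    print("weak    :", weak_check(header))
    print("hardened:", hardened_check(header, "admin.example.com", "admin"))
```

Running the block shows the weak check accepting the replayed main-domain token while the hardened check rejects it on audience; the same hardened function still accepts a token that was actually issued for the admin host with the admin scope. The audience claim is what ties a token to the host that should honour it, so every subdomain sharing the OAuth issuer needs its own audience and must check it.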

In summary, through diligent exploration and testing, we have uncovered a significant oversight in the web application’s security framework. By locating the admin subdomain and various pertinent URLs, a vulnerability has been identified that allows access to sensitive areas of the application without the need for authentication. This is facilitated by the injection of a valid token into the request header, which bypasses the standard security checks. The discovery of this flaw highlights a critical need for a thorough review and strengthening of the application’s authentication processes to mitigate any potential data breaches and to ensure the integrity and confidentiality of user data. It is imperative that these security gaps be addressed promptly to safeguard against unauthorized access and exploitation.

Authors: Javroot, Faeze Zolghadr 💖

see you soon on another writeup 😉✌️
