These attack scenarios come from my personal experience as a bug bounty hunter. This happens to be my favorite issue types because it's really to miss them and you can not automate the search easily due to the required logic knowledge.
The first example is from an application that allows you to make an appointment which lasts 1 hour. In the UI I am able to see time slots that last 1 hour and I can select one of them.
I was staring at the request and did not notice it at first, it took me a good hour to realize it:
If we change the start or end date we can fully book the agenda of the consultant for years if we wish. This is very easy to miss which is why i like this issue type so much!
A second example is that i love to look at my account settings when i am hacking to see if i can't find any properties in the api responses that I should not be able to edit to make myself admin for example but this is about a much more subtle bug.
Request:
Response from API:
There are two account types in here, these account types can not be found in the requests themselves but only in the response. However if i copy over that parameter, i might be able to change it as the API might automatically map the object.
Request:
Response from API:
A second subtilty that comes into play is that we need know that it's a pretty bad thing to change account types but looking at the website (which was not in scope but it's a public asset, www.FAKEPAGE.com ) on that page we found that one account type costs a lot more than the other thus increasing the impact.
As you can see you need to think very carefully about the function of every parameter and make sure you understand what it means and what all the options are with that specific property. Make sure you investigate all the properties the objects have on the API and that unused properties do not get sent to production where they might get abused. And also don't forget about API protection. We've compiled the OWASP Top 10 in 2021 based on millions of safety reports, read this article.
Subscribe for the latest news