Hola fellow researchers,
I am Rafi Ahamed, a Cyber Security Researcher from Bangladesh. I’m also part of Allsafe-India’s Penetration Tester Team. I am currently doing my BBA at the University of Dhaka, but I do love nerdy stuff. Let’s not waste any time & get down to our topic.
First of all, don’t get confused with the title. By forcing I actually meant Forced Browsing.
What is Forced Browsing?
Forced browsing is an attack in which the attacker aims to enumerate and access resources that the application never links to or references, but that are still reachable by requesting them directly.
How did I find the bug?
Recently I was testing a private site on HackerOne, and the site was selling educational videos. So, they allow a user a preview of the video without payment. But the preview was only 15 seconds or less. Well, who cares about that, right?
Actually, that’s where the $$$ lies.
As usual I turned on Interception using Burp Suite & noticed endpoints like below:
But the endpoint was on another subdomain. From the subdomain name it was clear that the organization uses this subdomain to store all its videos & other stuff. So, I quickly visited the endpoint to see if I could find anything.
But I got nothing. Got the same preview with the same duration.
Then I noticed that the endpoint had something like this:
I thought why not remove it & see what happens. I was surprised that I got the full video. Now I can watch any paid video without payment.
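As an added illustration (not code from the original post or from the program’s site), the Python below sketches the access-control failure described above: a media handler that trusts a client-supplied preview parameter, beside a hardened version in which the application server decides entitlement from its own purchase records and signs the allowed clip length, so that removing or editing any parameter on the media subdomain is rejected. The catalog, purchase records, video ids and signing key are constructed assumptions for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample data (assumptions for this example, not the real site's records).
CATALOG = {"lesson-42": {"duration": 600, "preview_seconds": 15}}
PURCHASES = {"alice": {"lesson-42"}, "bob": set()}
SIGNING_KEY = b"example-key-shared-by-app-and-media-hosts"  # placeholder, not a real secret


def vulnerable_media_serve(video_id, query):
    """Trusts the client's query string: dropping preview=true yields the full video."""
    video = CATALOG[video_id]
    if query.get("preview") == "true":
        return video["preview_seconds"]
    return video["duration"]  # no server-side check that the caller paid


def _sign(params):
    # Sign the sorted parameter set so that any added, removed or edited field changes the MAC.
    msg = urlencode(sorted(params.items())).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_media_url(user, video_id, now=None):
    """App server decides entitlement itself and signs the clip length it allows."""
    video = CATALOG[video_id]
    entitled = video_id in PURCHASES.get(user, set())
    params = {
        "v": video_id,
        "max_seconds": str(video["duration"] if entitled else video["preview_seconds"]),
        "exp": str(int(now if now is not None else time.time()) + 300),  # 5-minute link
    }
    params["sig"] = _sign(params)
    return "/media?" + urlencode(params)


def hardened_media_serve(url, now=None):
    """Media host serves only what the signature covers; returns None on any tampering."""
    query = {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}
    sig = query.pop("sig", None)
    if sig is None or not hmac.compare_digest(sig, _sign(query)):
        return None  # unsigned, stripped or edited parameters: refuse
    if int(query["exp"]) < int(now if now is not None else time.time()):
        return None  # expired link: refuse
    return int(query["max_seconds"])
```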
I quickly reported the bug to HackerOne & got a nice $500 bounty.
Reported: Sep 27th.
Triaged: Sep 28th.
Resolved: Oct 18th.