Hola fellow researchers,

I am Rafi Ahamed, a Cyber Security Researcher from Bangladesh. I’m also a part of Allsafe-India’s Penetration Tester Team. I am currently doing my BBA at the University of Dhaka. But I do love nerdy stuff. Let’s not waste any time & get down to our topic.

First of all, don’t get confused with the title. By forcing I actually meant Forced Browsing.

What is Forced Browsing?

Forced browsing is an attack where the attacker aims to enumerate and access resources that are not referenced by the application, but are still accessible.

How did I find the bug?

Recently I was testing a private site in HackerOne and the site was selling educational videos. So, they allow a user a preview of the video without payment. But the preview was for only 15 seconds or less. Well, who cares about that, right?

Actually, that’s where the $$$ lies.

As usual I turned on Interception using Burp Suite & noticed endpoints like below:


But the endpoint was on another subdomain. By looking at the subdomain name it was understood that the organization uses this subdomain to store all its videos & other stuff. So, I quickly visited the endpoint to see if I could find anything.

The endpoint

But I got nothing. Got the same preview with the same duration.


Then I noticed that the endpoint has something like this

I thought why not remove it & see what happens. I was surprised that I got the full video. Now I can watch any paid video without payment.


I quickly reported the bug to HackerOne & got a nice $500 bounty.

Reported: Sep 27th.

Triaged: Sep 28th.

Resolved: Oct 18th.
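
A defender's view of the flaw described above, as an added example that is not code from the original post or from the affected site. The post does not show what was removed from the endpoint, so the `preview` query marker, the URL layout, the host name and the purchase table below are all hypothetical; the first function limits playback only when the URL asks for it, the second decides from server-side purchase records and fails closed.

```python
from urllib.parse import urlsplit, parse_qs

PREVIEW_SECONDS = 15  # preview length mentioned in the post

# Constructed sample data: which account has paid for which video.
PURCHASES = {"alice": {"vid-101"}}


def _has_preview_marker(url):
    # "preview" is a hypothetical marker name, not the site's real one.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "preview" in query


def allowed_seconds_vulnerable(url, user):
    """Flawed pattern: the limit exists only if the URL requests it.

    Returns the number of seconds to serve, or None for the full video.
    """
    if _has_preview_marker(url):
        return PREVIEW_SECONDS
    return None  # marker absent: full video, no entitlement check at all


def allowed_seconds_hardened(url, user):
    """Entitlement comes from server-side records; the URL can only narrow it."""
    video_id = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    owns_video = user is not None and video_id in PURCHASES.get(user, set())
    if owns_video and not _has_preview_marker(url):
        return None  # paying user asking for the full video
    return PREVIEW_SECONDS  # everyone else gets the preview, whatever the URL says


if __name__ == "__main__":
    # Constructed URLs on a reserved test domain.
    with_marker = "https://media.example.test/videos/vid-101?preview=1"
    without_marker = "https://media.example.test/videos/vid-101"
    for url in (with_marker, without_marker):
        print(url)
        print("  vulnerable, anonymous:", allowed_seconds_vulnerable(url, None))
        print("  hardened,   anonymous:", allowed_seconds_hardened(url, None))
        print("  hardened,   alice    :", allowed_seconds_hardened(url, "alice"))
```

The same decision has to be made on the host that actually serves the media files, since the post notes the videos lived on a separate subdomain from the main application.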

Hope you guys enjoyed this one. PM me on Facebook or LinkedIn anytime if you have any questions.

#Eat_sleep_hack_repeat
#Hack’em all

Written by

Pentester/Bug Bounty Hunter & A typical Business Undergraduate. (https://www.facebook.com/rafiahamed.rupak.3)
