Hola fellow researchers,
Myself, Rafi Ahamed. I am a Cyber Security Researcher from Bangladesh. I am currently doing my BBA at the University of Dhaka, but I do love nerdy stuff. Let’s not waste any time & get down to our topic.
First of all, don’t get confused with the title. By forcing I actually meant Forced Browsing.
Forced browsing is an attack in which the attacker aims to enumerate and access resources that the application does not link to or reference, but that are still reachable if you request them directly (the server relies on the resource being unreferenced rather than on an access-control check).
Recently I was testing a private site on HackerOne; the site was selling educational videos. So, they allow a user a preview of the video without payment, but the preview was only 15 seconds or less. Well, who cares about that, right?
Actually, that’s where the $$$ lies.
As usual I turned on Interception using Burp Suite & noticed endpoints like below:
But the endpoint was on another subdomain. From the subdomain name it was clear that the organization uses this subdomain to store all its videos & other stuff. So, I quickly visited the endpoint to see if I could find anything.
But I got nothing. Got the same preview with the same duration.
Then I noticed that the endpoint had something like this
I thought, why not remove it & see what happens? I was surprised that I got the full video. Now I could watch any paid video without payment.
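The bug class here is an access-control decision that lives in a client-supplied query parameter: the storage host trims the video to whatever the parameter says, and treats a missing parameter as "send the whole file". The following is an added example (not the site's code, and the parameter name `clip`, the host `media.example.test`, the catalog and the signing key are all assumptions made up for illustration) that models the vulnerable pattern beside a hardened one, where the app server decides the allowed length from the user's entitlement and signs it, so the storage host refuses anything that is stripped, altered or expired:

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed data for the example only; none of this is the real site's.
FULL_DURATION = {"vid-101": 3600}               # video id -> full length in seconds
ENTITLED = {"alice": {"vid-101"}, "bob": set()}  # bob has not paid for vid-101
PREVIEW_SECONDS = 15
SIGNING_KEY = b"example-signing-key"            # assumption: shared by app server and storage host
TOKEN_TTL = 300                                 # seconds a signed URL stays valid


def _video_id(url: str) -> str:
    """Take the video id out of a path such as /videos/vid-101.mp4."""
    return urlparse(url).path.rsplit("/", 1)[-1].removesuffix(".mp4")


def vulnerable_serve(url: str) -> int:
    """Storage-host logic reproducing the bug class: the clip length is a plain query
    parameter chosen by the client, and a missing parameter means 'whole file'.
    Returns the number of seconds the host would hand out."""
    q = parse_qs(urlparse(url).query)
    full = FULL_DURATION[_video_id(url)]
    if "clip" in q:
        return min(int(q["clip"][0]), full)
    return full  # stripping ?clip=... yields the paid video for free


def _sig(video_id: str, clip: int, exp: int) -> str:
    """HMAC over everything the storage host will act on (id, length, expiry)."""
    msg = f"{video_id}|{clip}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(user: str, video_id: str, now: int) -> str:
    """App server: decides the allowed length from the entitlement, then signs it.
    The client never gets to choose the clip length itself."""
    full = FULL_DURATION[video_id]
    clip = full if video_id in ENTITLED.get(user, set()) else PREVIEW_SECONDS
    exp = now + TOKEN_TTL
    params = {"clip": clip, "exp": exp, "sig": _sig(video_id, clip, exp)}
    return f"https://media.example.test/videos/{video_id}.mp4?{urlencode(params)}"


def hardened_serve(url: str, now: int):
    """Storage host: serves only what the signature covers. Returns the seconds to
    serve, or None (a 403 in a real server) when parameters are missing, tampered
    with, or expired. The failure mode is 'deny', never 'default to the full file'."""
    q = parse_qs(urlparse(url).query)
    video_id = _video_id(url)
    try:
        clip, exp, sig = int(q["clip"][0]), int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None  # stripped or malformed parameters -> deny
    if now > exp:
        return None  # replayed after expiry -> deny
    if not hmac.compare_digest(sig, _sig(video_id, clip, exp)):
        return None  # clip/exp edited by the client -> signature no longer matches
    return min(clip, FULL_DURATION[video_id])


if __name__ == "__main__":
    base = "https://media.example.test/videos/vid-101.mp4"
    print("vulnerable, with clip :", vulnerable_serve(base + "?clip=15"))
    print("vulnerable, stripped  :", vulnerable_serve(base))
    signed = issue_url("bob", "vid-101", now=1000)
    print("hardened, as issued   :", hardened_serve(signed, now=1000))
    print("hardened, stripped    :", hardened_serve(base, now=1000))
    print("hardened, clip edited :", hardened_serve(signed.replace("clip=15", "clip=3600"), now=1000))
```

The point of the hardened version is not the HMAC itself but where the decision is made: the length is derived from the entitlement on the server that knows who the user is, and the storage host can only replay that decision, not reinterpret a missing parameter in the client's favour. When testing for this class, stripping or shortening each query parameter on a media URL and diffing `Content-Length` (or the returned duration) against the original response is the quick check.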
I quickly reported the bug to HackerOne & got a nice $500 bounty.
Reported: Sep 27th.
Triaged: Sep 28th.
Resolved: Oct 18th.
Hope you guys enjoyed this one. PM me on Facebook or LinkedIn anytime if you have any questions.