API Misconfiguration which leads to unauthorized access to servicedesk tickets
Hope you are doing well in bug bounty. Ever common bugs getting duplicate so thought to share one of my unique finding, as site name not allowed to disclosure we consider it as redacted.com.
However its my first writeup so ignore the mistakes and sorry for bad english ! Without wasting time let's get start ,
Most of time when we saw API we fuzz for sensitive endpoints and files. I did same but there was nothing useful found, so I thought to recon for js files.
You can checkout beginner guide for js files recon :
Mainly I prefer Linkfinder for enpoint discovery.
Didn't find anything from js files but one endpoint took my attention
After visiting https://redacted.com/servicedeskapi/v1/gettickets it threw error
Here is one thing to notice " GET Method Not allowed" which is hint for me so what if I go for Post Method ?
Again it threw error Length Required So I inserted Content-Length: Header as Content-Length: 0
So for satisfying the Request it was asking to provide something in body so I decided to pass " app_id= " which I found in source code, where I made mistake of providing it without JSON format, now I again got an error .
The last requirement was Content-Type: header and body must be in JSON format so here we go, we are able to access all Service desk Tickets !
~ Never Ever forget to look into js files they are like gold mine ; )
~ Do Automation But Never forget to manual checking
~ Errors are nothing but the hints, notice them and proceed.
· 11 Jul 2020 — Bug Reported .
· 13 Jul 2020 — Triage .
· 29 Jul 2020 — Fixed / Reward Issue .
Thanks for taking time to read writeup ! Suggestions are always welcome.
Get in touch with me :
Copyright Gaurav Popalghat. All Rights Reserved.