Information disclosure via api misconfiguration

As-Salaam-Alaikum (Peace be unto you)

Hello Amazing Hacker My name is Rizwan Siddiqui I am a Bug Hunter. This is my First Writeup hope You guys will enjoy it and learn something new from it. Let’s get started how I found this api misconfiguration.

Let’s Goooooooooooooooo

scenario:The web application is some car or bus selling web application and there is also jobs related stuff there. I try file upload xss but nothing works then I Go To id.target.com there is some profile type function where i can upload my file and there is my login log my ip address who login in my account through which ip. I try some xss again file upload vulnerability but nothing works

After that i thought i should give up and change my target but in id.target.com there is api endpoint which is fetching my personal details like my ip address and name stuff. That time i thought i should fuzz here i try fuzzing after that i notice that this is authenticated endpoint i should fuzz with my cookie so i can find something juice info and i start fuzz like this ffuf -u https://id.target.com/api/FUZZ -w wordlist -c COOKIE_HERE after some time it give me https://id.target.com/api/work and guess what there is some misconfiguration in api endpoint which is leaking company employee data like there position in company jobs Descriptions profile pic that time i thought this is just some basic or some one person info but i am wrong when i send it to repeater tab and i send that request again and again they give me new employee data everytime.

Employee Data.

Step To reproduce:

  1. Go to id.target.com login with your credential.
  2. open burp suite forward requests until u see the request like this :
GET /api/personal HTTP 1.1
HOST: id.target.com
Cookie : JWT TOKEN
Accept: application/json

3. Just remove “personal” and add “work” then see the magic.

Takeaway:

Always Fuzz with your cookies if there is api endpoint. And never lose Hope.

Bug Hunter Infosec Guy