Information disclosure via API misconfiguration

As-Salaam-Alaikum (Peace be unto you)

Hello amazing hackers, my name is Rizwan Siddiqui and I am a bug hunter. This is my first writeup; I hope you guys will enjoy it and learn something new from it. Let’s get started with how I found this API misconfiguration.

Let’s Goooooooooooooooo

Scenario: the web application is a car or bus selling site, and there is also a jobs section on it. I tried file upload XSS but nothing worked. Then I went to a profile-type function where I could upload my file, and it also showed my login log: the IP address of whoever logged in to my account. I tried XSS and file upload vulnerabilities again, but nothing worked.

After that I thought I should give up and change my target, but there was an API endpoint there fetching my personal details, like my IP address and my name. That is when I thought I should fuzz here. I tried fuzzing, and then noticed that this is an authenticated endpoint, so I should fuzz with my cookie to find some juicy info. I started fuzzing like this: ffuf -u -w wordlist -c COOKIE_HERE

After some time it gave me a result, and guess what: there is a misconfiguration in the API endpoint which leaks company employee data, like their position in the company, job descriptions and profile pictures. At that time I thought this was just some basic info of one person, but I was wrong: when I sent it to the Repeater tab and sent that request again and again, it gave me new employee data every time.

Employee Data.

Steps to reproduce:

  1. Log in with your credentials.
  2. Open Burp Suite and forward requests until you see a request like this:
GET /api/personal HTTP/1.1
Cookie: JWT TOKEN
Accept: application/json

  3. Just replace “personal” with “work” in the path, then see the magic.
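To make the root cause of the steps above concrete, here is an added example (not code from the original writeup or from the affected application) that models the two routes as plain Python functions. The paths /api/personal and /api/work come from the writeup; the session tokens, user and employee records, the role names and the log line format are constructed assumptions. The vulnerable handler checks only that the caller is logged in, the fixed handler also checks what the caller is allowed to read, and a small log scan shows how the "resend again and again" access pattern can be spotted while the fix is rolled out.

```python
# Added example (not code from the original writeup): a minimal, offline model
# of the misconfiguration above. The paths /api/personal and /api/work come
# from the writeup; session tokens, user and employee records, role names and
# the log format are constructed assumptions for illustration.
from collections import Counter

# Constructed session store: cookie value -> (user_id, role). A real service
# would verify a JWT here; these placeholder tokens stand in for it.
SESSIONS = {
    "tok-alice": ("u1", "candidate"),  # ordinary logged-in job seeker
    "tok-hr": ("u2", "hr"),            # staff role assumed to need the directory
}

# Constructed per-user profile data (what /api/personal is meant to return).
PERSONAL = {
    "u1": {"name": "Alice", "last_login_ip": "203.0.113.10"},
    "u2": {"name": "HR Admin", "last_login_ip": "198.51.100.7"},
}

# Constructed employee directory (the data /api/work leaked in the writeup).
EMPLOYEES = [
    {"id": "e1", "name": "Bob", "position": "Sales Lead", "pic": "/pics/bob.jpg"},
    {"id": "e2", "name": "Carol", "position": "Fleet Manager", "pic": "/pics/carol.jpg"},
]

DIRECTORY_ROLES = {"hr"}  # assumed: only HR staff may read the employee directory


def authenticate(cookie):
    """Return (user_id, role) for a valid session cookie, otherwise None."""
    return SESSIONS.get(cookie)


def vulnerable_handler(path, cookie):
    """The misconfigured API: any authenticated caller can reach any route."""
    principal = authenticate(cookie)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    user_id, _role = principal
    if path == "/api/personal":
        return 200, PERSONAL[user_id]
    if path == "/api/work":
        # Authentication is enforced but authorization is not: a job seeker
        # who swaps "personal" for "work" receives the whole directory.
        return 200, EMPLOYEES
    return 404, {"error": "not found"}


def fixed_handler(path, cookie):
    """Same routes with a function-level authorization check on /api/work."""
    principal = authenticate(cookie)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    user_id, role = principal
    if path == "/api/personal":
        # Object-level scoping: the caller only ever sees their own record.
        return 200, PERSONAL[user_id]
    if path == "/api/work":
        if role not in DIRECTORY_ROLES:
            # Deny by default; this role check is the fix for the leak above.
            return 403, {"error": "forbidden"}
        return 200, EMPLOYEES
    return 404, {"error": "not found"}


# Constructed access-log lines in an assumed "<token> <method> <path> <status>"
# format, modelling one session that replays /api/work again and again.
SAMPLE_LOG = [
    "tok-alice GET /api/personal 200",
    "tok-alice GET /api/work 200",
    "tok-alice GET /api/work 200",
    "tok-alice GET /api/work 200",
    "tok-hr GET /api/work 200",
]


def flag_enumeration(log_lines, threshold):
    """Return session tokens with at least `threshold` successful /api/work hits.

    Repeated successful reads of a data-listing route by a single session is
    the access pattern the writeup describes (resend in Repeater, new records
    each time), so it is a cheap signal to alert on until the route is fixed.
    """
    hits = Counter()
    for line in log_lines:
        token, _method, path, status = line.split()
        if path == "/api/work" and status == "200":
            hits[token] += 1
    return sorted(t for t, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print(vulnerable_handler("/api/work", "tok-alice"))  # 200 and the directory
    print(fixed_handler("/api/work", "tok-alice"))       # 403
    print(flag_enumeration(SAMPLE_LOG, 3))               # ['tok-alice']
```

The important difference is that `vulnerable_handler` stops at "is this cookie valid?", whereas `fixed_handler` also asks "is this user allowed to read this resource?" for every route that returns data about someone other than the caller. The log check is deliberately simple: one session pulling a listing endpoint repeatedly is enough to page someone, and the threshold is a tunable assumption.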


Always fuzz with your cookies if there is an API endpoint. And never lose hope.

Bug Hunter Infosec Guy