#Bugbounty — How I was able to access premium user functionalities without paying for them

Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation.

From a user perspective, access controls can be divided into the following categories:

  • Vertical access controls
  • Horizontal access controls
  • Context-dependent access controls

For a better understanding of these categories, please go through the following resource:

https://portswigger.net/web-security/access-control

I found a similar issue in one of the private programs on the Bugcrowd platform, which we can categorise as a context-dependent access control issue. Based on my understanding of the application, I was able to tell that it was a treasure hunt application and we have to find treasure (I’m not being sarcastic here 😉 ). Let’s go through the vulnerability…

1. The first step is to identify the functionalities that belong to a higher-privilege user. Let’s log in to the app and check what we have at our disposal.

As we can see in the screenshot above, there is an interesting section called “PREMIUM TOOLS”.

2. The “User routes” feature provides some interesting stuff like “add routes” or “search for existing routes”. Let’s create a route. Notice the https://example.com/my/userroutes.aspx path.

3. And our route is saved.

4. Now let’s log in with a lower-privilege user, i.e. a user without access to premium tools.

It looks like this user doesn’t have access to “PREMIUM TOOLS” features.

5. Now simply navigate to the path we observed in step 2.

And we can access the premium feature without paying for it. The application only hides the “PREMIUM TOOLS” menu from non-premium users; it does not check the entitlement when the premium page itself is requested.

6. We can also see the route entry we created in the initial stage.

The easiest finding one can ever find. Now let’s see how we can automate this when an application has too many functionalities to check by hand. We can use a Burp plugin called Autorize, which replays every request made by a high-privilege session with the cookies of a low-privilege session and flags requests that receive the same response.
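The following Python snippet is an added example and is not code from the target application or from Autorize. It models the flaw in steps 1 to 6 (a premium page that is merely hidden from the menu), shows the server-side fix (the dispatcher checks the required entitlement on every request), and implements the Autorize idea in miniature: replay each path reachable by the premium session as the non-premium user and report paths whose response is identical. The users `alice` and `bob`, the entitlement name `premium`, and the route table are constructed for illustration; only the `/my/userroutes.aspx` path comes from the write-up.

```python
"""Model of a premium-feature access-control bypass and a replay check for it.

Added example, not the target application's code. The accounts, entitlements
and route table below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    path: str
    user: str          # owner of the authenticated session


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed accounts: alice has paid for premium tools, bob has not.
ENTITLEMENTS = {"alice": {"premium"}, "bob": set()}


def has_entitlement(user: str, entitlement: str) -> bool:
    return entitlement in ENTITLEMENTS.get(user, set())


def home_page(req: Request) -> Response:
    # The menu hides PREMIUM TOOLS from non-premium users. This is presentation,
    # not authorisation: it says nothing about who may load the premium page.
    menu = ["Home"]
    if has_entitlement(req.user, "premium"):
        menu.append("PREMIUM TOOLS")
    return Response(200, " | ".join(menu))


def user_routes_page(req: Request) -> Response:
    return Response(200, "User routes: add route / search routes")


# Vulnerable dispatcher: any authenticated user who knows the path gets the page.
VULNERABLE_ROUTES = {"/": home_page, "/my/userroutes.aspx": user_routes_page}


def vulnerable_app(req: Request) -> Response:
    handler = VULNERABLE_ROUTES.get(req.path)
    return handler(req) if handler else Response(404, "Not found")


# Hardened dispatcher: each route declares the entitlement it requires and the
# check runs centrally on every request, regardless of what the menu displays.
HARDENED_ROUTES = {
    "/": (None, home_page),
    "/my/userroutes.aspx": ("premium", user_routes_page),
}


def hardened_app(req: Request) -> Response:
    entry = HARDENED_ROUTES.get(req.path)
    if entry is None:
        return Response(404, "Not found")
    required, handler = entry
    if required is not None and not has_entitlement(req.user, required):
        return Response(403, "Premium subscription required")
    return handler(req)


def find_bypasses(app, privileged_user: str, low_user: str, paths):
    """Replay every path the privileged session can reach as the low-privileged
    user (the idea behind Autorize) and return the paths whose status and body
    are identical, i.e. where no authorisation check distinguished the users."""
    bypasses = []
    for path in paths:
        priv = app(Request(path, privileged_user))
        if priv.status != 200:
            continue  # nothing to protect if the privileged user cannot reach it
        low = app(Request(path, low_user))
        if (low.status, low.body) == (priv.status, priv.body):
            bypasses.append(path)
    return bypasses


if __name__ == "__main__":
    paths = list(VULNERABLE_ROUTES)
    print("vulnerable app bypasses:", find_bypasses(vulnerable_app, "alice", "bob", paths))
    print("hardened app bypasses:  ", find_bypasses(hardened_app, "alice", "bob", paths))
```

Comparing both status and body matters: the home page returns 200 to both users but with different menus, so it is correctly not flagged, whereas the premium page returns byte-identical content to both users in the vulnerable version and is flagged. The hardened version keeps the route-to-entitlement mapping in one table, so a new premium page cannot be added without stating who may load it.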

There is also an excellent video by STÖK on how to use the plugin. Check it out here: https://www.youtube.com/watch?v=3K1-a7dnA60

Thanks for reading! Have a nice day ahead.

~Nishith K( https://twitter.com/busk3r )

Security Enthusiast | Keen Learner | Breaking stuff to learn | Occasional bounty hunter | Twitter: @busk3r
