For this article I am going to share my recent findings from Bugcrowd a bug bounty, which for the purposes of this article I will call Program X. This was the first four figure bug bounty I had ever won and it was a fantastic feeling. Come weekends I have a ton of energy I need to burn and I tend to burn that energy looking for bugs. After spending two days solid and finding a few different bugs which bounties can be claimed on, it made me realize that there are still lots of vulnerabilities to be found.
Before we proceed directly to the bug, 'Program X' belongs to a popular E-commerce company and they had 3 URLs within scope. I was testing their main domain but could find nothing, so I moved ahead onto another target within the program. I first spidered and did a bit of content discovery via burp-suite and then walked around the web application as a normal user. I was buying stuffs, adding it to carts, buying gift cards, and finalizing payments. I usually do this to get all the directories, files and see what all functions are presented to me when I do things as a normal user.
I was then looking into the Burp's Proxy History and it was like a huge list I had to go through manually. At one point of time, I saw that there was an endpoint that is responsible to give us the shipping item's amount and then it would recalculate the item's value and show it to the UI.
So I started tracing where this endpoint is related to and how can I get to this endpoint. After a little walk backward through the request, I found out that it was initiated in the checkout page. Now I quickly added an item to the cart, and went to checkout. After I entered the checkout page, I put in the details of mine and proceeded to the shipping page. Here, it was interacting with the api endpoint which was responsible to set the shipping price.
Endpoint was similar to /api/cart/shippingMethodupdate (can't disclose original as I am not allowed to disclose the program and the vulnerability but trying to modify in a way that I don't point to them in any way). The body was in json format and there I saw a parameter as shippingcost and originalshippingcost along with few more other parameters. So I quickly modified those two parameters to 0.00 and sent the request and turned intercept off to quickly let it load and see if it worked.
Sadly it did not!!!
Then I realised that it was interacting with another api endpoint afterwards. After /api/cart/shippingMethodupdate, it hit /updateCart where, we had to modify the shipping amount again. Afterwards, I was able to get express shipping which would cost around $25 for free.
It just goes to show how even the most seemingly innocent functions of a website, or app, can contain vulnerabilities for those that look for them. This one had been completely overlooked and undiscovered, or had it? Who knows how many people had been getting free shipping using this bug? And that is why I got paid out a four figure bug bounty for this, it could have potentially cost a LOT of money.
Thats it for this chapter folks. I will see you soon in another article. Hit me up over Twitter if you have any questions or feedback.