Posts

Escalating user privileges in a BBP

Hi folks,
This post is about one of my recent findings in a private bug bounty program. Since the program refused public disclosure (I don't know why), I am not attaching any screenshots, but I will still try to explain the idea. Let's call the site example.com. So example.com is a trading platform, and they have a limited trial period after which you have to spend $$ to renew your account. And the most irritating part is that once your trial account has expired, example.com lands you on https://example.com/subscription/expired every time.
So I created a new trial account and started checking common endpoints like the profile page, account balance page, recent activities page, etc.
After that I tried to get those endpoints with my old expired account, and every time I was landing on https://example.com/subscription/expired :(
Now the challenge was to somehow get and update the information of my old expired account. Luckily they have an API which is used to fetch, update and trade orders for us. Now al…

Story of a JSON XSS
