
A Logical Bug That Slipped Through

In the Name of Allah, the Most Beneficent, the Most Merciful.
All the praises and thanks be to Allah, the Lord of the ‘Alamin (mankind, jinns and all that exists).

callgh0st
Published in InfoSec Write-ups
3 min read · Feb 27, 2025

It’s been a while since I posted a write-up, but here I am today — haha!

This write-up is about a bug I found in a Bugcrowd program some time ago. Let’s get started.

For the sake of responsible disclosure, I won’t be revealing the program’s actual name. Instead, I’ll refer to it as gaza.com.

The target is a website and app that allows users to book restaurant reservations.

Finding the Bug

When I started testing the target, I explored it like a regular user to understand its flow. I quickly noticed that all IDs (such as comments, reports, bookings, etc.) were in UUID format. After checking some features, I started to feel burnt out because I hadn’t yet found an opportunity to apply my love for logic flaws :).

Alhamdulillah, just as I was about to take a break or move on to another target, I decided to check out a feature where users can add restaurants to their favorites. Users could share their lists with others, and others could copy the list as a new list.

📌 The list URL followed this pattern:
👉 https://gaza.com/list/UUID

That’s when my logic mindset kicked in! I decided to create another user for testing.

We now have two users:

  • UserA (list owner)
  • UserB (recipient)

I discovered a Failure to Invalidate Session on Permission Change. This means a user could bypass access revocation by replaying a previously saved request. As a result, unauthorized users could still access sensitive resources even after their permissions were revoked.

Steps to Reproduce

A. Initial Sharing:

1️⃣ UserA creates a list and shares it with UserB.
2️⃣ UserB is granted permission to make a copy of the list.

B. Saving the Copy Request:

3️⃣ While access is still active, UserB initiates a copy request for the list.
4️⃣ UserB intercepts and saves this request using Burp Suite.

C. Revoking Access:

5️⃣ UserA revokes UserB’s access to the list.
6️⃣ At this point, UserB should no longer be able to access or copy the list.

D. Replaying the Saved Request:

7️⃣ UserB replays the previously saved request in Burp Suite.
8️⃣ Despite the revoked access, the request still succeeds, and UserB obtains a copy of the list — including any updates made by UserA!
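To make the root cause of steps 1 to 8 concrete from the defender's side, here is an added example that is not part of the original write-up or the affected program. It models the "copy a shared list" feature in memory with two copy handlers: a vulnerable one that trusts a copy capability issued at share time (my assumption about why the replay worked, not a confirmed detail of the real backend), and a fixed one that re-checks the current share table on every request and logs the denial so a replayed request after revocation shows up in audit logs. All user names, list contents and tokens are constructed for the demo.

```python
"""Added example, not the program's own code: a toy model of a shared
favourites list where UserB can copy a list UserA shared, and UserA can
later revoke that access. Shows why a request saved before revocation
keeps working when the server trusts the capability it issued at share
time, and how checking the current share state fixes it."""
import secrets
import uuid
from dataclasses import dataclass, field


@dataclass
class FavoritesList:
    list_id: str
    owner: str
    restaurants: list[str] = field(default_factory=list)


class ListService:
    def __init__(self):
        self.lists: dict[str, FavoritesList] = {}
        # list_id -> users currently allowed to copy it (the source of truth)
        self.shares: dict[str, set[str]] = {}
        # token -> (list_id, recipient), minted at share time and never expired
        self.copy_tokens: dict[str, tuple[str, str]] = {}
        self.audit: list[str] = []  # denied requests land here for detection

    def create_list(self, owner, restaurants):
        lst = FavoritesList(str(uuid.uuid4()), owner, list(restaurants))
        self.lists[lst.list_id] = lst
        self.shares[lst.list_id] = set()
        return lst.list_id

    def share(self, owner, list_id, recipient):
        if self.lists[list_id].owner != owner:
            raise PermissionError("only the owner can share")
        self.shares[list_id].add(recipient)
        token = secrets.token_urlsafe(16)
        self.copy_tokens[token] = (list_id, recipient)
        return token  # what the recipient's client puts in the copy request

    def revoke(self, owner, list_id, recipient):
        if self.lists[list_id].owner != owner:
            raise PermissionError("only the owner can revoke")
        self.shares[list_id].discard(recipient)

    # Vulnerable: the saved request carries a token that was valid when captured,
    # and nothing re-checks whether the grant still exists.
    def copy_list_vulnerable(self, user, token):
        list_id, granted_to = self.copy_tokens[token]
        if granted_to != user:
            raise PermissionError("token not issued to this user")
        # BUG: no check that `user` is still in self.shares[list_id]
        return self._do_copy(user, list_id)

    # Fixed: authorization is evaluated against current state on every call.
    def copy_list_fixed(self, user, token):
        list_id, granted_to = self.copy_tokens[token]
        if granted_to != user or user not in self.shares[list_id]:
            self.audit.append(f"DENY copy list={list_id} user={user} (no current share)")
            raise PermissionError("access to this list has been revoked")
        return self._do_copy(user, list_id)

    def _do_copy(self, user, list_id):
        # The copy is a snapshot of the source list at copy time
        return self.create_list(user, self.lists[list_id].restaurants)


def replay_scenario(handler_name):
    """Run the write-up's steps 1-8 against one handler.

    Returns (replay_succeeded, detail): the copied restaurants when the replay
    succeeds, or the audit trail when the server denies it."""
    svc = ListService()
    list_id = svc.create_list("UserA", ["Falafel House"])            # constructed data
    token = svc.share("UserA", list_id, "UserB")                     # steps 1-2
    saved_request = {"user": "UserB", "token": token}                # steps 3-4 (captured)
    svc.lists[list_id].restaurants.append("Shawarma Spot")           # UserA keeps editing
    svc.revoke("UserA", list_id, "UserB")                            # step 5
    handler = getattr(svc, handler_name)
    try:
        copy_id = handler(**saved_request)                           # step 7 (replay)
    except PermissionError:
        return False, svc.audit
    return True, svc.lists[copy_id].restaurants                      # step 8


if __name__ == "__main__":
    print("vulnerable:", replay_scenario("copy_list_vulnerable"))
    print("fixed:     ", replay_scenario("copy_list_fixed"))
```

The design point is that a grant is state, not an event: the decision to allow the copy has to be made by consulting the current share table at the moment the request arrives, and anything the client holds from earlier (a token, a session attribute, a cached permission) is only a hint about who is asking. Logging the denial as the fixed handler does is also what lets a defender notice a revoked user replaying old requests.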

Alhamdulillah, I retested the issue, confirmed it, and submitted my report.

Two days later, I received a response. I was at the mosque (it was Friday) when I got the reply. I had my laptop with me, so I quickly retested and sent a PoC.

The issue was triaged and rated as P4 (Low Severity).

“…After difficulty, Allah will soon grant relief.” Alhamdulillah.

Final Thoughts

Avoid burnout — sometimes stepping away helps.
What is meant for you will not pass you — tie your camel and trust in Allah.

Thank you for reading till the end. If you found it helpful, please show your support by clapping for this write-up.

For any suggestions, kindly reach out to me:

Twitter — callgh0st



Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/
