API Endpoint Revealed Transaction Details of Millions of Users
Today I will be talking about one of my findings, which revealed the transaction details of millions of users.
Let's begin by understanding what an API is.
API is an abbreviation of Application Programming Interface. In simple words, it is what one application uses to communicate with another application without sharing any system password with it.
So I was testing the application's payment system (of course, lol, I love to test them). While testing, I noticed that when I cancelled the transaction and intercepted the request via Burp, there was an API call in the request which handled the whole thing between their internal storage database and the normal web app. Another thing I noticed: whether I initiated, cancelled, or completed a transaction, they were creating a transaction ID for every payment request.
How I found this vulnerability
1. I refreshed my cancelled-transaction page and saw the API request in Burp. This endpoint was passing …
2. So what next? Yes, I removed that encoded part and sent a null value there. Aha, I got a 400 Bad Request, but there was a hint in the response: { Have to provide txn_id }. That hit my mind.
3. After that I changed GET /api/v1/txnstatus/?internal_txn_id=4a0174e87f6d45468efa8dc34657118a to GET /api/v1/txnstatus/?txn_id=randomdigit
All I got were users' bank account details, their mobile numbers, and some other non-beneficial details as well 😁
Impact:
They were using the numeric value of the transaction ID, alongside the encoded one, in another endpoint called api/v1/txnstatus/?txn_id, and because there was no authentication bearer on it I was able to retrieve millions of users' transaction details.
Mitigation they applied:
Implemented JWT bearer authentication on their API endpoints related to payments.
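To make the two halves of this write-up concrete (the unauthenticated txn_id lookup from the steps above, and the bearer-token fix described here), the following is an added example, not code from the original post or from the affected application. It models the endpoint as plain Python functions taking a query dict and a headers dict, uses a constructed in-memory transaction table in place of the real database, and implements a minimal HS256 JSON Web Token with the standard library rather than a JWT library; the secret, record values and function names are all assumptions for the example.

```python
"""
Vulnerable vs hardened model of /api/v1/txnstatus/?txn_id=...
Added example; the table, secret and handler signatures are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side signing secret (stand-in for a real key store).
SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed records standing in for the internal transaction database.
# Sequential numeric ids are exactly what made the real endpoint enumerable.
TRANSACTIONS = {
    1001: {"owner": "alice", "bank_account": "****1234", "mobile": "+10000000001"},
    1002: {"owner": "bob",   "bank_account": "****5678", "mobile": "+10000000002"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(subject: str, ttl: int = 300, now=None) -> str:
    """Mint a compact HS256 JWT for `subject`; `now` is injectable for tests."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now=None):
    """Return the subject if the token is well-formed, correctly signed and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if int(payload.get("exp", 0)) <= now:
            return None
        return payload.get("sub")
    except (ValueError, TypeError, AttributeError):
        return None


def _parse_txn_id(query: dict):
    raw = query.get("txn_id")
    if raw is None or not str(raw).isdigit():
        return None
    return int(raw)


def txnstatus_vulnerable(query: dict):
    """The pattern from the post: any caller who guesses a numeric txn_id gets the record."""
    txn_id = _parse_txn_id(query)
    if txn_id is None:
        return 400, {"error": "Have to provide txn_id"}   # the hint the author saw
    record = TRANSACTIONS.get(txn_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {"txn_id": txn_id, "bank_account": record["bank_account"], "mobile": record["mobile"]}


def txnstatus_hardened(query: dict, headers: dict, now=None):
    """Bearer authentication (the fix the post describes) plus an ownership check."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    subject = verify_jwt(auth[len("Bearer "):], now=now)
    if subject is None:
        return 401, {"error": "invalid or expired token"}
    txn_id = _parse_txn_id(query)
    if txn_id is None:
        return 400, {"error": "Have to provide txn_id"}
    record = TRANSACTIONS.get(txn_id)
    # Object-level authorization: answer 404 for both absent and foreign records,
    # so the status code does not reveal which ids exist.
    if record is None or record["owner"] != subject:
        return 404, {"error": "not found"}
    return 200, {"txn_id": txn_id, "bank_account": record["bank_account"], "mobile": record["mobile"]}


if __name__ == "__main__":
    now = int(time.time())
    token = issue_jwt("alice", now=now)
    print("vulnerable, no auth:", txnstatus_vulnerable({"txn_id": "1002"}))
    print("hardened, no auth:  ", txnstatus_hardened({"txn_id": "1002"}, {}, now=now))
    print("hardened, alice/own:", txnstatus_hardened({"txn_id": "1001"}, {"Authorization": "Bearer " + token}, now=now))
    print("hardened, alice/bob:", txnstatus_hardened({"txn_id": "1002"}, {"Authorization": "Bearer " + token}, now=now))
```

The point worth taking from the hardened handler is that bearer authentication alone only tells the server who is asking; the `record["owner"] != subject` comparison is what stops a logged-in user from walking other people's sequential ids, and replacing guessable numeric ids with random ones (as the `internal_txn_id` form already was) reduces the blast radius further if either check is ever misconfigured.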
Thank you :)
I hope you enjoyed reading along with your cup of coffee.
Let's connect on Twitter:
https://mobile.twitter.com/aadesh_namdevv