How I earned 6000$ from tokens and scopes in one day

Corraldev, published in InfoSec Write-ups, Aug 26, 2021 (2 min read)

I don’t do bug bounties very often because it’s very hard to find something interesting and to be the first reporter… but the other day was different.

I opened my email and saw an invitation to a private HackerOne program. I took a look at it and the bounties were attractive, so I said why not?

FIRST STAGE (Recon)

The scope was very small, only two hosts:

api.company.com

app.company.com

I created an account and started sniffing my traffic with Burp. A first look revealed that they were using Auth0 for authentication, Express.js for the web app and JWTs for sessions.

The first thing I tried was changing the JWT alg to none and then impersonating an employee, but that was too obvious: an error message said that none is not a valid algorithm.

One feature of the application is that you can invite users to a group and then change their account’s privileges/scopes.

At that point I was very focused on gaining privileges and escalating my account to employee. After reading thousands of lines of JavaScript code I realized that there were some scopes that did not appear in the edit user privileges menu…

SECOND STAGE (Gain privileges)

I found 2 interesting scopes: company:support and company:operations

Their names told me that those scopes were reserved for employees, so the first thing I tried was: invite another user into the group and then change their scopes to the employee ones.

Kids’ stuff… Intercept the request with Burp and spoof the scopes parameter. 200 OK from the server. At that point I could already have received a bounty, but I wanted more…

THIRD STAGE (Confirm it)

Now we had an account with employee privileges, but the application looked the same: no changes, no admin actions. So back to recon again.

Inside the JavaScript library were API references to a service that I hadn’t seen before, and a comment below it said something like: service for employees operations 🥳

So what did I try? You guessed right: send a request to that API reference and cross my fingers for a 200 OK.

At this point I confirmed the privilege escalation.

Reported to the program: CVSS 3.1 score of 9.9 and a bounty of 3000$.

Wait! You said 6000$?

There was another feature: you can create API keys for your account… and assign scopes to them! 🤭🤭🤭

Intercept the API key generation request, spoof the scopes parameter with the employee ones, and done! Another CVSS 3.1 9.9 and 3000$.
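Both bugs above are the same missing control: the server persisted whatever the client put in the scopes parameter, on the group member privilege request and on the API key creation request alike. The example below is added here and is not the author's or the program's code. It shows the server-side guard an Express.js backend would need: the requested scopes are checked against what the acting user is allowed to grant, taken from the server's own user record rather than from the request. The scope names company:support and company:operations come from the write-up; the route shapes, the req/res layout, the assumption that a user may only delegate scopes they themselves hold, and the sample users are constructed for this example.

```javascript
// Added example (not the write-up's code): server-side validation of a
// client-supplied scopes parameter for Express.js-style handlers.

// Scopes reserved for employees (names from the write-up). A non-employee may
// never assign these to another user, to themselves, or to an API key.
const EMPLOYEE_ONLY_SCOPES = new Set(["company:support", "company:operations"]);

// Scopes the acting user is allowed to hand out. Assumption: you can only
// delegate scopes you hold yourself, and employee-only scopes only if the
// server-side record (not the request) marks you as an employee.
function assignableScopes(actor) {
  const allowed = new Set(actor.scopes);
  if (!actor.isEmployee) {
    for (const s of EMPLOYEE_ONLY_SCOPES) allowed.delete(s);
  }
  return allowed;
}

// Validate a client-supplied scopes array. Returns {ok: true, scopes} or
// {ok: false, rejected} listing every scope the actor may not grant. The
// whole request is refused rather than silently trimmed, so the attempt
// is visible to the caller and in the logs.
function validateScopeRequest(actor, requested) {
  if (!Array.isArray(requested) || !requested.every((s) => typeof s === "string")) {
    return { ok: false, rejected: ["<malformed scopes parameter>"] };
  }
  const allowed = assignableScopes(actor);
  const rejected = requested.filter((s) => !allowed.has(s));
  if (rejected.length > 0) return { ok: false, rejected };
  return { ok: true, scopes: [...new Set(requested)] };
}

// Express-style handler factory. One guard serves both the member-privilege
// route and the API-key route; persist(req, scopes) stores the validated
// scopes. req.user is assumed to be set by the JWT/Auth0 middleware from the
// server's own user record, never from request parameters.
function scopeAssignmentHandler(persist) {
  return (req, res) => {
    const actor = req.user;
    const result = validateScopeRequest(actor, req.body && req.body.scopes);
    if (!result.ok) {
      // A non-employee asking for employee scopes is exactly the request in
      // the write-up; log it so it can be alerted on.
      console.warn(`scope escalation attempt: actor=${actor.id} rejected=${result.rejected.join(",")}`);
      return res.status(403).json({ error: "scope not assignable", rejected: result.rejected });
    }
    persist(req, result.scopes);
    return res.status(200).json({ scopes: result.scopes });
  };
}

// Minimal stand-in for an Express response so the handler runs without
// the framework installed.
function fakeRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Replay the two requests from the write-up, plus a legitimate one, against
// the guarded handler. Actor and requests are constructed sample data.
function demo() {
  const store = {};
  const handler = scopeAssignmentHandler((req, scopes) => { store[req.params.target] = scopes; });
  const regularUser = { id: "u-123", isEmployee: false, scopes: ["group:read", "group:invite"] };

  // 1. Edit an invited member's privileges, asking for an employee scope.
  const r1 = fakeRes();
  handler({ user: regularUser, params: { target: "u-456" },
            body: { scopes: ["group:read", "company:support"] } }, r1);

  // 2. Create an API key carrying an employee scope.
  const r2 = fakeRes();
  handler({ user: regularUser, params: { target: "apikey-1" },
            body: { scopes: ["company:operations"] } }, r2);

  // 3. A request for a scope the user actually holds stays allowed.
  const r3 = fakeRes();
  handler({ user: regularUser, params: { target: "u-456" },
            body: { scopes: ["group:read"] } }, r3);

  return { r1: r1.statusCode, r2: r2.statusCode, r3: r3.statusCode, store };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Running the block prints 403 for the two spoofed requests and 200 for the legitimate one, with only the legitimate scopes reaching the store. The 403 log line is the detection hook: a non-employee account requesting company:support or company:operations on either route is the signal a SOC would alert on.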
