This article discusses the discovery of a logic flaw in a bug bounty program, specifically involving unauthorized list access due to a Failure to Invalidate Session on Permission Change. The flaw allowed users to access resources even after access revocation. The author emphasizes the importance of responsible disclosure and shares personal reflections on the experience.
Affected: bug bounty program, website and app users, sensitive resources
Key points:
- Author found a bug in a bug bounty program referred to as gaza.com.
- The target allows users to book restaurant reservations and share favorite restaurant lists.
- All IDs in the system were in UUID format.
- The bug involves Failure to Invalidate Session on Permission Change.
- Unauthorized users could still access lists even after permissions were revoked.
- Steps to reproduce the issue were detailed, involving two users: UserA and UserB.
- The issue was confirmed, triaged, and rated as P4 (Low Severity) by the program.
- The author emphasizes the importance of avoiding burnout and maintaining faith during challenges.
MITRE Techniques:
- Identification of Vulnerability (ID: T1203) – UserB exploited the logic flaw in the permission system to gain unauthorized access.
- Replay Attack (ID: T1203) – UserB exploited the saved request in Burp Suite after permissions were revoked, allowing unauthorized access to the list.
Indicators of Compromise:
- URLs: https://gaza.com/list/UUID
Full Story: https://infosecwriteups.com/a-logical-bug-that-slipped-through-792b90850e72?source=rss—-7b722bfd1b8d—4