Response Manipulation: Got 200K+ PII Records (Can Give Up to a $4000+ Bounty)

ShuttlerTech
2 min read · Feb 27, 2023


Privilege escalation to the admin dashboard, leading to account takeover and PII access: how it happened, and how a low-severity finding was turned into a critical one. Let's learn.

Hello, hunters. I know you are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, keep learning, and never deceive yourself. If you follow these three mantras, you will undoubtedly succeed.

Steps To Reproduce:

  1. I created a basic user account and noticed one endpoint that caught my eye: /api/v1/session.
  2. A cookie named "frontend" also existed, and its value was "2".
  3. When I changed its value from "2" to "1", the application changed behaviour and started calling the v1 API instead.
  4. I then tried to modify the user's own information, such as email and name.
  5. The v1 endpoint returns more data than the v3 endpoint, including two extra parameters: "roles" and "abilities".
  6. I went through the JS files to recover the list of roles and abilities, and found some of them, including 10 abilities (for example users.view and documents.read).
  7. I changed the values of "roles" and "abilities" and forwarded the request.
  8. I found myself in the admin dashboard, with all of the admin's roles and abilities (even though the response still said admin:false).
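To make the failure concrete, here is an added illustration (not the target application's code, and not from the original write-up): a legacy v1 profile-update handler that copies whatever JSON keys the client sends onto the user record, beside a v3 handler that allow-lists the fields a user may change about themselves, with the "frontend" cookie choosing between them. The field names roles, abilities and admin and the abilities users.view and documents.read come from the steps above; the user record, the remaining ability strings, the allow-list policy and the cookie-to-version mapping are assumptions.

```python
"""Mass assignment of privilege attributes on a profile-update endpoint.

Added example modelled on the write-up above; not the target's code.
Names taken from the write-up: 'roles', 'abilities', 'admin', 'users.view',
'documents.read', the 'frontend' cookie. Everything else is assumed.
"""
import copy

# Constructed sample user record (not real data).
SEED_USERS = {
    "alice": {
        "email": "alice@example.com",
        "name": "Alice",
        "roles": ["user"],
        "abilities": ["documents.read"],
        "admin": False,
    }
}

# users.view and documents.read are from the write-up; the rest are assumed.
ADMIN_ABILITIES = ["users.view", "users.edit", "documents.read", "documents.delete"]

# Fields a user may change about themselves (assumed policy).
SELF_EDITABLE = {"email", "name"}


def v1_update_profile(db, username, body):
    """Legacy handler with the bug described above: every key in the client
    JSON is copied onto the stored record, so 'roles' and 'abilities' are
    mass-assignable by the caller."""
    user = db[username]
    user.update(body)
    return user


def v3_update_profile(db, username, body):
    """Hardened handler: only allow-listed keys are written; privilege
    attributes can never come from the request body. Returns the record and
    the keys that were refused, so the caller can log or reject them."""
    user = db[username]
    refused = sorted(set(body) - SELF_EDITABLE)
    for key in SELF_EDITABLE & set(body):
        user[key] = body[key]
    return user, refused


def update_profile(db, username, body, frontend_cookie):
    """Dispatcher modelled on the 'frontend' cookie: value '1' routes to the
    legacy v1 handler, anything else to v3 (assumed mapping). A client-chosen
    cookie selecting the API version is what keeps the old bug reachable."""
    if frontend_cookie == "1":
        return v1_update_profile(db, username, body), []
    return v3_update_profile(db, username, body)


def has_ability(user, ability):
    """Authorization as the dashboard evidently does it: it consults
    'abilities', not the 'admin' flag, which is why the write-up got in
    with admin:false still set."""
    return ability in user.get("abilities", [])


def run_attack(frontend_cookie):
    """Send the privilege-escalating body through the chosen API version and
    report what the attacker ends up with."""
    db = copy.deepcopy(SEED_USERS)
    body = {"name": "Alice", "roles": ["admin"], "abilities": list(ADMIN_ABILITIES)}
    user, refused = update_profile(db, "alice", body, frontend_cookie)
    return {
        "can_view_users": has_ability(user, "users.view"),
        "roles": user["roles"],
        "admin_flag": user["admin"],
        "refused_keys": refused,
    }


if __name__ == "__main__":
    print("frontend=1 (v1):", run_attack("1"))
    print("frontend=2 (v3):", run_attack("2"))
```

Run it and the v1 path hands back a record whose abilities include users.view while admin is still false, which is exactly why a dashboard keyed on abilities rather than on the admin flag lets the account in. The v3 path writes only name and reports roles and abilities as refused keys. Note that the fix is the allow-list on the server, not a check on the admin flag, and that a hardened v3 is worthless while the cookie-selected v1 route stays live; retiring the legacy version is part of the fix.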

Some useful tips:
A good rule of thumb: always check whether a lower version of the web application's API is still reachable, read the JS files for additional endpoints and for hints about your target (role and ability names, feature flags), and confirm whether there are roles or features that are supposed to be available only to administrators.
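Step 6 above and the tip about reading JS files both come down to the same chore: pull the ability identifiers and the versioned API paths out of the front-end bundle, then derive the lower-version paths worth probing. Here is an added helper that does that offline (not from the original write-up). The bundle excerpt is constructed to look like what the write-up describes; the regexes are heuristics and will need widening for other naming conventions.

```python
"""Harvest ability strings and versioned API paths from a JS bundle, then
derive lower-version paths to probe for a still-live legacy API.

Added example; not the target's code. SAMPLE_BUNDLE is constructed.
"""
import re

# Constructed excerpt in the shape the write-up describes (ability strings and
# versioned API paths embedded in front-end JS). Not the target's bundle.
SAMPLE_BUNDLE = r"""
const ABILITIES={USERS_VIEW:"users.view",DOC_READ:"documents.read",DOC_DELETE:"documents.delete"};
function can(u,a){return u.abilities.includes(a)}
api.get("/api/v3/session");api.put("/api/v3/users/"+id,payload);
if(document.cookie.includes("frontend=1")){api.get("/api/v1/session")}
"""

# Dotted lowercase identifiers such as users.view (heuristic; widen as needed).
ABILITY_RE = re.compile(r'"([a-z]+(?:\.[a-z_]+)+)"')
# String literals that start with a versioned API prefix; captures the version.
PATH_RE = re.compile(r'"(/api/v(\d+)/[^"]*)"')


def extract_abilities(js):
    """Unique ability-like strings found in the bundle, sorted."""
    return sorted(set(ABILITY_RE.findall(js)))


def extract_api_paths(js):
    """Unique (path, version) pairs for versioned API paths in the bundle."""
    return sorted({(path, int(ver)) for path, ver in PATH_RE.findall(js)})


def lower_version_candidates(js):
    """For every versioned path seen, the same path at each lower version.
    These are the URLs to probe (e.g. with curl, with a normal user's
    session) for an old endpoint that still answers and leaks extra fields."""
    candidates = set()
    for path, ver in extract_api_paths(js):
        for lower in range(1, ver):
            candidates.add(path.replace(f"/api/v{ver}/", f"/api/v{lower}/", 1))
    return sorted(candidates)


if __name__ == "__main__":
    print("abilities:", extract_abilities(SAMPLE_BUNDLE))
    print("versioned paths:", extract_api_paths(SAMPLE_BUNDLE))
    print("lower-version candidates:", lower_version_candidates(SAMPLE_BUNDLE))
```

Feed it a real bundle (fetch the JS the page loads, concatenate, pass the text in) and diff the ability list against what your own session returns; any ability the bundle knows about but your account lacks is a candidate for the roles/abilities manipulation above. Probe the lower-version candidates with your ordinary session cookie and compare response bodies between versions; extra fields in the older one are the signal the write-up relied on.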

Thank you for reading! I hope you picked up a few tricks.

Subscribe to the Shuttlertech YouTube channel for more content like this and to watch live POCs. To advance your career, connect with me 1:1 on topmate.
I promise to keep writing interesting, knowledge-sharing write-ups; to encourage me, follow me on Medium and click the clap icon.

Source of this writeup: mehdisadir Twitter.

Disclaimer: My write-ups come from my own work and sometimes from different learning platforms. Do not use this methodology without the consent of the company concerned. I am sharing this for learning purposes only.


ShuttlerTech: Senior Cyber Security Analyst | YouTuber | Freelancer | Cyber Security Trainer | Penetration Tester | Cyber Forensics Investigator