#Bugbounty “How I was able to get 200$ in less than five minutes” —No Rate Limitation.

Let me thank all the bug bounty hunters over there who are creating great content and inspiring a lot of people like me.

Thank You, community folks, @akhilreni_hs @stokfredik @hakluke @farah_hawa01 @dhakal_ananda @adityashende17 @bugcrowd @rakesh_3895

Hello Everyone,

Welcome to another blog.

To people who don’t know me myself Ganesh, I am a security analyst at WesecureApp and a Part-time bug bounty hunter at Bugcrowd.

User Enumeration:
User Enumeration is a process of enumerating the list of valid users of application where this information helps an attacker to perform brute force against valid user names. The user enumeration vulnerability is made possible when an application shows different error messages which help in evaluating the valid users.

Rate Limitation:
A brute force attack can manifest in mainly different ways but primarily consist of an attacker configuring predetermined values, making requests to the server using those values, and then analyzing the responses. The attack takes advantage of the fact the entropy of the value is similar to perceive.

Attack Scenario:

This particular application functionality is to deal with groceries. So randomly I have navigated to the login page and Entered my mobile number and Captured the using burp proxy and I have observed the application response it reflecting my mobile number along with the “uid” value in plain text.

According to Business Requirement:

This particular UID value is very much important to the company. Using this I will be able to gather your information and I have also observed there’s no rate limitation present over that particular request. I did a brute-force attack using Indian mobile numbers. (Basically, Indian mobile numbers consist of 10 digits, right? I brute-forced the last 4 numerical numbers was able to list out all their UID).

Proof of concept:

Bruteforced

Bounty Rewarded:

Bounty

Mitigation:
Make sure to Implement Rate limitation in place and mask “uid” value as well.

Thanks for reading my blog.

Follow me at twitter.com/ganiganeshss79

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store