#Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$
Let me thank all the bug bounty hunters out there who are creating great content and inspiring a lot of people like me.
Thank you, community folks: @akhilreni_hs @stokfredik @hakluke @farah_hawa01 @dhakal_ananda @adityashende17 @bugcrowd @rakesh_3895
I am Ganesh, a security analyst at WesecureApp and a part-time bug bounty hunter. I recently got an invite to a private program for a travel application.
The application allows users to book hotels and flights. Once a user fills in the necessary information, they are redirected to the payment gateway, where there are a couple of options to complete the payment. I selected the credit card option and captured the request using Burp Proxy.
I observed that the application redirects to “*redacted.com”. Out of curiosity I tried changing every value in the request body parameters; when I brute-forced the “req_reference_number” parameter, I was able to list other users' payments.
Lucky me :)
I was able to view other users' sensitive information such as social security numbers, passport numbers, names, and valid ticket IDs.
Though it's a P1 issue, the team has listed it as P2 :)
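To show the root cause from the defender's side, here is an added example (not code from the application or this post) of a payment lookup keyed on req_reference_number, first without and then with an ownership check. The handler names, the in-memory PAYMENTS table and the session user names are all constructed for this illustration.

```python
# Constructed sample "payments" table: reference number -> record.
# Sequential references are what make blind enumeration practical.
PAYMENTS = {
    "1000001": {"owner": "alice", "name": "Alice A.", "passport": "P111"},
    "1000002": {"owner": "bob", "name": "Bob B.", "passport": "P222"},
    "1000003": {"owner": "carol", "name": "Carol C.", "passport": "P333"},
}


class NotFound(Exception):
    """Raised for a reference the caller is not allowed to see."""


def get_payment_vulnerable(session_user, req_reference_number):
    """IDOR: the record is selected by the client-supplied reference only.
    Any authenticated user can walk the reference space and read every
    other user's payment details; session_user is never consulted."""
    record = PAYMENTS.get(req_reference_number)
    if record is None:
        raise NotFound("payment not found")
    return record


def get_payment_fixed(session_user, req_reference_number):
    """Fix: bind the lookup to the authenticated user.  A reference that
    exists but belongs to someone else gets the same 'not found' response
    as a missing one, so the endpoint does not confirm valid references."""
    record = PAYMENTS.get(req_reference_number)
    if record is None or record["owner"] != session_user:
        raise NotFound("payment not found")
    return record


def foreign_records_exposed(handler, session_user, start, count):
    """Authorization regression check: sweep `count` sequential references
    as `session_user` and return the owners of any records that belong
    to someone else.  A correct handler returns an empty list."""
    exposed = []
    for ref in range(start, start + count):
        try:
            record = handler(session_user, str(ref))
        except NotFound:
            continue
        if record["owner"] != session_user:
            exposed.append(record["owner"])
    return exposed
```

Run as part of an authorization test suite, foreign_records_exposed should be empty for every endpoint that takes a user-supplied object identifier.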
Thanks for reading my blog :)
Twitter : ganiganeshss79