Hey Readers 👋, hope you are doing great.
This is my 8th writeup, and I will show step by step how I was able to bypass bank verification and fully verify my account from the attacker's side without any involvement of the support/review team. I found this on one of the popular cryptocurrency/blockchain-related organizations.
Let's first jump into the cause.
So, basically, the vulnerability arises due to improper handling or API misconfiguration of sensitive request parameters, which leads to Broken Object Level Authorisation.
It arises when the server-side outcome of a sensitive validation depends on client-side input in the request.
In lots of applications, you must first verify your bank, KYC, or other details to access further application resources; in other words, you must be verified before the application lets you use money transactions, like the one shown below.
Similar to this, there can be other forms of verifying your identity, like your country's identity card (the Aadhaar card in the case of India) or a driving licence.
Now, I just filled in the form with random details, and this is what the "under review" status looks like:
Now, what if we bypass this to get verified from our side?
Let's see step by step.
Now, while filling in the form, capture the request; the request body looks like the screenshot below. You can further make use of the Repeater tab to analyze requests and responses.
Here the API endpoint looks like api/v1/add/bank.
After lots of observation and checks, I found that only the request parameter "bankVerificationStatus" is responsible for deciding whether our bank is under review/verification or verified,
and changing the parameter's value is reflected in the server's response as well. This means the server-side validation depends on client-side input in the request.
Then, for the parameter bankVerificationStatus, I observed the following
if I update:
bankVerificationStatus: 1 → 0 (means the team or support got our response)
bankVerificationStatus: 1 → 2 (bank got verified permanently)
And the server response for a verified bank looks like:
This way I bypassed one of the important sensitive validations.
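To make the root cause concrete, here is an added example (not code from the writeup or from the affected organization) that models the api/v1/add/bank handler twice: first trusting the client-supplied bankVerificationStatus the way the vulnerable API did, then hardened so the status is assigned only server-side and only the review team can change it. The status values 1 (under review) and 2 (verified) follow the writeup; the other field names and the reviewer role are assumptions.

```python
# Added example, not the original writeup's code. Models the bank-add handler
# with and without trusting the client-supplied bankVerificationStatus.
# Status values follow the writeup: 1 = under review, 2 = verified.
UNDER_REVIEW = 1
VERIFIED = 2

# Fields the client may legitimately set when adding a bank (assumed schema).
CLIENT_WRITABLE = {"accountHolder", "accountNumber", "ifsc"}


def add_bank_vulnerable(db: dict, user_id: str, body: dict) -> dict:
    """Mass-assigns every key from the request body into the stored record,
    so a client that sends bankVerificationStatus=2 is stored as verified
    without any review step."""
    record = dict(body)  # trusts the whole body, privileged keys included
    record.setdefault("bankVerificationStatus", UNDER_REVIEW)
    db[user_id] = record
    return record


def add_bank_hardened(db: dict, user_id: str, body: dict) -> dict:
    """Copies only allow-listed fields and assigns the status server-side.
    Unexpected keys are rejected rather than silently dropped, so tampering
    attempts surface as 4xx errors in the API logs."""
    extra = set(body) - CLIENT_WRITABLE
    if extra:
        raise ValueError(f"unexpected fields in request: {sorted(extra)}")
    record = {k: body[k] for k in CLIENT_WRITABLE if k in body}
    record["bankVerificationStatus"] = UNDER_REVIEW  # never taken from the client
    db[user_id] = record
    return record


def mark_verified_by_reviewer(db: dict, user_id: str, actor_role: str) -> dict:
    """The only path to VERIFIED: a separate, reviewer-only operation.
    The account owner cannot reach it regardless of the request body."""
    if actor_role != "compliance_reviewer":  # assumed role name
        raise PermissionError("only the review team can change verification status")
    db[user_id]["bankVerificationStatus"] = VERIFIED
    return db[user_id]


if __name__ == "__main__":
    # Constructed request body carrying the tampered parameter from the writeup.
    tampered = {"accountHolder": "A. User", "accountNumber": "000111222",
                "ifsc": "ABCD0001234", "bankVerificationStatus": VERIFIED}
    print("vulnerable:", add_bank_vulnerable({}, "u1", tampered)["bankVerificationStatus"])
    try:
        add_bank_hardened({}, "u1", tampered)
    except ValueError as e:
        print("hardened rejected:", e)
```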
Thanks for reading the writeup.
Hope you like it 😁✌️.
Subscribe to my YouTube channel for bug-hunting-related stuff: redirect _poc
You can follow me on Instagram varmaanu001
Follow me on LinkedIn: my_linkedin
Buy me a coffee 😍: here