I recently found my first vulnerability in the wild. The vulnerability was a P1 and all I had to do was turn a 0 into a 1.
The app was one that I used multiple times a week. I knew someone who worked with it a lot, and he was friends with the founder of the app. I was told that it was very secure, but I realized it was only because no one knew how to intercept the app to see any HTTP request. I immediately went to set up Burp to proxy my Android device, but because of limitations, I had to use an emulator, and I decided to write a guide shortly after submitting my report.
After figuring out how to get the emulator working (which took longer than finding the vulnerability), I started to use the app as I normally would, reading all the HTTP history in Burp.
Shortly after, I noticed that one of the requests had a weird parameter, `ref_type=0`, and after some testing, it was basically the difference between interacting with it as an admin and not as an admin. There were a few acceptable inputs and they all had different funky reactions.
But turning the initial 0 to 1 would basically give you full access to the request you were making. So you would be able to easily write a script that can delete almost all sessions with the new admin permissions.
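The bug class described above, as an added example that is not the app's code or the author's: a minimal "delete session" handler that trusts a client-supplied `ref_type` parameter, next to a hardened version that derives the role from the authenticated user. The user records, session store, and the meaning of `ref_type=1` are constructed assumptions modelled on the story.

```python
# Added example (not the article's code): a minimal "delete session" endpoint
# showing the bug class the post describes. ref_type=1 meaning "admin" is an
# assumption modelled on the story, not the real app's API.

# Constructed sample data: server-side user records and active sessions.
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "user"},
}
SESSIONS = {
    "s-1": {"owner": "alice"},
    "s-2": {"owner": "bob"},
    "s-3": {"owner": "carol"},
}


def is_admin_from_request(request):
    """Vulnerable: trusts the client-supplied ref_type parameter ('1' == admin)."""
    return request["params"].get("ref_type") == "1"


def is_admin_from_user(request):
    """Hardened: derives the role from the authenticated user, never from params."""
    user = USERS.get(request["auth_user"])
    return user is not None and user["role"] == "admin"


def delete_session(request, sessions, is_admin):
    """Delete the target session; non-admins may only delete their own.
    Returns (status_code, sorted remaining session ids); never mutates `sessions`."""
    target = request["params"].get("session_id")
    if target not in sessions:
        return 404, sorted(sessions)
    owner = sessions[target]["owner"]
    if not (is_admin(request) or owner == request["auth_user"]):
        return 403, sorted(sessions)
    remaining = {k: v for k, v in sessions.items() if k != target}
    return 200, sorted(remaining)


def tampered_request():
    """Constructed: bob (a normal user) flips ref_type from 0 to 1 and
    targets a session he does not own."""
    return {"auth_user": "bob", "params": {"ref_type": "1", "session_id": "s-3"}}


if __name__ == "__main__":
    print("vulnerable:", delete_session(tampered_request(), SESSIONS, is_admin_from_request))
    print("hardened:  ", delete_session(tampered_request(), SESSIONS, is_admin_from_user))
```

The vulnerable variant returns 200 and drops carol's session for a plain user who only changed one digit; the hardened variant returns 403 because the role check never consults the request.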
I think it’s important to get permission before you start hacking. Not all companies are happy to have someone ethically try to hack them, as they think that on the flip of a switch we might go nuclear.
I screen-recorded myself while reproducing the vulnerability and sent them an in-depth report on how to reproduce it. I let them know the possible things a malicious actor could do, and they went to fix it immediately.
My Twitter: https://twitter.com/adamjsturge
If you enjoy reading stories like these and want to support me as a writer, consider signing up to become a Medium member. It’s $5 a month, giving you unlimited access to thousands of articles, including mine. If you sign up using my link, I’ll earn a small commission at no extra cost to you.