Recently, while hunting on a private bug bounty program, I got full access to the target's Auth0 Management API. This was my first comeback vuln/bounty after taking a pause from bug bounty hunting.
The target was a staging environment for which I had been assigned some credentials. Let's assume the target was `stage.application.hunt`. It was a basic SPA built with React, and the backend, I believe, was Node.js.
The very first thing I did after I was invited to the program was
After tapping all the buttons and visiting every page in the application, I switched to Burp Suite to analyze the traffic. After some dead ends, I found a `PATCH` request to `/api/path/data` that carried the language preference in the request body, as shown in the image below.
I tried some basic fuzzing on this endpoint, by which I mean
and every time I got a `500 Internal Server Error` 😞, just like in the image below.
As I was about to move on to other endpoints, as a final attempt I tried an empty JSON object `{}`, and it returned an error message 👀
After properly formatting the error, I saw that it contained an Authorization header with `Bearer eyJxxxx`. It also contained the address the request was being sent to: `https://application.us.auth0.com/api/v2/users/auth0|652xx`. Searching for this endpoint on Google led me to the Auth0 Management API docs, specifically https://auth0.com/docs/api/management/v2/users/patch-users-by-id. After entering the token in the docs page, it showed all the permissions available to that token.
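To see what a leaked Management API token grants, the token can also be decoded locally rather than pasted into the docs page. Auth0 Management API tokens are JWTs whose payload carries `aud` (the API the token is for) and `scope` (a space-separated list of granted permissions). The following Node.js snippet is an added example, not code from the original post: it reads those claims from a constructed sample token. The tenant name, client id, scopes and timestamps in the sample are made up for illustration, and no signature check is performed because the token is only being inspected, not trusted.

```javascript
// Added example (not from the original post): reading the claims of a leaked
// Auth0 Management API access token. The payload's `aud` names the API and
// `scope` lists the granted permissions, so decoding it tells you what the
// backend's token can do before you send a single request with it. No
// signature verification is done here: we only inspect a token we hold.

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; turn them back into standard base64.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Summarise audience, scopes and remaining lifetime of a Management API token.
function summarizeManagementToken(token, now = Math.floor(Date.now() / 1000)) {
  const { payload } = decodeJwt(token);
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : [];
  const hasExp = typeof payload.exp === 'number';
  return {
    issuer: payload.iss,
    subject: payload.sub,
    audiences,
    // Management API v2 tokens are issued for https://<tenant>/api/v2/
    isManagementApi: audiences.some((a) => typeof a === 'string' && a.endsWith('/api/v2/')),
    scopes,
    // Scopes that let the holder change tenant state, not just read it.
    writeScopes: scopes.filter((s) => /^(create|update|delete):/.test(s)),
    expired: hasExp ? payload.exp <= now : false,
    secondsRemaining: hasExp ? payload.exp - now : null,
  };
}

// Constructed sample token: the claims are made up for this example and the
// signature segment is a dummy, so this token would not verify anywhere.
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'RS256', typ: 'JWT', kid: 'example-kid' }),
  base64UrlEncode({
    iss: 'https://application.us.auth0.com/',
    sub: 'exampleclientid@clients',
    aud: 'https://application.us.auth0.com/api/v2/',
    iat: 1700000000,
    exp: 1700086400,
    scope: 'read:users update:users read:clients',
    gty: 'client-credentials',
  }),
  'dummy-signature',
].join('.');

console.log(summarizeManagementToken(SAMPLE_TOKEN, 1700000100));
```

The `writeScopes` list is the part that decides severity: `read:users` alone is a data exposure, while `update:users` or `create:users` means the holder can change tenant state.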
I tried fetching user data and other endpoints, such as listing users, listing applications, and updating users, and everything worked. Even though it was a staging application, it had around 300 users in it, most of them with [email protected] emails.
I immediately recorded a POC video using OBS, wrote a simple explanation, and submitted the report. The triage team accepted the report after a day and a half, asked for some more details about the impact, and then rewarded a $$$ bounty.
I think that in the backend the user's request body was first unmarshalled into an object, and that same object was used as the body of the request to the Management API to update the user's data. Earlier, when I sent invalid JSON, the request failed at the unmarshalling step and produced a bare 500. Sending an empty JSON object got past that step, the Management API rejected the empty payload with a 400, and the resulting client error, including the outbound request with its Authorization header, was serialised into the error response.
I am Tarun, a security researcher and Go developer from India. When I am not hunting for bugs, you will find me on GitHub adding features and fixing bugs in nuclei and other ProjectDiscovery tools.
Later on, I found a (sort of) privilege escalation vulnerability that was initially triaged as low severity, but with the above knowledge about the backend I exploited it into a critical severity report. I will share it in the next writeup. Until then, follow me on Twitter or Medium to be notified.