My Wife was looking for a job as a teacher. One day she told me that she needs this particular newspaper every Thursdays since a lot of job opportunities are published on it. She asked me to bring the news paper when I come back from the office. But that was a headache for me because I used to leave office only after 9 PM during those days. My wife was in an assumption that I was having heavy work load(that was what I told her). But actually after 7PM we were playing carom board at work. So I thought it would be good to access their e-paper instead buying the hard copy. When checked their website, I could find that they have started the subscription plans and we need to pay. Luckily, there was 7 days free trial and I quickly registered for it. The trial period will not allow us to browse the old contents. So I should pay and subscribe if I need the content of a specific date (last year for example). So I decided to test the application mainly because of three reasons

• I wanted to impress my wife (Yeah that’s true, I told her I can hack NASA with HTML and she believed) :|
• I didn’t want to leave the office early quitting the game and the fun just for buying this news paper
• I was curious about the security implementation of this regional news paper.

So after 7 days I started receiving an error that says my subscription period is over. I can easily register using another email address and use it again for another 7 days. But I was not interested in that as it won’t allow me to access the old contents.

As usual I started inspecting the network traffic. The application was built using the asp.net web framework. I noticed that, for each attempt to load any page of the e-paper, the application was sending a request to check my subscription plan, along with my authentication cookie. I forwarded the request to the burp repeater for further investigation. The request was as follows

As my trial period was already over, the response for the above request was

When this response was received I was treated with an error that says ‘Your trial period is over’. But you might have already noticed the important part in the response. Yes, there is a status field in the response which has a ‘false’ value. So, I again attempted accessing another page and the request was forwarded to the burp and this time I checked the option to intercept the response of this request. And when the response was received in the burp I changed the status value to ‘Yes’ and forwarded it to the browser.

And as expected I was able to bypass their validation and the e-paper was loaded. Once the ‘True’ status is received to the validation request, the application was sending request to another endpoint that would load the contents. There is an option to choose the date, edition and page number of the e-paper. Changing any of this value will be accompanied by a validation request. So I wrote a rule in the burp suite such that every response with content “{“Usertype”:2,”Status”:false,”message”:”Your trial period is over \u003ca” will be replaced by {“Usertype”:2,”Status”:true,”message”:”Your trial period is over \u003ca. I was then able to access the content irrespective of subscription and date.

They don’t have a bug bounty program but I decided to report the issue to their customer support. But they have not fixed it yet and never responded after the first acknowledgment.