How I earned $6000 from tokens and scopes in one day
2021-10-05 14:44:19 Author: infosecwriteups.com

Corraldev

I don't do bug bounty very often, because it's hard to find something interesting and to be the first to report it… but the other day was different.

I opened my email and saw an invitation to a private HackerOne program. I took a look at it, the bounties were attractive, so I said why not?

FIRST STAGE ( Recon )

The scope was very small, only two hosts:

api.company.com

app.company.com

I created an account and started proxying my traffic through Burp. A first look revealed that they were using Auth0 for authentication, Express.js for the web application and JWTs for sessions.

The first thing I tried was changing the JWT's alg header to none and impersonating an employee, but that was too obvious: the server answered with an error message saying that none is not a valid algorithm.

One feature of the application is that you can invite users to a group and then change their account's privileges/scopes.

At that point I was focused on gaining privileges and escalating my account to employee. After reading thousands of lines of JavaScript I realized that there were some scopes that do not appear in the edit-user-privileges menu…

SECOND STAGE ( Gain privileges )

I found two interesting scopes: company:support and company:operations

Their names suggested that those scopes were reserved for employees, so the first thing I tried was to invite another user into the group and then change their scopes to the employee ones.

Kids' stuff… Intercept the request with Burp and replace the scopes parameter with the employee scopes. 200 OK from the server: it accepted the client-supplied scopes without checking whether I was allowed to grant them. At that point I could already have claimed a bounty, but I wanted more…

THIRD STAGE ( Confirm it )

Now I had an account with employee scopes, but the application looked the same: no changes, no admin actions. The UI only shows what the front-end code decides to render, so that proves nothing either way; what matters is whether the API honours the new scopes. So, back to recon.

Inside a JavaScript library there were API references to a service I hadn't seen before, and a comment below it said something like: service for employee operations 🥳

So what did I try? You guessed right: send a request to that API endpoint from the escalated account and cross my fingers for a 200 OK.

It came back 200 OK, and that confirmed the privilege escalation: the employee-only service accepted a request from an account whose scopes I had assigned myself.

Reported to the program: CVSS 3.1 score 9.9 and a bounty of $3000.

Wait! You said $6000?

There was another feature: you can create API keys for your account … and assign scopes to them! 🤭🤭🤭

Intercept the API key generation request, spoof the scopes parameter with the employee scopes, and done! Same root cause, different endpoint: the scopes requested for a key were not checked against the scopes the requesting user was actually allowed to hold. Another CVSS 3.1 9.9 and $3000.


Source: https://infosecwriteups.com/how-did-i-earned-6000-from-tokens-and-scopes-in-one-day-12f95c6bf8aa?source=rss----7b722bfd1b8d--bug_bounty