Block surveys stats worth $$$$ Bounty
Hi All
My Name Abdelkader Mouaz People know me as(Hamzadzworm -.-)
Today i will share an interesting issue That i found At Hackerone Private Program and using it i was able to Block surveys stats of any other user. -.-
Intorduction:
i received a gmail notification about a private hackerone invite so i grab a cigarette with cup of coffee ,entered the website and start using it as a normal user
I Created a survey and enter it and answered questions
to check answer result there is a function called surveys stats
where you can find the answer you entered
everything was working normal untile i noticed that i can publish this survey and after that i could share it with other users
the issue is that you cant brute force or get survey link because it was long token so i keep digging more and more in the main domain of target using google dorks and all possible ways but nothing happened so i just passed collecting survey links and focused on finding an issue on it.
i go back and try to put a big payload in answer maybe it can make server overload but they have limited characters so it dosent worked so i keep checking for more and i intercepted request while sending answer and there was a parameter for answer and parameter for answer type
i try to manipulate the answer type with null/html/json and other payloads but non of them worked
i changed type to xml and there i got a different response with xml error
i didnt noticed anything different and survey link was was working normal
but after going back to check surveys stats i got a 500 error, i intercepted request with burpsuite checked response and there i noticed an xml error that blocked the stats page which mean i cant check answers of my surveys
i opened new account created another surveys and copied link to private browser where im not logged in and using same senareo changing type to xml the account admin couldnt check surveys stats and keep getting 500 error so he cant use surveys stats option at all
that was there reply:
they said it dosent have any impact for business and they updated it for low
because they was thinking it can only attack me or attack someone who gived me him survey link because i cant bruteforce.
Next Step:
I Decided to do subdomain enumeration and grab subdomains list even when they dont allow all subdomains to see if there is anything interesting can help me
after some time i found an interesting subdomain that leak’s Surveys via google dorks using it i was able to get about 20k Surveys
now its more interesting because i have leaked 20k Surveys link that i can block there stats by manipulate there answers type.
i added that to report and severity was updated for higher one again and result was:
i hope you enjoyed my write up and will be happy to share more if you are interesting :)