How to find (“Business_logics”) AND (”Broken Access Control”) Bugs !

Hello Awesome Hackers, I hope you all doing well!
My name is Mohamed Anani Or 0xM5awy.

In this Write-Up, we will talk about How to find (“Business_logics”) AND (”Broken Access Control”) Bugs !

First of all I want to tell you that Hacking is not about Automate, Recon and XSS only :) , There are many things that you can find and this including (“Business_logics”) and (“Broken_Access_Control”) and If you know me personally, you will know that I am only hacking for them because I love them, so I decided to tell you about my modest experience in how to find them and also I will give you examples to help you understand the subject

This is an example I found a private program. Unfortunately, it was a VDP, and this means that it does not pay for the bugs. It only gives you 7 points (But I worked on it for 4 days) + (3 hours in the day) and I was able to find some bugs represented in (“Business_logics”) AND (“Broken Access Control”).

1.The first bug was that there are 3 different types of subscriptions/plans and no one can change/edit it only the admin/owner of the team

So I found a way to do this with a lower role!.

2.The Second bug was that there are endpoints allow you to add your comment like facebook comment etc and you cant edit/delete the comments of other users even if you are the owner

So I found a way to do that.

3.The Third bug was that the Pro Plan not allowed you to create more than one map and if you want to create more than once you need to upgrade the plan!

So I found a way to do that.

4.The four bug was that only the admin/owner can (Duplicate) the maps and no one else can do that !

So I found a way to do this with a lower role!.

5.The fifth bug was that only the admin/owner can edit/rename/delete/etc the (customization)

So I found a way to do this with a lower role!.

6.The sixth bug was that only the admin/owner can edit/rename/delete/etc the (settings) of team

So I found a way to do this with a lower role!.

7.The seventh bug was that the admin/owner allowed/unallowed the insights feature and if the admin/owner make this feature off the viewer role cant send any insights

So I found a way to do that.

8.The eighth bug was that there a endpoint call (feature) and this endpoint the viewer role cannot access/read/see_it

So I found a way to do that.

All of these vulnerabilities do not belong to Recorn or Automation etc. But it belongs to you understanding the app/website and trying to do things the app/website doesn’t allow you to do like manipulating roles/plans etc. or trying to buy stuff without money and this is what we did in the last Write-Up you can read it here or try to Exploit Feature that the app/website give to you for free to get a bug as last Write-Up we made it you you can Read it here . This was the end of our writing today.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store