How to Find (“Business Logic”) AND (“Broken Access Control”) Bugs!
Hello Awesome Hackers, I hope you are all doing well!
My name is Mohamed Anani, or 0xM5awy.
In this write-up, we will talk about how to find (“Business Logic”) and (“Broken Access Control”) bugs!
First of all, I want to tell you that hacking is not only about automation, recon and XSS :) . There are many other things you can find, including (“Business Logic”) and (“Broken Access Control”) bugs. If you know me personally, you will know that I hunt only for these because I love them, so I decided to tell you about my modest experience in how to find them, and I will also give you examples to help you understand the subject.
This is an example from a private program I found. Unfortunately, it was a VDP, which means it does not pay for bugs; it only gives you 7 points (but I worked on it for 4 days, about 3 hours a day), and I was able to find several bugs falling under (“Business Logic”) and (“Broken Access Control”).
1. The first bug: there are 3 different types of subscriptions/plans, and no one can change/edit them except the admin/owner of the team. So I found a way to do this with a lower role!
2. The second bug: there are endpoints that allow you to add a comment, like a Facebook comment, and you can't edit/delete other users' comments, even if you are the owner. So I found a way to do that.
3. The third bug: the Pro plan does not allow you to create more than one map, and if you want to create more, you need to upgrade the plan! So I found a way to do that.
4. The fourth bug: only the admin/owner can (Duplicate) maps, and no one else can do that! So I found a way to do this with a lower role!
5. The fifth bug: only the admin/owner can edit/rename/delete/etc. the (customization). So I found a way to do this with a lower role!
6. The sixth bug: only the admin/owner can edit/rename/delete/etc. the team (settings). So I found a way to do this with a lower role!
7. The seventh bug: the admin/owner can enable/disable the insights feature, and if the admin/owner turns it off, the viewer role can't send any insights. So I found a way to do that.
8. The eighth bug: there is an endpoint called (feature) that the viewer role cannot access/read/see. So I found a way to do that.
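As an added defender-side example (not code from the write-up or from the program), here is a single server-side authorization gate that would have closed each of the eight findings above: every finding is a case where the client was trusted (a hidden button, a plan name, a role claim) instead of the server enforcing the rule. The role names, action names, plan names other than Pro, and the data model are assumptions; the one-map quota for the Pro plan comes from the write-up.

```python
from dataclasses import dataclass

# Constructed example (not from the write-up): a single server-side
# authorization gate covering the flaw classes listed above. Role names,
# plan names and the data model are assumptions; Pro = 1 map is from the text.
ADMIN_ROLES = {"owner", "admin"}
MAP_QUOTA = {"pro": 1, "enterprise": None}  # None = unlimited (assumed)
ADMIN_ONLY = {"change_plan", "duplicate_map", "edit_customization", "edit_settings"}

@dataclass
class Team:
    plan: str
    insights_enabled: bool = True
    map_count: int = 0

@dataclass
class User:
    id: int
    role: str  # "owner", "admin", "member" or "viewer"

def authorize(user, team, action, comment_author=None):
    """True only if `user` may perform `action`; a hidden UI button is not a check."""
    # Bugs 1, 4, 5, 6: plan changes, map duplication, customization and team
    # settings are restricted to owner/admin, regardless of what the client sends.
    if action in ADMIN_ONLY:
        return user.role in ADMIN_ROLES
    # Bug 2: only a comment's author may edit or delete it, not even the owner.
    if action in {"edit_comment", "delete_comment"}:
        return comment_author == user.id
    # Bug 3: the plan's map quota is checked on every create request.
    if action == "create_map":
        quota = MAP_QUOTA.get(team.plan, 0)
        return quota is None or team.map_count < quota
    # Bug 7: the admin's insights toggle gates the endpoint, not just the form.
    if action == "send_insight":
        return team.insights_enabled
    # Bug 8: the feature endpoint is not readable by the viewer role.
    if action == "read_feature":
        return user.role != "viewer"
    return False  # unknown action: deny by default

def handle(user, team, action, comment_author=None):
    """Endpoint skeleton: the gate runs before any state changes."""
    if not authorize(user, team, action, comment_author):
        return 403
    if action == "create_map":
        team.map_count += 1
    return 200
```

The point of routing every handler through one `authorize()` call is that a tester replaying an admin's request with a viewer's session gets a 403 from the server, not merely a missing button in the UI.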