JavaScript analysis leading to Admin portal access

I love hunting on small-scoped websites because I can be assured that I have seen every corner and analyzed every endpoint of that website.

The program had 2 scopes.

target.com and admin.target.com

Now, since the website had not provided any credentials for admin.target.com, I didn't have anything to test on that scope.

After hunting on target.com I found an endpoint named “meUser”.
As soon as I saw that, I felt that I had found something.

Now, the only way to know if there was an endpoint named “meAdmin” was by analyzing the target's JS file.

After downloading all the JS files I was manually going through them, and guess what.

I was right.

Now, reading the JS file, I found that this endpoint takes a JWT token value.

With no hope of success, I supplied the JWT token I got from “target.com”.

And guess what. I was wrong.

The endpoint was taking the JWT token from a non-privileged user and in response was giving me information like name, age, phone etc., and the mistake it made was that it provided me with another JWT token.

Hmmmm, interesting.

What could this token potentially mean?

I further analyzed the JS files and found a bunch of other endpoints like:
GetUser, GetLocation etc.

And all those endpoints were accessible from that token.
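
The server-side check whose absence is described above, as an added example that is not from the original post or the target's code: the admin-scope handler verifies the token and then checks that its claims actually authorize the admin scope before returning data or issuing a new token. HS256, the `aud` and `role` claim names, the handler shape and the sample tokens are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const b64url = (s) => Buffer.from(s).toString('base64url');

// Sign an HS256 JWT (used for the constructed samples and for issuing tokens).
function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Authentication only: pinned algorithm, signature and expiry. Returns claims or null.
function verifyJwt(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url'));
    claims = JSON.parse(Buffer.from(body, 'base64url'));
  } catch { return null; }
  if (!header || header.alg !== 'HS256') return null;
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims;
}

// Hypothetical meAdmin handler: authenticate, then authorize.
function meAdmin(token, secret) {
  const claims = verifyJwt(token, secret);
  if (!claims) return { status: 401 };
  // The step the write-up found missing: a valid user token is not an admin token.
  if (claims.aud !== 'admin.target.com' || claims.role !== 'admin') return { status: 403 };
  const exp = Math.floor(Date.now() / 1000) + 300;
  return { status: 200, token: signJwt({ sub: claims.sub, aud: claims.aud, role: 'admin', exp }, secret) };
}

// Constructed sample: a low-privilege token issued for target.com.
const DEMO_SECRET = 'constructed-demo-secret';
const demoExp = Math.floor(Date.now() / 1000) + 300;
const userToken = signJwt({ sub: 'u1', aud: 'target.com', role: 'user', exp: demoExp }, DEMO_SECRET);
console.log(meAdmin(userToken, DEMO_SECRET).status);
```

Signing admin-scope tokens with a different key from user-scope tokens gives a second barrier, since a user token then fails signature verification at the admin endpoint even if the claim check is forgotten.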

It was a really interesting and fun bug to exploit.

Thanks for reading :)

I hunt for bugs sometimes :)
