I love hunting on small-scoped websites because I can be sure that I have seen every corner and analyzed every endpoint of that website.
Program had 2 scopes.
target.com and admin.target.com
Now, since no credentials had been provided for admin.target.com, I didn't have anything to test on that scope.
After hunting on target.com I found an endpoint named “meUser”.
As soon as I saw that, I felt that I had found something.
Now, the only way to know if there was an endpoint named “meAdmin” was to analyze the target's JS files.
After downloading all the JS files I was manually going through them, and guess what.
I was right.
Now, reading the JS file, I found that this endpoint takes a JWT value.
With no hope of success I supplied the JWT I got from “target.com”.
and guess what. I was wrong.
The endpoint accepted the JWT of a non-privileged user and responded with information like name, age, phone, etc. The mistake it made was that the response also included another JWT.
What could this token potentially mean?
I further analyzed the JS files and found a bunch of other endpoints like:
and all those endpoints were accessible from that token.
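The root cause described above is an authorization check that stops at "is this token validly signed?" and never asks "was this token issued for this audience and this role?", plus a token re-issuance step that hands back more privilege than the caller presented. The following is an added example, not code from the original post or from the program's application: a minimal hand-rolled HS256 JWT (so it runs offline with the standard library only), the vulnerable `meAdmin`-style handler beside a hardened one that checks the `aud` and `role` claims before serving anything. The secret, the profile data, the claim names and the handler names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment would load this from a secret store.
SECRET = b"constructed-demo-secret"

# Constructed stand-in for the data the admin endpoint returned (name, age, phone).
ADMIN_PROFILE = {"name": "Admin Example", "age": 40, "phone": "000-000-0000"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT signer: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET) -> dict:
    """Check signature and expiry and return the claims. This is authentication
    only; it says nothing about what the caller is allowed to do."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired token")
    return claims


def issue_token(sub: str, role: str, aud: str, ttl: int = 3600) -> str:
    """Issue a token bound to one audience (target.com or admin.target.com) and one role."""
    return sign_token({"sub": sub, "role": role, "aud": aud, "exp": int(time.time()) + ttl})


def me_admin_vulnerable(token: str) -> dict:
    """The pattern from the write-up: any validly signed token is accepted, and the
    response mints a fresh token for the admin context regardless of who called."""
    claims = verify_token(token)
    elevated = issue_token(claims["sub"], "admin", "admin.target.com")
    return {"profile": ADMIN_PROFILE, "token": elevated}


def me_admin_hardened(token: str) -> dict:
    """Authorize on the claims, not just the signature: the token must have been
    issued for admin.target.com with the admin role, and a re-issued token carries
    exactly the caller's audience and role, never more."""
    claims = verify_token(token)
    if claims.get("aud") != "admin.target.com" or claims.get("role") != "admin":
        raise PermissionError("token is not valid for the admin API")
    refreshed = issue_token(claims["sub"], claims["role"], claims["aud"])
    return {"profile": ADMIN_PROFILE, "token": refreshed}


def demo() -> dict:
    """Replays the write-up: a target.com user token presented to both handlers."""
    user_token = issue_token("user-123", "user", "target.com")
    granted_role = verify_token(me_admin_vulnerable(user_token)["token"])["role"]
    try:
        me_admin_hardened(user_token)
        hardened = "allowed"
    except PermissionError:
        hardened = "forbidden"
    return {"vulnerable_grants_role": granted_role, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The design point is that signature verification and authorization are two separate checks. Binding tokens to an `aud` keeps a target.com token from being usable on admin.target.com even if the same signing key is shared, and deriving any re-issued token's claims from the presenting token (rather than from the endpoint's own context) removes the privilege-escalation step entirely.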
It was a really interesting and fun bug to exploit.
Thanks for reading :)