It's all about fuzzing!
Hi,
Hope you guys are doing well. It's been decades since I shared anything! Moving on, recently I came across a very interesting issue in a banking application. The application allowed a user to redeem the points he had earned by making transactions with his debit or credit card. It let the user do several things with those earned points, such as exchanging them for money or recharging metro cards.
As a penetration tester, whenever an application is assigned to me, the first thing I do is create two virtual test lists in my mind. One covers the standard bugs, and the other covers the business logic of the application, i.e. what the application actually deals with. The same happened here. And since this was a banking application, adding "Negative Points Redemption" to the test cases was more or less mandatory.
After initiating the points redemption process, I fired up Burp, intercepted the request and added a minus sign ("-") to the value of the points to be redeemed. The application responded with an error message stating "Kindly enter a valid amount!". Even after trying different types of encoding I was not able to bypass it. After spending some time on it, I realized that the application was using some kind of regex on the server to validate the user-supplied values. And as we all know, if it is not written properly, a regex can be easily bypassed. So there was still some hope left! Yay!!
Then I remembered that two months earlier a friend and colleague of mine, Lokesh, had exploited the same kind of issue. The bypass he used to fool the regex was to supply a value the regex was not expecting: [-2000xyz]. When the server-side regex received this value, it simply removed the letters from the entered value (since it was expecting numeric input from the user) and ended up passing the negative value on for processing.
Surprisingly, this payload did not work in my case. But I decided to go a little further and started fuzzing with different combinations of alphanumeric and special characters. At last I hit the jackpot when one of my values bypassed the application's regex. The value was ['-2000%abc]. Surprisingly, the single quote (') was necessary to fool the regex into accepting the negative value. And so I was able to redeem negative points; as a result, after each redemption the points in my account increased instead of decreasing.
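As an added illustration (constructed here, not the bank's code; the actual server-side regex is not known), the following Python contrasts the class of mistake described above, a "sanitize then parse" handler that strips unexpected characters and processes whatever is left, with a "validate then reject" handler that accepts only a positive integer literal and also enforces the balance check. It feeds in the payloads from the post; the toy sanitizer happens to let both of them through, whereas the real one only accepted the second.

```python
import re

# Constructed, illustrative server-side handlers (not the bank's real code).
# Each takes the raw "points" parameter string and returns the signed integer
# it would hand to the business logic, or None if the request is rejected.

def redeem_sanitize_then_parse(raw):
    """Flawed pattern: remove the characters the code 'does not expect' and
    parse whatever survives. The minus sign is never removed, so a negative
    amount reaches the ledger update."""
    cleaned = re.sub(r"[^0-9-]", "", raw)   # drops letters, quotes, '%', ...
    if not cleaned:
        return None
    try:
        return int(cleaned)
    except ValueError:
        return None

# Strictly positive integer, 1..9,999,999: no sign, no leading zero, no padding.
POINTS_RE = re.compile(r"[1-9][0-9]{0,6}")

def redeem_validate_then_parse(raw, balance):
    """Hardened pattern: the whole input must match the allowed grammar
    (fullmatch is anchored at both ends, so nothing can ride along before or
    after the digits); only then parse it, and still apply the business rule
    that you cannot redeem more points than you hold."""
    if POINTS_RE.fullmatch(raw) is None:
        return None
    points = int(raw)
    if points > balance:
        return None
    return points

def apply_redemption(balance, points):
    """Ledger update: with a negative 'points' value the balance goes UP,
    which is exactly the symptom observed in the post."""
    return balance - points

if __name__ == "__main__":
    for payload in ["2000", "-2000", "-2000xyz", "'-2000%abc"]:
        flawed = redeem_sanitize_then_parse(payload)
        fixed = redeem_validate_then_parse(payload, 5000)
        print(f"{payload!r:14} flawed -> {flawed!s:6} hardened -> {fixed}")
```

Running the block shows the flawed handler returning -2000 for the quoted payload while the hardened one rejects everything but the plain positive amount.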
Final Verdict:
Never give up when the standard payloads fail; always try fuzzing with combinations of different characters, because in the end bypassing security protections is all about fuzzing!!
Note: The main credit and inspiration for this post go to Mr. Lokesh Sharma, as he is the one who found the bypass in the first place. He has written some great content, do check it out. Below is the link to his profile: https://www.dhirubhai.net/in/lokesh-sharma-28322878/
Keep learning and keep sharing!!
Comments:

CSO - Chief Security Officer | DPO - Data Protection Officer | Digital Forensic Investigator | Senior Pentester | Bug Bounty Hunter | OSINT Search Party Volunteer | ANPPD Member (6 years ago):
I had to leave a private bug bounty program, because the CSO of the company was complaining about parameter fuzzing :)

Application Security (6 years ago):
Gr8 Research

Certification in EHCE from US-Council and keen to join in any information security field (6 years ago):
Share cyber security vacancies with me

Lead Cyber Security Specialist at Grab (6 years ago):
Good going... :D

CSO - Chief Security Officer | DPO - Data Protection Officer | Digital Forensic Investigator | Senior Pentester | Bug Bounty Hunter | OSINT Search Party Volunteer | ANPPD Member (6 years ago):
I agree