Logical Bug which let me stop Users from Creating Ads at a Website
I found a vulnerability on a website. Using that bug I could stop users from posting ads on that website. The impact of the bug is technically low, but it has a high business impact.
About the Web Application
The web application has many features. Any user can buy old used cars and any user can sell their old car at this site. The site has forums, so any user can post articles about cars and anyone can comment on or like other users' posts. To sell a car, a user needs to post an ad at the site. To post an ad he needs to pay some amount to the site. After payment, moderators approve his ad. After approval, everyone at the site can see his ad.
This is a private bug bounty program, so I can't mention the site URL here. Assume the site URL is Site.xyz.
What is the Type of Vulnerability?
The type of bug is a logical flaw. If an attacker can harmfully use or manipulate the working flow or the data flow of an application, it is called a logical flaw. I found this bug in the ad creation feature.
Working Flow of the Feature
As I said, I found the bug in the ad creation feature. To completely create an ad, a user has to complete 5 steps. The bug is present between the 1st and 2nd steps.
- A user needs to enter the details of his car.
- Fill in his contact details.
I sent the request to Repeater and submitted it, and I got the following 302 response.
The 302 redirect URL looks like: site.xyz/advert/details?advertid=4251070&sh=user. The advertid is present in this URL, so I could understand the working flow: after the 1st step is submitted, the server allocates a specific id to the ad and sends a 302 response redirecting to step 2.
My Play with the Logic
How I Made It Work
At this time the URL site.xyz/advert/details?advertid=4251071&sh=user was continuously sent to the server with 100 threads.
At this time the browser sent the URL site.xyz/advert/details?advertid=4251071&sh=user to the server, but before it arrived, Intruder had already sent this request, because it was continuously sending the same request with 100 threads.
So the success ratio of attacker to user is 100:1; there are 100 times more chances that the server receives the attacker's request before the user's request.
The server receives the attacker's request first, so the server sets the attacker as the owner of the ad. The user can no longer access the ad. In Intruder, 200 responses started to be received because at that time 4251071 existed and was accessible by the attacker. If the user tried to access the ad with id 4251071, he would receive a 403 error.
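The root cause described above is that ownership of the ad is decided by whoever first loads the details URL, and the advertid is sequential, so the next id can be predicted. The following is an added example, not code from the site or from the author: a small in-memory reconstruction (all class names, the `victim`/`attacker` users and the sample details are assumed) that shows the flawed binding beside a hardened version which records the owner at step 1 and uses an unguessable id. `race_outcome` replays the request order from the write-up without any threads, which is enough to show why the flawed server answers 200 to the attacker and 403 to the user.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed in-memory model; the real site's code is not on the page.


@dataclass
class Advert:
    advert_id: str
    owner: Optional[str]   # None = "nobody has opened the details page yet"
    details: dict


class VulnerableAdvertService:
    """Assumed reconstruction of the flawed flow: step 1 allocates a
    sequential advertid, but the ad's owner becomes whoever first loads
    /advert/details for that id."""

    def __init__(self) -> None:
        self._next_id = 4251070          # sequential ids are predictable
        self._adverts: Dict[str, Advert] = {}

    def submit_step1(self, user: str, details: dict) -> Tuple[int, str]:
        advert_id = str(self._next_id)
        self._next_id += 1
        # The submitting user is not recorded with the advert.
        self._adverts[advert_id] = Advert(advert_id, None, details)
        return 302, f"/advert/details?advertid={advert_id}&sh=user"

    def open_details(self, user: str, advert_id: str) -> int:
        advert = self._adverts.get(advert_id)
        if advert is None:
            return 404
        if advert.owner is None:
            advert.owner = user          # first request wins: this is the flaw
        return 200 if advert.owner == user else 403


class HardenedAdvertService:
    """Same flow with ownership bound to the authenticated user at step 1
    and an unguessable advertid, so there is no window to race."""

    def __init__(self) -> None:
        self._adverts: Dict[str, Advert] = {}

    def submit_step1(self, user: str, details: dict) -> Tuple[int, str]:
        advert_id = secrets.token_urlsafe(16)   # 128 random bits, not sequential
        self._adverts[advert_id] = Advert(advert_id, user, details)
        return 302, f"/advert/details?advertid={advert_id}&sh=user"

    def open_details(self, user: str, advert_id: str) -> int:
        advert = self._adverts.get(advert_id)
        # Unknown ids and other users' ids get the same answer, so a
        # requester cannot learn whether a guessed id exists.
        if advert is None or advert.owner != user:
            return 404
        return 200


def race_outcome(service_cls) -> Tuple[int, int]:
    """Replay the order from the write-up: the victim submits step 1, a
    request from another account for the new id reaches the server before
    the victim's browser follows the redirect, then the victim arrives.
    Returns (attacker_status, victim_status)."""
    svc = service_cls()
    _, location = svc.submit_step1("victim", {"car": "constructed sample"})
    advert_id = location.split("advertid=")[1].split("&")[0]
    attacker_status = svc.open_details("attacker", advert_id)
    victim_status = svc.open_details("victim", advert_id)
    return attacker_status, victim_status


if __name__ == "__main__":
    print("vulnerable:", race_outcome(VulnerableAdvertService))  # (200, 403)
    print("hardened:  ", race_outcome(HardenedAdvertService))    # (404, 200)
```

In the hardened replay the attacker is handed the real advertid, which they could not predict in practice; even then the ownership check set at step 1 rejects them, so the fix does not rely on the id staying secret. Either change alone helps, but binding the owner at creation is the one that removes the logic flaw; the random id only removes the guessability that made it cheap to exploit.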
How to Make It Work Continuously?
- No user can create ads at the site, because after the attack that specific ad belongs to the attacker.
- To create an ad, the user needs to pay some amount to the site; if users are unable to create ads, the income of the site is affected.