Marktplaats (http://www.marktplaats.nl/) is a website owned by eBay that allows users to buy and sell products in addition to posting jobs.
The job management feature got my interest. I added a job and played with the job removal feature.
If you click on the remove link, a request like the one below will be sent:
When I pulled the trigger and tried to tamper the jobid to the jobid of another user that I created, it gave me an authorization bypass error :-(
So, I postponed my tampering and moved towards the next step in the job removal process. The next step was the delete confirmation:
When I clicked on the "Delete" button, I tampered the jobid.
The server responded to me with:
It was a 302 status that redirected me to the successful deletion page. We have a vulnerability :-)
This is the normal scenario the app was expecting:
This is what the attacker can do:
Marktplaats fixed the issue and sent me a token of appreciation. I was not rewarded because another researcher had already reported the vulnerability.
The Marktplaats bug bounty rules are at http://statisch.marktplaats.nl/help/responsible_disclosure_policy_en.html
![Tampered jobid in the delete confirmation request](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg1ns-56zFCBh4Gk4CQ4Kq63e6kA-e7vcyIOYWe_SrQ1xtfSB3oepXH42I-2QnvAxCGXZ7rQFKAKbcFYKlTI4ak4XejIXaRcQAqrjLIlfzInyCWbnMfEzKgVgFLRRIuv557uzg8lGEw0w/s1600/tamper.png)
![Normal scenario the app was expecting](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRYBVKLfNb0MOqDexLny4sxmGiKUTwRuA4huN4gjdC8Dg9r9HUFGSbvj6q4lCHCoXHQvhFAIxwjlP6YrT0fsY2sJIr9qMSBhOdDSVGx7fnW5bFI6O9l-RlyS2d48OAtF2w9IFQUKWgh6A/s1600/normal.png)
![What the attacker can do](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiszCFcSL8DzlDItoobmnP-_SjZHZh5BMkOmdw4s6JxEGzoP8dKbYrJ4GGiw6TWAdXtpHEigZhqf1Pti06rtKSlQbU-PNG7cfK1ZC-6aCSWEt66un64IE49a1lnV8K_Uvdl3E5Qerx08W4/s1600/attack.png)
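The flaw described in this post, modeled as an added example (not Marktplaats code and not code from the original post): step 1 of the removal flow checks ownership, the weak step 2 trusts the submitted jobid, and the hardened step 2 repeats the check before deleting. The in-memory store, user names, job ids and all function names are constructed for illustration.

```python
# Added example: two-step job removal with the ownership check on every step.
# All names and data here are hypothetical, not taken from the real application.

class Forbidden(Exception):
    """Raised when the session user does not own the referenced job."""

def new_store():
    # Constructed sample data: job id -> owner
    return {101: "alice", 202: "bob"}

def require_owner(jobs, session_user, job_id):
    # Ownership is decided from the server-side session, never from the request.
    # An unknown job id yields None and is rejected the same way.
    if jobs.get(job_id) != session_user:
        raise Forbidden(f"user {session_user!r} may not touch job {job_id}")

def remove_step(jobs, session_user, job_id):
    """Step 1: render the confirmation page. This step is checked."""
    require_owner(jobs, session_user, job_id)
    return {"status": 200, "confirm_for": job_id}

def confirm_delete_weak(jobs, session_user, job_id):
    """Step 2 as the post describes it: trusts the jobid sent with the form."""
    jobs.pop(job_id, None)  # no ownership check before the state change
    return {"status": 302, "location": "/deleted"}

def confirm_delete_hardened(jobs, session_user, job_id):
    """Step 2 fixed: repeats the same check before the state change."""
    require_owner(jobs, session_user, job_id)
    del jobs[job_id]
    return {"status": 302, "location": "/deleted"}

def run_flow(confirm, session_user, own_job, submitted_job):
    """Run step 1 with the user's own job, then step 2 with the submitted id."""
    jobs = new_store()
    remove_step(jobs, session_user, own_job)
    try:
        status = confirm(jobs, session_user, submitted_job)["status"]
    except Forbidden:
        status = 403
    return status, sorted(jobs)  # response status and the jobs that remain

if __name__ == "__main__":
    for confirm in (confirm_delete_weak, confirm_delete_hardened):
        print(confirm.__name__, run_flow(confirm, "alice", 101, 202))
```

A regression test for a multi-step flow like this should submit a foreign id at every step, not only the first one.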