Exploiting Application Logic to Referral Code Disclosure

The target was a food delivery application, there was a functionality of referral code to invite someone and get cashback for that in the wallet but the user only get the referral code after placing first order, i exploited application logic to get referral code without placing order

As I am not active on bugbounty from some time due to my OSWE exam, and was only focused on whitebox approach, but recently I got invitation for missions on a target on synack, I claimed some missions and started completing that, it took nearly one hour to complete, in between that I found a interesting thing below is a complete description

There was a “My Account” tab where I can see my profile information and can update the details, on the same page I saw a functionality of referral code Invite Friends, Earn Credits, when I click on that I got a popup saying

The referral code will be available once you have places your first order

After that I started testing other functions, when I was testing the profile update form, for updating the profile there is a request like below

PUT /v1/customer/UUID/profile


Sent this request to repeater for testing of authorisation by changing UUID and other data, after testing for some hours, I got nothing, after this I thought to test what data I can get from this endpoint

I changed PUT with GET and removed all data from the body


GET /v1/customer/UUID/profile


And in response I got JSON data with a key named referralCode with it’s value, remember that we cannot get this without placing first order, reported this to synack, it got disputed and SRT asked for more information and proper impact

The target was still active so I took some more POC and modified the report with it, also explained the financial impact on the client business due to this, the report got accepted and got rewarded the next day

Written on July 9, 2020 by Vaibhav Joshi