How I found a critical bug using response manipulation

matrixm0x1
2 min read · Aug 3, 2024


Hello everyone! It’s been a while since my last writeup. I’ve been away from bug bounty hunting, but in this writeup, I’ll share how I found a critical bug using response manipulation.

First, I apologize for any language mistakes. Let’s get started! One day, I was doing a quick pentest on an internal website, like many bug hunters do. I began by gathering the subdomains of the target and used httpx to identify live subdomains. If there were only a few subdomains (10 to 20), I would test them one by one. However, if there were many, I focused on the more interesting ones and performed my recon.

After some investigation, I discovered a few vulnerabilities and reported them. I then sent a list of the subdomains that I found to the admin, asking if there were any more that I might have missed. The admin kindly sent me a list of additional subdomains. It turned out that these subdomains were in different languages, which is why I couldn’t find them initially. I also didn’t do subdomain brute forcing.

I tested the new subdomains one by one and eventually found a login page. I tried common username and password combinations like admin:admin, test:test, and adminName:test, but none worked. Then, I tried using test as both the username and password. While logging in, I captured the request and noticed that the request was using JSON. The response was a 404 Not Found error, so I decided to change the response header to 200 OK and modify the body to {"status":true}.

And booooom! I bypassed the login page and accessed the panel. That’s the story of how I found this bug. I hope you enjoyed this short writeup. Keep hacking for good!

My Accounts: HackerOne, Twitter, Facebook, LinkedIn
