I don’t do bug bounty very often, because it’s hard to find something interesting and to be the first reporter… but the other day was different.
I opened my email and saw an invitation to a private HackerOne program. I took a look at it, and the bounties were attractive, so I said, why not?
FIRST STAGE (Recon)
The scope was very limited, only two hosts:
I created an account and then started intercepting my traffic with Burp. A first look revealed that they were using Auth0 for authentication, Express.JS for the web application and JWT for sessions.
The first thing I tried was changing the JWT alg to none and then impersonating an employee, but that was too obvious: an error message said none is not a valid algorithm.
One feature of the application is that you can invite users to a group and then change their account’s privileges/scopes.