I found an interesting bug in a private program that I would like to share with y’all, and I hope you find this write-up helpful,
so let’s get started!
Info about the target
It’s a financial company that provides virtual and physical cards.
So after some recon and getting to understand the target well, I found a function for creating virtual and physical cards, and I noticed that when you create a virtual card you can read the card details without any other steps.
Otherwise, the physical card is different: you need the PIN code printed on the back of the card, and you can’t get it without having the card delivered, which costs $5 too :)
So let’s take a look at the PIN code request,
and the response looked like this:
So basically there is a rate limit, so it’s not brute-forceable.
I tried to bypass the rate limit, but no luck :(
Then I found an endpoint that activates the card with the card UUID only!
As you can see, the difference is the truncated_pan (the PIN code).
So I tried this endpoint, and I was shocked!
It worked successfully!
So I was still wondering what this request was actually for?
After some investigation, I found it is for re-activating the virtual card if the user disabled it manually!
So basically, you can bypass the PIN code protection by taking the virtual card activate request and replacing the card UUID with the physical card’s UUID!
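To make the root cause concrete, here is an added example (my own Python model, not the target’s code) of the two activation paths: the UUID-only handler that lets a physical card’s UUID straight through, and a hardened version that keeps the PIN (truncated_pan) check and attempt limit for physical cards. The card data, UUIDs, and the attempt limit are constructed placeholders.

```python
import hmac
from dataclasses import dataclass

MAX_PIN_ATTEMPTS = 5  # assumed value; the write-up only says a rate limit exists


@dataclass
class Card:
    uuid: str
    kind: str                # "virtual" or "physical"
    owner: str
    truncated_pan: str = ""  # the secret printed on the back of a physical card
    active: bool = False
    pin_attempts: int = 0


def make_cards():
    """Constructed sample data; the UUIDs are placeholders, not real ones."""
    return {
        "virt-0001": Card("virt-0001", "virtual", "alice"),
        "phys-0002": Card("phys-0002", "physical", "alice", truncated_pan="4321"),
    }


def activate_vulnerable(cards, card_uuid, user):
    """The virtual-card activate endpoint as the write-up describes it:
    it checks ownership and the UUID only, never the card type or PIN."""
    card = cards[card_uuid]
    if card.owner != user:
        return "forbidden"
    card.active = True  # a physical card's UUID goes straight through here
    return "activated"


def activate_fixed(cards, card_uuid, user, truncated_pan=None):
    """Hardened handler: the PIN-free path only exists for virtual cards.
    A physical card must present the printed secret, compared in constant
    time and counted against the same attempt limit as the PIN endpoint."""
    card = cards[card_uuid]
    if card.owner != user:
        return "forbidden"
    if card.kind == "physical":
        if card.pin_attempts >= MAX_PIN_ATTEMPTS:
            return "rate_limited"
        if truncated_pan is None:
            return "pin_required"
        card.pin_attempts += 1
        if not hmac.compare_digest(truncated_pan, card.truncated_pan):
            return "invalid_pin"
    card.active = True
    return "activated"
```

The fix is to decide on the server which checks a card needs from its own record (type, owner, PIN state), not from which endpoint the client chose to call.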
Tips for Pentesters
Always read the JS files and analyze them.
And literally click on every button/function you can find, read the requests, and think about what you can do with them. This is how you build a hacker mindset :)
And that’s it, I hope you liked my first write-up and I hope you learned something new :)
See you in the next write-up, bye!