newfolder (@newfolderj)'s Twitter Profile
newfolder

@newfolderj

Muslim Security Student -- NOT from OXFORD | HARVARD | MIT | IIT | IBA | NUST | LUMS | FAST | UET

ID: 916258383887523841

Joined 06-10-2017 11:06:36

151 Tweets

1.1K Followers

227 Following

newfolder (@newfolderj) 's Twitter Profile Photo

Alhamdulillah, I was awarded a 4x$ bounty.

A single API call could leak 1 million+ users' private data.

I use these (%03, %08, %10, %83, etc.) when I get a 403 along with a "403" in the API response.
It means we are beyond the WAF, but some regex/restrictions/auth checks are stopping us from getting users' data.
newfolder (@newfolderj) 's Twitter Profile Photo

(Chained "blocked user + region-based authentication + password reset flaw" to a SECOND ORDER ATO.)

And the triager thought:
"Attacker would need access to victim's Gmail account
to perform Second Order Account Takeover." haha

Closed N/A
Reopened
Critical 10

Writeup coming, Inshallah.
newfolder (@newfolderj) 's Twitter Profile Photo

Able to access million+ emails, $:

API implementation:

/organization/:id => only org name shown

/organization/:id/users => 403, typical response

/organization/:id/users?get=newfolder => 403 with a response body and error message (auth)

/organization/:id/users?get=users::metadata => BOOM
newfolder (@newfolderj) 's Twitter Profile Photo

Quick account takeover in a minute:

Auth implementation: after signup, the user changes their email to an unsigned user's address; the session refreshes and the email is changed/confirmed to the unsigned user's address.

Change to [email protected] => user exists
Change to "[email protected]<SPACE>" or %20 => 200 OK, victim ID got 2 passwords

newfolder (@newfolderj) 's Twitter Profile Photo

In February, whatever I submitted was a loss. I have been removed from my university Final Year Project due to low maintenance of credit hours by our so-called reputed HEC, because I was busy with bounties. So far I would (maybe) repeat one more semester of the degree 👏.

newfolder (@newfolderj) 's Twitter Profile Photo

Organisation users' complete data leaked:

/api/users => 403
/api/users/all => 403 (JSON)
/api/users/all/name,email,data => 404
/api/users/all?FUZZ=FUZZ
/api/users/all?fields=name => 200 (LOW), only name was queryable
/api/users/all?access=all => BOOOM (email, credit_card, etc.)

newfolder (@newfolderj) 's Twitter Profile Photo

A thousand org users leaked:

/api/org/123 => leaked ORG_NAME only
/api/org/123/* => 403
/api/org/123/users => 403
/api/org/ORG_NAME/users => 403
/api/org/@org_name/users => 500
/api/org/@org_name/users/attributes => blank response
/api/org/@org_name/users/attributes/email => BOOOM

newfolder (@newfolderj) 's Twitter Profile Photo

API leaked all users' secrets:

/v1/org/users => 403
/v1/org/admin/users => 401
/v1.1/org/admin_id/users => 200 (blank response)
/v1.1/org/admin_id/users?FUZZ=FUZZ
/v1.1/org/admin_id/users?Withrole=true => 401 (body: unauthorised)
/v1.1/org/admin_id/users?With[mail,credit_card,apikey]=true => BOOM
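The four API tweets above (/organization/:id/users?get=users::metadata, /api/users/all?access=all, /api/org/@org_name/users/attributes/email and /v1.1/org/admin_id/users?With[...]=true) share one shape: the documented request gets a 403, but an undocumented parameter selects a code path the authorization check never covered. The Python below is an added illustration of that bug class; it is not code from the author or from any of the affected programs, whose backends are not public. The parameter names (`fields`, `access`), the organisation records and the "unauthorized export branch" root cause are assumptions. It replays the tweet-style probing sequence against a vulnerable handler and a hardened one.

```python
"""Undocumented query parameter routing around an authorization check.

Added illustration (not the author's code); data and parameter names are
constructed assumptions, since the real endpoints' code is not public.
"""
from dataclasses import dataclass, field

# Constructed sample records for one organisation.
USERS = [
    {"id": 1, "name": "alice", "email": "alice@example.org", "credit_card": "4111********1111"},
    {"id": 2, "name": "bob", "email": "bob@example.org", "credit_card": "5500********0004"},
]
PUBLIC_FIELDS = {"name"}
SENSITIVE_FIELDS = {"email", "credit_card"}


@dataclass
class Request:
    caller_role: str                            # "member" or "admin"
    params: dict = field(default_factory=dict)  # decoded query string


@dataclass
class Response:
    status: int
    body: object = None


def project(fields):
    """Return the user list restricted to the given column names."""
    return [{k: u[k] for k in fields} for u in USERS]


def list_users_vulnerable(req):
    """The role check lives in the *default* branch only.

    ``fields=`` gets a column allowlist and the bare call gets a role check,
    but an ``access=all`` branch (assumed: an internal export switch that
    shipped without authorization) is reachable by anyone who guesses it.
    """
    p = req.params
    if p.get("access") == "all":
        return Response(200, USERS)                     # no check at all
    if "fields" in p:
        wanted = set(p["fields"].split(","))
        if not wanted <= PUBLIC_FIELDS:
            return Response(403, {"error": "field not queryable"})
        return Response(200, project(wanted))
    if req.caller_role != "admin":
        return Response(403, {"error": "admin role required"})
    return Response(200, USERS)


def list_users_hardened(req):
    """Authorize the *data*, not the code path.

    Unknown parameters are rejected outright, and the caller's role fixes the
    set of columns it may read before any projection happens, so there is no
    branch a fuzzed parameter can reach without passing the check.
    """
    p = req.params
    unknown = set(p) - {"fields"}
    if unknown:
        return Response(400, {"error": "unknown parameter(s): " + ",".join(sorted(unknown))})
    wanted = set(p.get("fields", "name").split(","))
    if not wanted <= PUBLIC_FIELDS | SENSITIVE_FIELDS:
        return Response(400, {"error": "unknown field"})
    allowed = PUBLIC_FIELDS | (SENSITIVE_FIELDS if req.caller_role == "admin" else set())
    if not wanted <= allowed:
        return Response(403, {"error": "field not permitted for role"})
    return Response(200, project(wanted))


def probe(handler, role="member"):
    """Replay the tweets' probing sequence and report what each query got.

    Returns (query_string, status, leaked_sensitive_data) per request: the
    three things a tester actually watches while fuzzing a 403 endpoint.
    """
    sequence = [{}, {"fields": "name"}, {"fields": "name,email"}, {"access": "all"}]
    report = []
    for q in sequence:
        resp = handler(Request(role, q))
        leaked = resp.status == 200 and any(SENSITIVE_FIELDS & set(row) for row in resp.body)
        report.append(("&".join(f"{k}={v}" for k, v in sorted(q.items())), resp.status, leaked))
    return report


if __name__ == "__main__":
    for name, h in (("vulnerable", list_users_vulnerable), ("hardened", list_users_hardened)):
        print(name)
        for query, status, leaked in probe(h):
            print(f"  /api/users/all?{query:<18} => {status} {'LEAK' if leaked else ''}")
```

The hardened handler deliberately answers `access=all` with 400 rather than silently ignoring it: an unexpected parameter on a sensitive endpoint is exactly the signal worth logging, and a strict parameter allowlist is what makes the `?FUZZ=FUZZ` step in the tweets stop paying off.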

newfolder (@newfolderj) 's Twitter Profile Photo

P1 in 1 minute for 4*$:

User can invite members with the "org-member" role only.
Tried "org-xyz" = 400
Read JS files: tried "org-super-admin" & "org-owner" = 401
Bypassed: "org-owner<space>" = 200 BOOOM
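The account-takeover tweet (victim's email with a trailing space, "victim ID got 2 passwords") and the invite tweet above ("org-owner<space>" = 200) are the same ordering bug: the security decision is made on the raw input, and a later layer trims it. The Python below is an added illustration, not the author's code or that of either program; their internals are not public, so the account rows, the role names, the "ORM trims on write" and "privilege check on the raw string" explanations are assumptions chosen so that the status codes match what the tweets report. Each vulnerable function is paired with a version that canonicalizes once, up front.

```python
"""Validate-then-normalize ordering behind the trailing-space bypasses.

Added illustration (not the author's code); the account rows, role names
and internal logic are constructed assumptions, since the real apps'
code is not public. Reproduces the status codes the two tweets report.
"""
import re
import unicodedata

VALID_ROLES = {"org-member", "org-owner", "org-super-admin"}
GRANTABLE_BY_CALLER = {"org-member"}        # assumption: the inviter is an org-member
PRIVILEGED_ROLES = VALID_ROLES - GRANTABLE_BY_CALLER


def fresh_rows():
    """Constructed accounts: the victim and the attacker's own fresh signup."""
    return [
        {"id": 42, "email": "victim@example.com", "password": "victim-pass"},
        {"id": 77, "email": "attacker@example.com", "password": "attacker-pass"},
    ]


def canonical_email(raw):
    """One canonical string per mailbox: NFKC-fold (full-width letters),
    strip (ASCII and Unicode spaces, NBSP included), lower-case, then
    check the shape so that nothing odd survives into storage."""
    s = unicodedata.normalize("NFKC", raw).strip().lower()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", s):
        raise ValueError("malformed email: %r" % raw)
    return s


# --- email change (the "victim ID got 2 passwords" tweet) -------------------

def change_email_vulnerable(rows, account_id, new_email):
    """Uniqueness is compared on the raw input, but the storage layer trims
    before writing, so 'victim@example.com ' slips past the check and is
    saved as the victim's exact address."""
    if any(r["email"] == new_email for r in rows):      # raw comparison
        return 409                                      # "user exists"
    row = next(r for r in rows if r["id"] == account_id)
    row["email"] = new_email.strip()                    # assumed ORM trim on write
    return 200


def change_email_hardened(rows, account_id, new_email):
    """Normalize once; compare and store the same canonical value."""
    try:
        email = canonical_email(new_email)
    except ValueError:
        return 400
    if any(r["email"] == email for r in rows):
        return 409
    row = next(r for r in rows if r["id"] == account_id)
    row["email"] = email
    return 200


def passwords_for(rows, email):
    """What a login or password-reset lookup by address now finds
    (models the app's lookup, which also trims)."""
    key = email.strip()
    return sorted(r["password"] for r in rows if r["email"] == key)


def replay_email_attack(change_fn):
    """Attacker (id 77) tries the victim's address raw, then with a trailing
    space; returns both statuses and what a reset lookup for the victim sees."""
    rows = fresh_rows()
    raw = change_fn(rows, 77, "victim@example.com")
    spaced = change_fn(rows, 77, "victim@example.com ")
    return raw, spaced, passwords_for(rows, "victim@example.com")


# --- member invite (the "org-owner<space>" tweet) ----------------------------

def invite_vulnerable(role):
    """Validity is checked on the trimmed role, privilege on the raw one:
    'org-xyz' -> 400, 'org-owner' -> 401, 'org-owner ' -> 200 as owner."""
    if role.strip() not in VALID_ROLES:
        return 400, None
    if role in PRIVILEGED_ROLES:                        # raw comparison
        return 401, None
    return 200, role.strip()                            # grants the trimmed role


def invite_hardened(role):
    """Canonicalize first, then allowlist what this caller may grant;
    every later decision sees the same string."""
    role = unicodedata.normalize("NFKC", role).strip().lower()
    if role not in VALID_ROLES:
        return 400, None
    if role not in GRANTABLE_BY_CALLER:
        return 403, None
    return 200, role


if __name__ == "__main__":
    print("vulnerable:", replay_email_attack(change_email_vulnerable))
    print("hardened:  ", replay_email_attack(change_email_hardened))
    for r in ("org-xyz", "org-owner", "org-owner "):
        print(repr(r), invite_vulnerable(r), invite_hardened(r))
```

The general rule this demonstrates: canonicalize an identifier exactly once, at the boundary, and make every check, lookup and write downstream operate on that canonical value. The vulnerable variants each contain two different views of the same input (raw and trimmed), and the gap between them is the bypass.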

newfolder (@newfolderj) 's Twitter Profile Photo

Started testing a program from 2017; out of 200 subdomains I chose the main app (which I always do), as it communicates with the current API. After 2 days of testing, after office, for 3 hours a day, I was able to find 5 Critical, 3 High and 8 Medium. All were related to the APIs I shared before.

newfolder (@newfolderj) 's Twitter Profile Photo

Just submitted my first smart contract bug to the DeFi protocol; big thanks to Owen & @gogotheauditor for their public audits.