Business Logic Errors on a Porn Site — $$$$ Bounty

Hi Everyone, 大家好，

I was getting bored on last saturday, so I invited one of my friend to my flat to join me for bug hunting.
上周六我感到无聊，所以我邀请我的一个朋友到我的公寓和我一起寻找虫子。

The fun part is: THE TARGET WAS A WELL KNOWN PORN SITE.
有趣的部分是： 目标是一个著名的色情网站。

It is a private program and they give good bounty for interesting security vulnerabilies.
这是一个私人程序，它们为有趣的安全漏洞提供了丰厚的赏金。

We reported 3 Bugs, 1 XSS for which we bypassed the WAF using payload <svg/onload=alert%26%230000000040document.cookie)> and it gave an XSS pop-up bypassing cloudflare protection.
我们报告了 3 个错误，其中 1 个 XSS 我们使用有效负载绕过了 WAF 

The other two bugs were Business Logic errors:
另外两个 bug 是业务逻辑错误：

1. Ability to Watch Unlimited Paid Porn in Full HD Quality , without paying anything.
   能够以全高清质量观看无限付费色情片，无需支付任何费用。
2. Ability to control and put negative consumption rate on porn videos and makes the minutes last forever in your timebank.
   能够控制色情视频的负面消费率，并使分钟永远在您的时间银行中持续。

Lets discuss the first one…
让我们讨论第一个……

While playing a porn video, we were getting a pop-up to purchase subscriptions(in form of minutes) to watch the videos. We intercepted the request and manipulated isPreview parameter’s value from false to true.
在播放色情视频时，我们收到一个弹出窗口，用于购买订阅（以分钟的形式）来观看视频。我们截获了该请求，并将 isPreview 参数的值从 false 操作为 true。

And boom, the full length porn started playing.
砰的一声，全长色情片开始播放。

And we were like: 我们想：

The bug was immediately remediated and considered a critical vulnerability as it damages the main business logic of the porn site and allows anyone to watch all the HD full-length porn for free.
该漏洞立即得到修复，并被认为是一个严重漏洞，因为它破坏了色情网站的主要业务逻辑，并允许任何人免费观看所有高清全长色情内容。

Now lets talk about the second bug.
现在让我们谈谈第二个错误。

We observed an API response where the consumptionRate for a porn video was mentioned in the API request in the one of the json parameter, its dafult value was 1.0 , we changed it to negative value -10 . And there was a consumptionRateConfirmationRequired Parameter whose default value was set to false, we changed in to true while intercepting response on burpsuite.
我们观察到一个 API 响应，其中 API 请求中的 json 参数之一提到了色情视频的 consumptionRate，其 dafult 值为 1.0 ，我们将其更改为负值 -10 。并且有一个 consumptionRateConfirmationRequired 参数，其默认值设置为 false，我们在拦截 burpsuite 上的响应时更改为 true。

When we forwarded the response, a new POST request was triggered with consumptionRate parameter value as -10.
当我们转发响应时，触发了一个新的 POST 请求，其 consumptionRate 参数值为 -10。

And then, the consumption rate as a negative -10 was accepted by the application and the UI showed this message:
然后，应用程序接受负 -10 的消耗率，UI 显示以下消息：

Hence, the minutes consumption rate on porn videos can be controlled using this vulnerability and one can use limited minutes in his timebank for a very very very long time.
因此，可以使用此漏洞控制色情视频的分钟消耗率，并且可以在非常非常长的时间内使用时间银行中的有限分钟数。

The vulnerabilities are reported and accepted.
这些漏洞被报告并被接受。

The company offered $$$$ bounty for the responsible disclosure.
该公司为负责任的披露提供了$$$$的赏金。

I hope you enjoyed reading the write-up!! See ya later, white-hats.
我希望你喜欢阅读这篇文章！白帽子，待会儿见。

原文始发于vFlexo：Business Logic Errors on a Porn Site — $$$$ Bounty