How I Discovered an API Security Issue: My First Bug Bounty Blog

hackersatty
3 min readDec 1, 2024

--

About Me

Hi everyone! My name is Satyam Pawale, also known as @hackersatty in the bug bounty world. I started bug hunting in 2024 and have been passionate about finding security vulnerabilities ever since. Today, I’m excited to share my first blog, where I’ll talk about how I found a critical API security issue.

This blog is meant to share my experience and help others learn from it. If you like it or have any feedback, feel free to drop a comment below. Let’s get started!

What I Found

During one of my testing sessions, I came across a staging API of a website (let’s call it example.com). While exploring the API’s Swagger UI (a tool used to document and test APIs), I noticed something unusual:

Some critical API endpoints, like account creation and password reset, were open to anyone without requiring authentication.

This meant an attacker could:

  • Create new accounts.
  • Reset passwords.
  • Perform other sensitive actions, all without being logged in.

How It Happened

Here’s what I did step by step:

  1. Swagger UI Access:
    I opened the Swagger UI of the API at https://staging-api.example.com/#/User/createUser.
  1. Sending a Request:
    Using the /User/createUser endpoint, I sent a POST request with details like email, name, and password.
  2. Successful Account Creation:
    Even though I wasn’t logged in, the API responded with a success message, and the account was created.

Proof of Concept

Here’s an example of the request I sent to create a user:

{
"email": "user@example.com",
"password": "Test@123",
"firstName": "Example",
"lastName": "User",
"birthdate": "2000-01-01",
"newsletter": true
}

And just like that, the account was created!

The Impact

This vulnerability could cause serious problems, such as:

  1. Mass Account Creation:
    Attackers could create a lot of fake accounts, causing issues for the environment.
  2. Unauthorized Access:
    Password reset and application creation endpoints were also accessible, which could lead to misuse.
  3. Risk to Production:
    If the staging environment is connected to production, it could expose sensitive data or weaken overall security.

How to Fix This

Here’s what I suggested to the company to fix the issue:

  1. Add Authentication:
    All sensitive endpoints should require authentication, like session tokens or API keys.
  2. Secure Swagger UI:
    Access to the Swagger UI should be restricted, either by requiring a login or limiting it to internal use.
  3. Regular Security Audits:
    Organizations should regularly test their APIs to find and fix such issues early.

Key Takeaways

This experience taught me a lot about API security. Here’s what I’d like you to remember:

  1. Staging is Important:
    Staging environments are often ignored but can expose vulnerabilities just like production.
  2. APIs Need Protection:
    Always secure APIs with proper authentication and authorization.
  3. Keep Learning:
    Bug hunting is all about being curious and improving your skills. Don’t hesitate to try new tools and techniques.

Final Thoughts

This was my first major bug report, and it was an exciting learning experience. Sharing this story is just the beginning of my journey in writing blogs to help others in the bug bounty and security community.

I hope this blog inspires you to test staging environments and look deeper into API security. If you found it helpful, let me know in the comments. I’d love to hear your thoughts and ideas.

Until next time, happy bug hunting! 😊

--

--

hackersatty
hackersatty

Written by hackersatty

Bug Bounty Hunter!:) @Hacker0x01

Responses (4)