Hey there! 👋
I was doing a bit of bug-hunting in an old project of mine when I found an interesting bug. Can you find it?
If you know your security or PHP this might be quite easy for you. Otherwise, it might be a good exercise.
!! Don't look at the comments to prevent spoilers if you want to solve it by yourself !!
This is the request you would make to the server:
curl --location --request POST 'https://super.secure-api.com/check-pin' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{
"pin": <you_answer>
}'
And this is the code for that given endpoint (/check-pin):
if ($params['pin'] != $user->getPin()) {
    throw new HttpException(403, "The pin is incorrect");
}
return "The pin is correct!";
PS: This is just a demo, not real code. You should never check passwords/pins/secrets like this.
What input would you need to pass as pin to be able to bypass the check?
I will release a post in a couple of days explaining the bug in detail and how to fix it.
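Spoiler: the following is an added example (not the original post's code) that runs the snippet's loose comparison next to a hardened check over a few constructed request bodies, so you can see which decoded JSON values PHP's != treats as equal to the stored PIN. The stored PIN value and the request bodies are made up for the demo.

```php
<?php
// Added example, not the post's own code: why the loose comparison in the
// /check-pin handler is unsafe, and what a hardened check looks like.

// Stored PIN for the user (constructed sample value, stored as a string).
const STORED_PIN = '4821';

// Vulnerable check: PHP's loose comparison (!=) applies type juggling, so a
// non-string JSON value such as a boolean can compare "equal" to the PIN.
function checkPinLoose($pin, string $storedPin): bool {
    return !($pin != $storedPin);
}

// Hardened check: require a string, then compare it in constant time with
// hash_equals(); anything that is not a string (bool, int, null) is rejected.
function checkPinStrict($pin, string $storedPin): bool {
    if (!is_string($pin)) {
        return false;
    }
    return hash_equals($storedPin, $pin);
}

// Candidate request bodies a client could send (constructed for the demo).
$bodies = [
    '{"pin": "4821"}',   // correct PIN as a string
    '{"pin": "0000"}',   // wrong PIN
    '{"pin": true}',     // boolean: loosely equal to any non-empty string
    '{"pin": 4821}',     // integer: loosely equal to the numeric string
    '{"pin": null}',     // null: loosely equal only to an empty string
];

foreach ($bodies as $body) {
    $params = json_decode($body, true);
    printf("%-18s loose=%-5s strict=%s\n",
        $body,
        checkPinLoose($params['pin'], STORED_PIN) ? 'pass' : 'fail',
        checkPinStrict($params['pin'], STORED_PIN) ? 'pass' : 'fail');
}
```

The hardened version deliberately rejects an integer PIN too; if your API wants to accept numbers, cast to string on the client or validate the type explicitly rather than relying on == or !=.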