DEV Community: Karthikeyan Nagaraj

$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover

Karthikeyan Nagaraj — Sun, 02 Mar 2025 17:47:35 +0000

Introduction
In cybersecurity, vulnerabilities can arise from the most unexpected defects. A recent account takeover vulnerability via password reset without user interaction demonstrated how a simple access control flaw could lead to full account compromise.

In this article, we will explain how the vulnerability was identified, how attackers exploited it, and how developers can secure web applications from similar threats.

Timeline
Date Reported: December 20, 2023
Severity: Critical (10.0 CVSS)
Bounty Awarded: $35,000
Disclosed: February 26, 2025

What is Account Takeover via Password Reset?
Password reset-based account takeover occurs when attackers manipulate the password reset feature of an application to gain unauthorized access to a user’s account. This flaw is often caused by improper validation or missing authorization checks.

How the Vulnerability Worked
The vulnerability was found in GitLab’s password reset functionality. It allowed attackers to receive password reset links intended for victims by modifying the request payload.

Steps to Exploit
Visit the Forgot Your Password? page...

Click Here to Read the Complete Article on Medium -

$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover | by Karthikeyan Nagaraj | Mar, 2025 | Medium

Karthikeyan Nagaraj ・ Mar 1, 2025 ・
cyberw1ng.Medium

25,000$ Bounty — Simple SSRF Led to AWS Credentials Exposure

Karthikeyan Nagaraj — Fri, 28 Feb 2025 17:21:56 +0000

Timeline

📅 Reported: November 23, 2023
✅ Fixed: November 24, 2023
💰 Bounty: $25,000
Severity: Critical (9.8/10) Introduction Server Side Request Forgery (SSRF) is one of the most dangerous vulnerabilities in web applications, especially when it allows attackers to access internal services or cloud metadata endpoints. Recently, a researcher found a critical SSRF vulnerability in an Analytics Reports feature that exposed AWS credentials, which could potentially allow full control over cloud services. In this article, I’ll break down the vulnerability, how it was exploited, and how such attacks can be prevented. What is SSRF? Server Side Request Forgery (SSRF) happens when an attacker tricks a web server into making requests to internal services or external systems. Types of SSRF Attacks:
Basic SSRF — The attacker forces a server to make a request to an unintended destination.
Blind SSRF — The response is not visible to the attacker, but actions may still be executed on the target system.
SSRF to Internal Services — Attackers exploit internal APIs or cloud metadata endpoints, gaining unauthorized access.

Read the Complete Writeup on Medium - https://cyberw1ng.medium.com/25-000-bounty-simple-ssrf-led-to-aws-credentials-exposure-a6938e0875f9

Finding Juicy Information from GraphQL

Karthikeyan Nagaraj — Sun, 23 Feb 2025 08:48:33 +0000

Introduction
GraphQL APIs have become widely adopted due to their flexibility, but misconfigurations can expose sensitive data to unauthorized users. Attackers and bug bounty hunters often leverage GraphQL queries to extract:

🔎 Hidden API endpoints
🔎 User emails and credentials
🔎 Internal system data
🔎 Private reports and security information

In this article, we’ll explore practical techniques for extracting juicy information from GraphQL APIs, how attackers abuse these vulnerabilities, and how to harden your GraphQL endpoints against exploitation.

1️⃣ Finding Exposed GraphQL Endpoints
Before extracting sensitive data, you first need to locate the GraphQL endpoint. Common naming conventions for GraphQL APIs include:

Read the Complete Article on Medium

25000$ IDOR: How a Simple ID Enumeration Exposed Private Data

Karthikeyan Nagaraj — Sat, 22 Feb 2025 05:45:22 +0000

Timeline
June 28, 2022: A security researcher submits a report detailing a critical GraphQL vulnerability.
June 29, 2022: The issue is reviewed, and further information is requested.
July 1, 2022: The vulnerability is validated and escalated for internal review.
July 5, 2022: Severity increased to critical (9.3/10) due to the exposure of private report titles.
July 5, 2022: Researcher is awarded $25,000 for responsibly reporting the issue.
January 21, 2025: The report is publicly disclosed after complete mitigation.
Introduction: A Critical IDOR in GraphQL
Insecure Direct Object References (IDOR) remain one of the most commonly exploited vulnerabilities, often allowing unauthorized access to sensitive data.

In a recent high-severity bug bounty case, a researcher discovered a GraphQL endpoint misconfiguration that allowed unauthenticated users to enumerate object IDs and extract private bug bounty program details.

🔴 What was exposed?
✅ Private program names
✅ Scope details of security assets
✅ Titles of private reports

This vulnerability led to a $25,000 bounty payout. Let’s break down how the attack worked and how organizations can prevent such GraphQL-based IDOR vulnerabilities.

25000$ IDOR: How a Simple ID Enumeration Exposed Private Data | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・
cyberw1ng.Medium

Read the Complete Article on Medium

Exploiting GraphQL Vulnerabilities: How Misconfigurations Can Lead to Data Leaks

Karthikeyan Nagaraj — Fri, 21 Feb 2025 07:21:36 +0000

Introduction
GraphQL is a powerful API query language that allows clients to request exactly the data they need. While it improves flexibility and performance, improper GraphQL configurations can lead to serious security vulnerabilities, including:

🔴 Unauthorized data access
🔴 Sensitive information disclosure
🔴 Exploitation of misconfigured object IDs
🔴 Mass enumeration of private data

In a recent security report, a researcher discovered a severe GraphQL vulnerability that exposed sensitive data from a private system, earning a substantial bug bounty reward. This article explores how attackers exploit GraphQL vulnerabilities and how you can secure your APIs from similar threats.

1️⃣ How GraphQL Works and Its Security Risks
🔹 What is GraphQL?
GraphQL is an alternative to REST APIs that allows clients to fetch specific data by sending structured queries. Unlike REST, which returns fixed responses, GraphQL lets users define exactly what they need.

💡 Example GraphQL Query:

{
"query": "{user(id: 1) {name, email, role}}"
}
💡 Example Response:
...

Read the Complete Article on Medium

Exploiting GraphQL Vulnerabilities: How Misconfigurations Can Lead to Data Leaks | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・
cyberw1ng.Medium

$25,000 Bug Bounty for a GraphQL Security Flaw!

Karthikeyan Nagaraj — Thu, 20 Feb 2025 14:16:12 +0000

A security researcher recently uncovered a critical GraphQL vulnerability that exposed private bug bounty program details due to insecure object ID enumeration.

🔍 What was exposed? ✅ Private program names & security scopes ✅ Internal report titles ✅ Sensitive vulnerability details

How did it happen? The API did not properly restrict access to certain GraphQL queries, allowing an attacker to enumerate IDs and extract private data—a serious misconfiguration that could have led to further exploitation.

💡 Want to know how it was discovered and how to secure your GraphQL APIs?

👉 Read the full article on Medium: [link]

DEV Community: Karthikeyan Nagaraj

$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover

$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover | by Karthikeyan Nagaraj | Mar, 2025 | Medium

Karthikeyan Nagaraj ・ Mar 1, 2025 ・
cyberw1ng.Medium

25,000$ Bounty — Simple SSRF Led to AWS Credentials Exposure

Finding Juicy Information from GraphQL

25000$ IDOR: How a Simple ID Enumeration Exposed Private Data

25000$ IDOR: How a Simple ID Enumeration Exposed Private Data | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・
cyberw1ng.Medium

Exploiting GraphQL Vulnerabilities: How Misconfigurations Can Lead to Data Leaks

Exploiting GraphQL Vulnerabilities: How Misconfigurations Can Lead to Data Leaks | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・
cyberw1ng.Medium

$25,000 Bug Bounty for a GraphQL Security Flaw!

How a GraphQL Misconfiguration Exposed Sensitive Information: A $25,000 Bug Bounty Report | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 19, 2025 ・
cyberw1ng.Medium

DEV Community: Karthikeyan Nagaraj

$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover

$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover | by Karthikeyan Nagaraj | Mar, 2025 | Medium

Karthikeyan Nagaraj ・ Mar 1, 2025 ・ cyberw1ng.Medium

25,000$ Bounty — Simple SSRF Led to AWS Credentials Exposure

Finding Juicy Information from GraphQL

25000$ IDOR: How a Simple ID Enumeration Exposed Private Data

25000$ IDOR: How a Simple ID Enumeration Exposed Private Data | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・ cyberw1ng.Medium

Exploiting GraphQL Vulnerabilities: How Misconfigurations Can Lead to Data Leaks

Exploiting GraphQL Vulnerabilities: How Misconfigurations Can Lead to Data Leaks | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・ cyberw1ng.Medium

$25,000 Bug Bounty for a GraphQL Security Flaw!

How a GraphQL Misconfiguration Exposed Sensitive Information: A $25,000 Bug Bounty Report | by Karthikeyan Nagaraj | Feb, 2025 | Medium

Karthikeyan Nagaraj ・ Feb 19, 2025 ・ cyberw1ng.Medium

Karthikeyan Nagaraj ・ Mar 1, 2025 ・
cyberw1ng.Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・
cyberw1ng.Medium

Karthikeyan Nagaraj ・ Feb 21, 2025 ・
cyberw1ng.Medium

Karthikeyan Nagaraj ・ Feb 19, 2025 ・
cyberw1ng.Medium