DEV Community: shemkar The latest articles on DEV Community by shemkar (@shemkar). https://dev.to/shemkar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3794510%2Fc473b802-88d2-42eb-b4ab-c701179fa2cf.png DEV Community: shemkar https://dev.to/shemkar en One Extra JSON Key: How a Harmless Profile Endpoint Became an ATO Candidate shemkar Sun, 26 Apr 2026 21:04:52 +0000 https://dev.to/shemkar/one-extra-json-key-how-a-harmless-profile-endpoint-became-an-ato-candidate-57ni https://dev.to/shemkar/one-extra-json-key-how-a-harmless-profile-endpoint-became-an-ato-candidate-57ni <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcx1jnarwp8hv2m98caqr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcx1jnarwp8hv2m98caqr.png" alt=" " width="800" height="1000"></a></p> <p><strong>The harmless profile endpoint that taught me how real bugs work</strong></p> <p>Early in my bug bounty journey, I found a bug that looked simple from the outside, but it changed the way I think about web security.</p> <p>At that time, I didn’t know how to write strong reports.<br> I knew how to test manually.<br> I knew how to follow weird backend behavior.<br> But I didn’t fully understand that finding a bug is only half of the work.</p> <p>The other half is proving impact clearly.</p> <p>The bug started from a normal profile update endpoint.</p> <p>Nothing fancy.<br> No admin panel.<br> No scanner.<br> No magic.</p> <p>Just this kind of request:</p> <p><strong>Test target</strong> <code>https://example.com</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">PATCH</span> <span class="nn">/api/users/me</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="na">Host</span><span class="p">:</span> <span class="s">example.com</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">session=&lt;redacted&gt;</span> <span class="p">{</span><span class="w"> </span><span class="nl">"time_zone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Africa/Casablanca"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>At first, this endpoint looked harmless.</p> <p>It was supposed to update normal user-controlled profile fields like timezone, language, or basic settings.</p> <p>But I asked myself one simple question:</p> <p><strong>What happens if the backend receives fields that the frontend never sends?</strong></p> <p>So I added sensitive parameters manually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">PATCH</span> <span class="nn">/api/users/me</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="na">Host</span><span class="p">:</span> <span class="s">example.com</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">session=&lt;redacted&gt;</span> <span class="p">{</span><span class="w"> </span><span class="nl">"time_zone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Africa/Casablanca"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"attacker@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"is_instructor"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>A secure backend should never allow a normal user to control fields like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"attacker@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"is_instructor"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The frontend is not security.</p> <p>Even if the UI never sends <code>role</code>, <code>is_instructor</code>, or sensitive account fields, an attacker can still add them manually in Burp Suite, curl, or any HTTP client.</p> <p>The real security decision must happen on the backend.</p> <p>In my case, the server accepted the request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="m">200</span> <span class="ne">OK</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> </code></pre> </div> <p>Back then, I was excited because I saw <code>200 OK</code>.</p> <p>But later I learned one of the most important lessons in bug bounty:</p> <p><strong>A 200 OK is not impact.</strong><br> <strong>Persistence is impact.</strong><br> <strong>A protected action unlocked by that persistence is impact.</strong></p> <p>So the real questions are not:</p> <p>“Did the server return 200?”</p> <p>The real questions are:</p> <ul> <li>Did the email actually change?</li> <li>Was password confirmation bypassed?</li> <li>Was email verification bypassed?</li> <li>Did the role change only in the UI, or did it affect authorization?</li> <li>Could the attacker use password reset after changing the email?</li> <li>Could the user access instructor/admin-only functionality after modifying role-related fields?</li> </ul> <p>That is where a harmless profile endpoint can become dangerous.</p> <p>This pattern is called <strong>Mass Assignment</strong>.</p> <p>It happens when the backend maps incoming JSON fields directly into a user object or database model without a strict allowlist.</p> <p>The developer expects something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"time_zone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Africa/Casablanca"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>But the backend also accepts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"time_zone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Africa/Casablanca"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"attacker@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"is_instructor"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The problem is not that the attacker can send extra fields.</p> <p>Anyone can send extra fields.</p> <p>The problem is when the backend trusts them.</p> <p>For the <strong>Account Takeover</strong> angle, the proof should be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Attacker has temporary access to an authenticated session. 2. Attacker changes the account email through the API. 3. No password confirmation is required. 4. No old email verification is required. 5. Attacker logs out. 6. Attacker uses "Forgot Password". 7. Password reset link goes to the attacker-controlled email. 8. Victim loses control of the account. </code></pre> </div> <p>For the <strong>Privilege Escalation</strong> angle, the proof must be stronger than just saying <code>"role":"admin"</code> was accepted.</p> <p>The important proof is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/api/instructor/dashboard</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="na">Host</span><span class="p">:</span> <span class="s">example.com</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">session=&lt;regular_user_session&gt;</span> </code></pre> </div> <p>Before the attack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="m">403</span> <span class="ne">Forbidden</span> </code></pre> </div> <p>Then send:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">PATCH</span> <span class="nn">/api/users/me</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="na">Host</span><span class="p">:</span> <span class="s">example.com</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">session=&lt;regular_user_session&gt;</span> <span class="p">{</span><span class="w"> </span><span class="nl">"is_instructor"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>After the attack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/api/instructor/dashboard</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="na">Host</span><span class="p">:</span> <span class="s">example.com</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">session=&lt;same_regular_user_session&gt;</span> </code></pre> </div> <p>If the result becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="m">200</span> <span class="ne">OK</span> </code></pre> </div> <p>That is real impact.</p> <p>Not the field.<br> Not the response.<br> The action unlocked by the field.</p> <p>That was the mistake I made in the beginning.</p> <p>I focused too much on the parameter modification, and not enough on the final proof chain.</p> <p>I thought:</p> <p><strong>“The role changed. The email changed. This is obviously serious.”</strong></p> <p>But triagers and developers do not work with emotion.</p> <p>They need a clean chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before → blocked Exploit → accepted After → protected action unlocked </code></pre> </div> <p>This bug pushed me to improve.</p> <p>It taught me that business logic bugs are not about sending random payloads.</p> <p>They are about understanding trust.</p> <p>Who controls this field?<br> Who should control this field?<br> What changes if this value is accepted?<br> What can I do after the backend persists it?</p> <p>That mindset changed how I hunt.</p> <p>Now, when I see an endpoint like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">PATCH /api/users/me </span></code></pre> </div> <p>I don’t only test the fields visible in the UI.</p> <p>I test the trust boundary.</p> <p>I ask:</p> <ul> <li>Does the backend use an allowlist?</li> <li>Does it ignore unexpected fields?</li> <li>Can I modify email without re-authentication?</li> <li>Can I modify role-like fields?</li> <li>Can I modify verification flags?</li> <li>Can I modify account type, plan, permissions, or security settings?</li> <li>Does the value persist server-side?</li> <li>Does it unlock a real action?</li> </ul> <p>For developers, the fix is not “hide the field from the frontend”.</p> <p>The fix must be server-side.</p> <p>A secure backend should:</p> <ul> <li>Use a strict allowlist of editable fields.</li> <li>Reject or ignore sensitive fields like <code>role</code>, <code>is_admin</code>, <code>is_instructor</code>, <code>email_verified</code>, <code>permissions</code>, <code>plan</code>, <code>balance</code>, <code>account_type</code>.</li> <li>Require password confirmation or re-authentication for sensitive account changes.</li> <li>Require email verification before replacing the primary email.</li> <li>Never trust frontend-controlled authorization fields.</li> <li>Log sensitive account modifications.</li> <li>Add rate limits and security challenges for repeated email changes.</li> </ul> <p>A secure response should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">PATCH</span> <span class="nn">/api/users/me</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="na">Host</span><span class="p">:</span> <span class="s">example.com</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="p">{</span><span class="w"> </span><span class="nl">"time_zone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Africa/Casablanca"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Expected secure behavior:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="m">400</span> <span class="ne">Bad Request</span> </code></pre> </div> <p>Or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"role is not an editable field"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This bug did not pay me.</p> <p>But it paid me in experience.</p> <p>It taught me that a boring endpoint can hide:</p> <ul> <li>Mass Assignment</li> <li>Missing re-authentication</li> <li>Email change bypass</li> <li>Account takeover chains</li> <li>Weak authorization logic</li> <li>Privilege escalation</li> <li>Dangerous backend trust assumptions</li> </ul> <p>It also taught me that a weak report can kill a strong bug.</p> <p>Today, I try to prove impact better.</p> <p>Not just:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>But:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What changed? Where did it persist? What security control was bypassed? What protected action became possible? How can the developer reproduce it in 2 minutes? </code></pre> </div> <p>That is the difference between guessing and understanding.</p> <p>No target names.<br> No private data.<br> No drama.</p> <p>Just one lesson:</p> <p><strong>Sometimes the most dangerous bugs are not hidden in complex exploits.<br> Sometimes they are hidden in one extra JSON key.</strong></p> testing webtesting api cybersecurity