Unauthenticated API Endpoint to Create Support Ticket Worth $500
Hello hackers, I am back with a new bug bounty write-up. In this blog, I am going to show how I was able to create a support ticket on behalf of another user without any authentication at one of India's unicorns. The company has a public bug bounty program on HackerOne. I will be using redacted.com as the main domain.
The company is a technology platform through which customers book different types of services.
www.redacted.com and api.redacted.com are in scope. As usual, I started exploring the application and capturing every request in the proxy tool Burp Suite. redacted.com is the main domain, but all the traffic routes through api.redacted.com. I used the company in the past to book some services, so I have some bookings in my account.
There is an option to raise a support ticket for your bookings. When you raise a ticket, a POST request is sent to the endpoint https://api.redacted.com/api/v2/marketplace/ticketV2/createTicket with the body {"city_key":null,"userId":"hashed_user_id","referenceId":"booking_id","issueType":"send_email_invoice","sourceKey":"help_center"}.
In the request, referenceId == booking_id. From Burp Suite, I replayed the same request without an authentication token, and when I checked the ticket tab in my profile, I saw that a support ticket had been raised without authentication.
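The missing server-side check, sketched as an added example that is not the company's code or part of the original post: a handler that trusts the body as described above, next to one that authenticates the caller and ties userId and referenceId to the session. The in-memory stores, the Bearer header scheme and all function names are assumptions made for illustration.

```python
# Constructed sample data (hypothetical): session tokens and booking ownership.
SESSIONS = {"tok-alice": "user_a"}                          # token -> userId
BOOKINGS = {"booking_1": "user_a", "booking_2": "user_b"}   # referenceId -> owner


def create_ticket_vulnerable(headers, body):
    """Behaviour described in the post: the body alone decides whose ticket it is."""
    return 200, {"ticketFor": body["userId"], "referenceId": body["referenceId"]}


def create_ticket_hardened(headers, body):
    """Authenticate first, then authorize both identifiers against the session."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user_id = SESSIONS.get(token) if scheme == "Bearer" else None
    if user_id is None:
        return 401, {"error": "authentication required"}
    # A client-supplied userId is never trusted: it must equal the session identity.
    if body.get("userId") != user_id:
        return 403, {"error": "userId does not match session"}
    # Object-level authorization: the booking must belong to the caller.
    if BOOKINGS.get(body.get("referenceId")) != user_id:
        return 403, {"error": "booking not owned by caller"}
    return 200, {"ticketFor": user_id, "referenceId": body["referenceId"]}


def sample_body(user_id, booking):
    """Build a body with the same fields as the request quoted in the post."""
    return {"city_key": None, "userId": user_id, "referenceId": booking,
            "issueType": "send_email_invoice", "sourceKey": "help_center"}


if __name__ == "__main__":
    replay = sample_body("user_a", "booking_1")
    print("vulnerable, no token:", create_ticket_vulnerable({}, replay)[0])
    print("hardened, no token:  ", create_ticket_hardened({}, replay)[0])
    auth = {"Authorization": "Bearer tok-alice"}
    print("hardened, own booking:", create_ticket_hardened(auth, replay)[0])
    other = sample_body("user_b", "booking_2")
    print("hardened, other user: ", create_ticket_hardened(auth, other)[0])
```
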