Potentially Juicy Leak?

Hello all! So, I stumbled upon something semi-interesting. I am just trying to figure out a better way to enumerate and see if I get any more information:

Sending the below request:

	GET /v1/invite-stats-by-invitee/WlUjMu/ HTTP/1.1
	Host: api.hostdomain.com
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
	Accept: application/json, text/plain, */*
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
	Origin: https://hostdomain.com
	DNT: 1
	Connection: close
	Referer: https://hostdomain.com/?i=WlUjMu

Responds with:

	{"url":"https://api.hostdomain.com/v3/invite-stats-by-invitee/WlUjMu/","fullname":"First and Last Name","user":{"picture":"https://api.hostdomain.com/userprofile-image/11761/","first_name":"Firstname"},"key":"WlUjMu","send_reminders":true,"extras":"{}"}

The WlUjMu is the value from a JSON “key” parameter; however, I need to find a way to enumerate that string. I sent the domain with the /userprofile-image/11761 to Intruder and I’m getting valid information by finding user profile pics; however, I can’t associate those IDs with their respective JSON “key” parameter to get more information on those users. It does not appear to be Base64, and Intruder is not working the way I intended it to. Is this a red herring, or would this be something valid to continue to pursue? If so, is there an easier way to enumerate a string such as that in Intruder (or another way)? I have been frying my brain here and I think I’m looking too deep into it.

So Intruder could do this. It’s the ‘custom iterator’, then assign 6 different payloads and assign the keyspace (so a-z and A-Z). But then with that level of entropy you’re looking at over 400,000,000 requests… :S
There are probably other ways to do this with other tools, but Intruder can do it fine…

1 Like

Hello @ARKADA, yeah, that was my challenge. That’s what I didn’t intend Intruder to do. I am not finding an easier way to do it and I honestly don’t want to waste the time if it’s a red herring. Thank you for your reply, I appreciate it!

Don’t let it discourage you. I’d still try, but place a throttle on it (like 1-2 requests a second) and let it run in the background to see if you can pick up any valid keys. Just because the maximum entropy is in the hundreds of millions doesn’t mean there aren’t other flaws (sequential keys, key sizes smaller than the maximum, etc.). Then of course, try to fuzz it as usual (different HTTP methods, null values, numbers, different encodings, etc.).

1 Like

Thank you for your comments @ARKADA, I appreciate the assistance here!
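From the defender’s side of the same problem, here is an added example (not code from the thread or from the API it discusses) that measures the keyspace ARKADA describes for a 6-character mixed-case key and flags clients whose traffic to the invite-stats endpoint looks like key guessing (many distinct keys, mostly 404s). The log lines, IP addresses and thresholds are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed access-log sample (not from the thread): one legitimate lookup of the
# key shown in the post, then one client walking the key space at a slow rate.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2019:12:00:00 +0000] "GET /v1/invite-stats-by-invitee/WlUjMu/ HTTP/1.1" 200 231
198.51.100.4 - - [01/Jul/2019:12:00:01 +0000] "GET /v1/invite-stats-by-invitee/aaaaaa/ HTTP/1.1" 404 0
198.51.100.4 - - [01/Jul/2019:12:00:02 +0000] "GET /v1/invite-stats-by-invitee/aaaaab/ HTTP/1.1" 404 0
198.51.100.4 - - [01/Jul/2019:12:00:02 +0000] "GET /v1/invite-stats-by-invitee/aaaaac/ HTTP/1.1" 404 0
198.51.100.4 - - [01/Jul/2019:12:00:03 +0000] "GET /v1/invite-stats-by-invitee/aaaaad/ HTTP/1.1" 404 0
198.51.100.4 - - [01/Jul/2019:12:00:03 +0000] "GET /v1/invite-stats-by-invitee/WlUjMu/ HTTP/1.1" 200 231
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \d+')
KEY_RE = re.compile(r'^/v\d+/invite-stats-by-invitee/([^/]+)/')

def key_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a key drawn uniformly from alphabet_size**length keys."""
    return length * math.log2(alphabet_size)

def days_to_exhaust(alphabet_size: int, length: int, rate_per_second: float) -> float:
    """Days needed to try every key at a fixed request rate (full-keyspace worst case)."""
    return alphabet_size ** length / rate_per_second / 86400

def flag_enumerators(log_text: str, min_misses: int = 3, min_miss_ratio: float = 0.5) -> dict:
    """Return {ip: (requests, distinct_keys, misses)} for clients whose invite-stats
    traffic looks like key guessing: many distinct keys and a high share of 404s."""
    stats = defaultdict(lambda: [0, set(), 0])  # requests, distinct keys, 404 count
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, _method, path, status = m.groups()
        k = KEY_RE.match(path)
        if not k:
            continue  # other endpoints are out of scope for this detector
        stats[ip][0] += 1
        stats[ip][1].add(k.group(1))
        if status == "404":
            stats[ip][2] += 1
    return {ip: (reqs, len(keys), misses) for ip, (reqs, keys, misses) in stats.items()
            if misses >= min_misses and misses / reqs >= min_miss_ratio}

if __name__ == "__main__":
    print(f"6 mixed-case letters: {key_bits(52, 6):.1f} bits, "
          f"{days_to_exhaust(52, 6, 2):.0f} days to exhaust at 2 req/s")
    print(flag_enumerators(SAMPLE_LOG))
```

The same per-client 404 ratio works as a rate-limit trigger: a legitimate user resolves one invite key they were given, so a client producing a stream of misses against this endpoint has no benign explanation.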