
Diving in JS: Expanding 1 access control issue into 22 paid access control issues

Tags: bug-bounty, writeup, improper-access-control

A deep dive into how I discovered one improper access control bug and expanded it into 22 bugs.

Initial

So, in 2024, I was hacking on a pretty well-known e-commerce platform that was part of a HackerOne private program. I had spent a week hunting on its seller platform and had already reported multiple authentication and IDOR vulnerabilities. I was quite confident about this asset and had a clear understanding of how everything worked. While reviewing my Burp history, I stumbled upon an endpoint responsible for downloading the seller's bank details used for KYC.

Bug Detection

The download was a simple GET request with the seller ID in the path, followed by the file name: https://sell.target.com/documents/<sellerid>/bank_document, sent with the session cookies and everything else. It looked harmless, but I copied the URL, opened it in another browser and saw the file download anyway: the server was not properly checking the cookies before giving access to the file. Since a seller ID can be obtained anyway from the items that seller is selling, an attacker who knows a victim's seller ID can download the victim's bank documents.
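To make the flaw concrete, here is an added Go example that is not code from the post or from the platform. It models the document endpoint twice: a handler that picks the file purely from the seller id in the URL (the behaviour described above), and a fixed handler that resolves the session cookie to the seller who owns it and serves the file only when that seller matches the id in the path. The session store, seller ids and document contents are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample stores standing in for the platform's session and document
// storage; nothing here is the target's real code or data.
var sessions = map[string]string{
	"sess-alice": "1001", // session cookie value -> seller id that owns it
	"sess-bob":   "1002",
}
var bankDocs = map[string]string{
	"1001": "BANK-DOC-SELLER-1001",
	"1002": "BANK-DOC-SELLER-1002",
}

// sellerIDFromPath extracts <sellerid> from /documents/<sellerid>/bank_document.
func sellerIDFromPath(path string) (string, bool) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 3 || parts[0] != "documents" || parts[2] != "bank_document" {
		return "", false
	}
	return parts[1], true
}

// vulnerableHandler shows the flaw from the writeup: the only thing that selects
// the document is the seller id in the URL. The session cookie, present or not,
// plays no part in the decision, so anyone who knows an id can fetch its file.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	id, ok := sellerIDFromPath(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	doc, ok := bankDocs[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, doc)
}

// fixedHandler authenticates the session, resolves it to the seller that owns
// it, and serves the document only when that seller matches the id in the URL.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("session")
	if err != nil {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	owner, ok := sessions[c.Value]
	if !ok {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	id, ok := sellerIDFromPath(r.URL.Path)
	if !ok || id != owner {
		// 404 for someone else's id: the response should not confirm the id exists.
		http.NotFound(w, r)
		return
	}
	doc, ok := bankDocs[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, doc)
}

// fetch runs one GET against a handler in-process and returns status and body.
func fetch(h http.HandlerFunc, sessionCookie, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if sessionCookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionCookie})
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Seller 1002, or nobody at all, asks for seller 1001's bank document.
	code, body := fetch(vulnerableHandler, "", "/documents/1001/bank_document")
	fmt.Println("vulnerable, no session:", code, body)
	code, body = fetch(fixedHandler, "sess-bob", "/documents/1001/bank_document")
	fmt.Println("fixed, other seller:", code, body)
	code, body = fetch(fixedHandler, "sess-alice", "/documents/1001/bank_document")
	fmt.Println("fixed, owner:", code, body)
}
```

The important design point is that the fixed handler never trusts the id in the URL to decide whose data to serve; the owner comes from the session and the URL id is merely compared against it. That is the single check that was missing from every one of the 22 endpoints.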

So I reported this issue, and it was accepted within 12 hours.

Expanding the Issue

So, in the evening of the same day, I was reading the JavaScript files of the seller platform and searching for endpoints in them. I discovered an endpoint that returned the seller's stock details in CSV format. I crafted the URL for it using a valid seller ID, and now I was able to download anyone's stock details just by knowing their seller ID. That's when it struck me that I should look for more endpoints of this kind, because by then I knew the entire seller platform was vulnerable to this. So it was time to find and enumerate all of those endpoints. I noticed that all of them shared a common variable, seller_id. So I crawled all the JavaScript files of the asset using Burp Suite and Katana. At the time, to search for a word across all the JavaScript files, I wrote a simple Go script, which you can find here: https://github.com/kartikeyaggarwal/wfind. I ran it with the keyword "seller_id" using this simple command:

echo "https://sell.target.com"| katana -d 9 -jc | wfind -w "seller_id"

and I got 22 hits (including the bank one).
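As an added example that is not the post's wfind tool or the platform's code, here is a small Go program in the same spirit as the keyword search above, written from the application owner's side: it scans a set of JavaScript sources for every line that mentions seller_id, pulls out the quoted path fragments on those lines, and collapses them into a list of distinct endpoint prefixes to audit for an ownership check. The JavaScript snippets, file names and paths are constructed for the example and do not correspond to any real endpoints.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed JavaScript snippets standing in for crawled bundles. The paths
// are invented for this example and are not the target's endpoints.
var jsBundles = map[string]string{
	"app.js": `fetch("/documents/" + seller_id + "/bank_document");
const stockUrl = '/api/v2/sellers/' + seller_id + '/stock.csv';
axios.get("/api/v2/catalog/search?q=" + query);`,
	"vendor.js": `function payouts(seller_id){return "/api/v2/sellers/"+seller_id+"/payouts"}
const banner = "seller_id is required";`,
}

// pathLiteralRe matches quoted string literals that start with "/", i.e. the
// URL fragments that get concatenated with the id at runtime.
var pathLiteralRe = regexp.MustCompile(`["'](/[^"']*)["']`)

// Hit records one line that mentions the keyword and the path fragments on it.
type Hit struct {
	File  string
	Line  string
	Paths []string
}

// findKeyword scans every bundle line by line and returns the lines containing
// the keyword together with any path literals found on the same line. Lines
// that mention the keyword but carry no path (e.g. an error message) are still
// reported so a reviewer can triage them by hand.
func findKeyword(bundles map[string]string, keyword string) []Hit {
	var hits []Hit
	for file, src := range bundles {
		for _, line := range strings.Split(src, "\n") {
			if !strings.Contains(line, keyword) {
				continue
			}
			var paths []string
			for _, m := range pathLiteralRe.FindAllStringSubmatch(line, -1) {
				paths = append(paths, m[1])
			}
			hits = append(hits, Hit{File: file, Line: strings.TrimSpace(line), Paths: paths})
		}
	}
	// Deterministic order regardless of map iteration.
	sort.Slice(hits, func(i, j int) bool {
		if hits[i].File != hits[j].File {
			return hits[i].File < hits[j].File
		}
		return hits[i].Line < hits[j].Line
	})
	return hits
}

// endpointInventory collapses the hits into the distinct leading path
// fragments: the list an application owner walks through to confirm that each
// endpoint checks the caller actually owns the seller id it is asked for.
func endpointInventory(hits []Hit) []string {
	seen := map[string]bool{}
	for _, h := range hits {
		if len(h.Paths) > 0 {
			seen[h.Paths[0]] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

func main() {
	hits := findKeyword(jsBundles, "seller_id")
	for _, h := range hits {
		fmt.Printf("%s: %s -> %v\n", h.File, h.Line, h.Paths)
	}
	fmt.Println("endpoints to audit:", endpointInventory(hits))
}
```

Against real bundles the line-level grep is deliberately noisy; the inventory step is what turns 22 raw hits into a checklist of endpoints, each of which needs the same owner-versus-URL-id comparison.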

Reporting the Vulnerability

The report was going to be pretty straightforward, with just the endpoint URL as the PoC, so the initial idea was to report all 22 vulnerabilities in a single shot. But having been an automation hacker before, I knew this sometimes results in self-duplicate reports, so I reported them in groups of five at a time and got paid for all 22 of them.

I hope you liked this blog. It's my first time writing, so there may be some errors here and there; ignore them and keep hacking.

~ Kartikey