Shlomie Liberow

I’ve been training LLMs to recognise vulnerability chains and revisiting my favorite bug bounty reports to understand what patterns they can be taught to spot. Let’s look at this example of a ticketing platform's booking flow that leaked millions of PII records. This wasn’t  a zero-day or some sophisticated exploit, but a combination of  4 separate bugs that any decent scanner might find and file as Low/Medium severity. However, in combination, potentially genuinely damaging. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟭: 𝗧𝗵�� 𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗔𝗻𝗼𝗺𝗮𝗹𝘆 (medium severity) Most of the ticketing platform’s site used cookies, but the booking API switched to a custom header for user identification. Whenever auth does something unexpected, you want to pay attention. I was able to change the header to a different user's ID and see their data, although only partially, it was missing emails and other fields. This bug demonstrated a routing issue, but incompletely. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟮: 𝗧𝗵𝗲 𝗣𝗮𝘁𝗵 𝗧𝗿𝗮𝘃𝗲𝗿𝘀𝗮𝗹 (medium severity) The ticketing platform’s API ran on Apache, which handles file paths in specific ways. I sent ../../../../api# as the header value - telling the server "go up four directories" and ignore everything after the #. The response changed timing and structure. It worked, but blindly - I was moving through directories but couldn't see where. This bug was confirmed exploitable, but I needed a way to make it meaningful. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟯: 𝗧𝗵𝗲 𝗘𝗿𝗿𝗼𝗿 𝗠𝗲𝘀𝘀𝗮𝗴𝗲 (low severity) I sent an invalid user identifier to a different endpoint on the platform to see what would break. The error response included: "self":"/api/<redacted>/;user={xxxxx}/profile" This leaked the internal path structure - how the system organizes and stores user data. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟰: 𝗧𝗵𝗲 𝗦𝗲𝗾𝘂𝗲𝗻𝘁𝗶𝗮𝗹 𝗜𝗗𝘀 (informational) While testing other endpoints, I noticed another identifier type in the responses, tied to accounts, not users. These IDs were sequential: 3443123, 3443124, 3443125 ━━━━━━━━━━━━━━━━━━━━ 𝗕𝗿𝗶𝗻𝗴𝗶𝗻𝗴 𝗜𝘁 𝗔𝗹𝗹 𝗧𝗼𝗴𝗲𝘁𝗵𝗲𝗿 For Real Impact Four findings. Four tickets. Different teams. Different severities. But combined, a major breach of PII. Here's the chain: X-User-ID: ../../../../api/<redacted>/;account=3443125/profile# This combines: • Path traversal escapes the directory • Internal structure from the error maps the route • Sequential account ID replaces the random user ID • Access control weakness reads the data The result: Full user profile is revealed: name, DOB, address, email, phone, and more. In other words, a Complete database enumeration. ━━━━━━━━━━━━━━━━━━━━ 𝗧𝗵𝗲 𝗣𝗮𝘁𝘁𝗲𝗿𝗻 A scanner may find these issues in isolation but can't see that Medium + Medium + Low + Info = Critical breach. This is the direction LLMs can work towards with the right context: models that recognize not just individual bugs, but the investigation paths that connect them. #BugBounty #Security #VulnerabilityManagement