A bug bounty researcher discovered a critical vulnerability on an online learning platform by injecting a malformed URL that broke the app's WebSocket connection. The failure caused the browser console to leak an active authentication token embedded in the WebSocket URL parameters. Using Burp Suite and WAF bypass techniques (spoofed headers), the researcher confirmed the token was valid and over-privileged — it granted access to administrative REST endpoints like /channels and /stats, exposing the entire platform's real-time infrastructure. The root causes were two misconfigurations: tokens placed in URL parameters (leaking on connection failure) and client tokens not scoped to least-privilege permissions. The recommended fixes are enforcing token scoping to specific user channels and passing tokens via secure headers rather than URL parameters.
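The two root causes above map onto two server-side checks: refuse a token that arrives in the URL query string, and grant a client token only the channels it is explicitly scoped to. The following Python is an added example written for this summary, not code from the write-up or the affected platform. The token store, token strings, channel names and the `/channels` and `/stats` endpoint names (the latter two taken from the summary) are constructed for illustration; the `handle` entry point stands in for whatever framework performs the WebSocket upgrade and subscription.

```python
"""Added example (not from the write-up): server-side handling of a
WebSocket auth token that (1) refuses tokens carried in the URL query string
and (2) enforces least-privilege channel scoping before serving a request.
All token values, channel names and the token store are constructed."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class TokenScope:
    """What a token may do. Client tokens list their own channels only;
    admin resources are never reachable through a client-issued token."""
    user_id: str
    channels: frozenset  # e.g. {"user:42"}; "*" only on admin tokens
    admin: bool = False


# Constructed token store (hypothetical values).
TOKENS = {
    "tok-client-constructed": TokenScope("42", frozenset({"user:42"})),
    "tok-admin-constructed": TokenScope("1", frozenset({"*"}), admin=True),
}

# Administrative REST endpoints named in the summary.
ADMIN_ENDPOINTS = {"/channels", "/stats"}

# Query-string keys commonly used to smuggle credentials into a URL.
URL_TOKEN_KEYS = {"token", "access_token", "auth"}


class AuthError(Exception):
    pass


def extract_token(url: str, headers: dict) -> str:
    """Return the bearer token from the Authorization header.

    Any request carrying a token in the URL is rejected outright: query
    strings end up in browser consoles, server logs and referrers when the
    connection fails, which is exactly the leak path described above.
    """
    query = parse_qs(urlsplit(url).query)
    if any(k.lower() in URL_TOKEN_KEYS for k in query):
        raise AuthError("token must not be passed in the URL")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise AuthError("missing bearer token")
    return token


def authorize(token: str, resource: str) -> TokenScope:
    """Least-privilege check: admin endpoints need an admin token, and a
    channel subscription is allowed only if that channel is in scope."""
    scope = TOKENS.get(token)
    if scope is None:
        raise AuthError("unknown token")
    if resource in ADMIN_ENDPOINTS:
        if not scope.admin:
            raise AuthError("admin endpoint requires admin scope")
        return scope
    if "*" in scope.channels or resource in scope.channels:
        return scope
    raise AuthError(f"token not scoped for {resource}")


def handle(url: str, headers: dict, resource: str) -> str:
    """Simulated connect-and-subscribe: 'ok:<user>' or 'denied:<reason>'."""
    try:
        scope = authorize(extract_token(url, headers), resource)
        return f"ok:{scope.user_id}"
    except AuthError as exc:
        return f"denied:{exc}"


if __name__ == "__main__":
    hdr = {"Authorization": "Bearer tok-client-constructed"}
    print(handle("wss://example.invalid/ws?token=tok-client-constructed", {}, "user:42"))
    print(handle("wss://example.invalid/ws", hdr, "user:42"))
    print(handle("wss://example.invalid/ws", hdr, "user:7"))
    print(handle("wss://example.invalid/ws", hdr, "/channels"))
```

One practical caveat when applying the "headers, not URL parameters" fix: the browser `WebSocket` constructor cannot set custom request headers, so on the upgrade request the header check above is typically satisfied by an HttpOnly cookie or by exchanging a short-lived, single-use ticket over an authenticated HTTPS call first. Either way the long-lived token never appears in a URL, and the scoping check still decides what the connection may subscribe to.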

5 min read. From infosecwriteups.com, by DeepCodeX.