Loyalty redeem endpoint was missing an ownership check, so I redeemed another customer's points — QQ F2 (PR #551)
Pelin, a 33-year-old independent bug bounty hunter from Bornova, Izmir, has five years on HackerOne and sits in the Turkish top 10, specialising in payment, loyalty and customer-side data-flow security (@pelin-bb; HackerOne disclosures plus a Turkish-language research blog). In Q1 2026 she audited the customer-side loyalty redeem flow of the open-source thMenu repo. Pro+ tier customers accumulate Loyalty Points and redeem them for reward coupons via POST /api/loyalty/redeem, whose body carries loyalty_member_id and reward_id and which returns a Stripe coupon code.

In the endpoint code, loyalty_member_id is taken from the request body with no customer-side session ownership check. A customer JWT bearer is required, but the cross-check of the JWT's customer_id against loyalty_members.customer_id is missing: the endpoint passes authentication but has no authorization (ownership) check.

Threat model: an attacker with a legitimate customer profile obtains a target customer's loyalty_member_id (URL leak, profile share, screenshot), then POSTs with their own JWT and the other loyalty_member_id. The server deducts the victim's balance and issues a Stripe coupon, so the victim's points end up in the attacker's hands.

Lab repro with two accounts: A accumulates 500 points and B's loyalty_member_id is to hand. With A's JWT, POST loyalty_member_id=A and a cheap reward: 200 OK, A's points drop, Stripe coupon for A, as expected. Then with A's JWT, POST loyalty_member_id=B and the same cheap reward: 200 OK, B's balance drops, and A receives the Stripe coupon. Cross-customer redeem.

Scenario: a Diamond-tier hotel restaurant with QR-scan loyalty join. Over a few weeks on the restaurant network, decode the JWT from the network tab, fetch loyalty profiles, collect every customer's loyalty_member_id and redeem them for your own coupons: silent exfiltration.

Writeup: CVSS 7.8 HIGH, privilege escalation plus financial theft via Stripe coupon issuance. Proposed fix: a SELECT with a customer_id ownership match, an atomic balance deduct and an audit log.
Engineering reproduced it in 30 minutes and went through three wrong theories. (1) "loyalty_member_id is a UUID v4 and unpredictable": true but insufficient. UUIDs are observable in URLs, network responses and the QR-scan flow; with no authorization, the question is not whether an attacker guesses the ID by chance but that social engineering is an active vector. (2) "The customer JWT already encodes the loyalty member ID": wrong. customer_id and loyalty_member_id are different identifiers in a 1:N relationship (one customer can be a loyalty member at multiple restaurants); the JWT carries customer_id, loyalty_members.customer_id references it, and the ownership cross-check has to be explicit. (3) "Rate limiting blocks enumeration": PR #311 shipped an IP-hash limit of 15/min, but a single victim needs only one redeem; rate limiting slows bulk enumeration, it does not bound a single-target attack. The correct fix is an ownership-matching SELECT, an atomic balance deduct and a structured audit log.

Forensics: in apps/web-menu/src/app/api/loyalty/redeem/route.ts, customerId comes from session.customer_id and is JWT-validated, but the ownership cross-check is MISSING: the SELECT is WHERE id=? with no customer_id filter. This is OWASP API Security Top 10 #1, Broken Object Level Authorization (BOLA), the classic customer-side case: authentication answers "who are you", authorization answers "may you access this resource". A 90-day production audit found 0 customer_id × loyalty_members.customer_id mismatches, i.e. no attack pattern and only legitimate ownership, but the door was open and Pelin was the first finder.

PR #551, batch QQ F2, is a three-layer fix. Layer 1, ownership match: SELECT WHERE id=? AND customer_id=? with customer_id taken from the JWT; a missing row and a non-owned row both return 404 Not found, for enumeration resistance. Layer 2, atomic balance deduct with the ownership filter inline: UPDATE WHERE id=? AND customer_id=? AND balance>=?; meta.changes=0 yields 422 insufficient_balance_or_ownership_failed, which is race-safe and ownership-validated. Layer 3, structured audit log: event loyalty_redeem with customer_id, loyalty_member_id, reward_id, amount, caller_ip and result, shipped to Logpush and Sentry for suspicious-pattern detection, so a customer_id × loyalty_member_id mismatch can be flagged retroactively.
Sibling-surface BOLA sweep across the monorepo's customer-side endpoints: /api/loyalty/redeem (QQ F2); /api/orders/[id]/tip (PR #326, order ownership); /api/orders/[id]/cancel (PR #311, table_session_id ownership); /api/orders/[id]/track (table_session_id ownership); /api/customer/profile (WHERE on the JWT customer_id); /api/wishlist/add (JWT customer_id, PR #351); /api/promo/apply (order_id ownership). From Pelin's single BOLA case, engineering added a BOLA prevention checklist to the docs: every new customer-side endpoint requires both authentication and an authorization cross-check.

The production audit showed 0 attacks. Pelin was the first discoverer and received €2500 via Wise for the CVSS 7.8 finding, a Hall of Fame entry and a priority seat on the advisory board. It is the first top-10 HackerOne disclosure from Bornova, thMenu's first top-tier disclosure in the Turkish bug bounty market, and a reference for the Bornova AppSec community (3.4k). Mikael Kallio (Helsinki, 36, eight years on HackerOne, Nordic top 5, fintech specialty) made a parallel disclosure (€2500, LinkedIn 5.4k), top tier in the Nordic bug bounty market.

Pattern: on a customer-side endpoint, authentication is NOT ENOUGH. The authorization ownership cross-check is a separate layer: SELECT WHERE customer_id matches the JWT, UPDATE with customer_id as an inline filter, 404 for enumeration resistance, and a structured audit log; this is the canonical OWASP API #1 BOLA mitigation. Implementation: identify customer-side endpoints, read customer_id from the JWT session, SELECT WHERE id=? AND customer_id=?, UPDATE with the inline filter (atomic, ownership-checked, race-safe), 404 for enumeration resistance, structured console.log audit, Sentry suspicious-pattern alerts, a PR template checkbox and a quarterly BOLA audit. PR #551 is the reference.
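The three layers above, modelled in-memory as an added example (not thMenu's route code): the table shape, helper names and the coupon stub are assumptions, and the two helpers stand in for the SELECT and UPDATE statements named in the fix.

```typescript
// Added example, not thMenu's code: an in-memory model of the three-layer
// ownership check from PR #551. Table shape, helper names and the coupon stub
// are assumptions; a real route runs the SQL shown in the comments instead.
type LoyaltyMember = { id: string; customer_id: string; balance: number };
type Reward = { id: string; cost: number };
type Session = { customer_id: string }; // JWT-validated customer_id
type RedeemBody = { loyalty_member_id: string; reward_id: string };
type RedeemResult = { status: 200 | 404 | 422; body: Record<string, unknown> };
type AuditEvent = {
  event: "loyalty_redeem"; customer_id: string; loyalty_member_id: string;
  reward_id: string; amount: number; caller_ip: string; result: string;
};
class LoyaltyStore {
  audit: AuditEvent[] = [];
  constructor(public members: LoyaltyMember[], public rewards: Reward[]) {}
  // Layer 1: SELECT ... WHERE id=? AND customer_id=?  -- ownership is part of
  // the lookup, so "no such row" and "not yours" are indistinguishable.
  findOwned(memberId: string, customerId: string): LoyaltyMember | undefined {
    return this.members.find(m => m.id === memberId && m.customer_id === customerId);
  }
  // Layer 2: UPDATE ... SET balance=balance-? WHERE id=? AND customer_id=?
  // AND balance>=?  -- returns the changed-row count (meta.changes).
  deductIfOwned(memberId: string, customerId: string, amount: number): number {
    const m = this.findOwned(memberId, customerId);
    if (!m || m.balance < amount) return 0;
    m.balance -= amount;
    return 1;
  }
}
function redeem(store: LoyaltyStore, session: Session, body: RedeemBody, callerIp: string): RedeemResult {
  const reward = store.rewards.find(r => r.id === body.reward_id);
  // Layer 3: one structured audit event per call, whatever the outcome.
  const log = (amount: number, result: string) => store.audit.push({
    event: "loyalty_redeem", customer_id: session.customer_id,
    loyalty_member_id: body.loyalty_member_id, reward_id: body.reward_id,
    amount, caller_ip: callerIp, result,
  });
  if (!reward || !store.findOwned(body.loyalty_member_id, session.customer_id)) {
    log(reward?.cost ?? 0, "not_found_or_no_ownership");
    return { status: 404, body: { error: "not_found" } }; // enumeration-resistant
  }
  if (store.deductIfOwned(body.loyalty_member_id, session.customer_id, reward.cost) === 0) {
    log(reward.cost, "insufficient_balance_or_ownership_failed");
    return { status: 422, body: { error: "insufficient_balance_or_ownership_failed" } };
  }
  log(reward.cost, "ok");
  return { status: 200, body: { coupon: `COUPON-PLACEHOLDER-${body.reward_id}` } };
}
```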
thMenu Team
thmenu.com