During extensive subdomain enumeration, I identified a subdomain, inspire.example.com, dedicated to collecting website design inspirations. Its core functionality allows users to submit a form with their design idea and wait for an admin review and approval.

But me? I'm supposed to wait for admin approval? No, I had to bypass it.

When I examined the endpoints, I found that hitting the publish button resulted in a request to the /example/api_path/publish endpoint with the data {"id":"inspiration-post-id","status":"Denied"}.

So I thought — why not just change "Denied" to "Approved" and see if the server blindly trusts it?

And surprisingly, the server actually trusted my request without any checks!!!

But when I submitted the report, they closed it as "low". Their reasoning was that the admins review posts regularly and delete them roughly every 20 minutes.

So I decided I had to turn this endpoint into something more bounty-worthy and escalate the impact.

So I started digging deeper into the /example/api_path/publish endpoint. I retried the bug, and after the first request returned {"success":true,"newStatus":"Approved"}, I sent the same request again. This time, the server responded with {"success":true,"newStatus":"Unpublished"}. Hmm… interesting.

So I wondered — can I change the ID to any other post and unpublish it? But there was a problem: how was I supposed to get that random ID?

So I took my inspiration post ID, published the post, opened its page, and checked the source code. I searched for my post ID to see if it was hardcoded, and surprisingly, I found it inside a variable called Dynamic-page-id.

I swapped my post ID with the victim's ID in the /example/api_path/publish request, and to my surprise, the server accepted it and removed the victim's post. I submitted the report, and I got my Bountyyy!
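Both findings come down to the server trusting the request body for the new status and never checking who owns the post. The sketch below is an added example, not the site's code: it models the behaviour described above next to a handler that fixes both gaps. The store, user objects, role names and the "action" field are assumptions made for illustration.

```javascript
// Constructed in-memory data; post IDs, users and roles are hypothetical.
const makeStore = () => new Map([
  ["post-attacker", { owner: "mallory", status: "Pending" }],
  ["post-victim", { owner: "alice", status: "Approved" }],
]);

// Model of the behaviour in the writeup: the status in the body is trusted,
// a repeat request unpublishes, and no check ties the caller to the post.
function publishVulnerable(store, user, body) {
  const post = store.get(body.id);
  if (!post) return { success: false, error: "not_found" };
  post.status = post.status === "Approved" ? "Unpublished" : body.status;
  return { success: true, newStatus: post.status };
}

// Hardened: the client names an action, never a status. Each action has a
// fixed target status, allowed source states and an authorization rule.
const ACTIONS = {
  approve: { to: "Approved", from: ["Pending", "Denied"],
             allow: (user) => user.role === "admin" },
  unpublish: { to: "Unpublished", from: ["Approved"],
               allow: (user, post) => user.role === "admin" || user.name === post.owner },
};

function publishHardened(store, user, body) {
  const known = Object.prototype.hasOwnProperty.call(ACTIONS, body.action);
  if (!known) return { success: false, error: "bad_request" };
  const action = ACTIONS[body.action];
  const post = store.get(body.id);
  if (!post) return { success: false, error: "not_found" };
  // Authorization is decided from the server-side session, not the body.
  if (!action.allow(user, post)) return { success: false, error: "forbidden" };
  if (!action.from.includes(post.status)) return { success: false, error: "invalid_transition" };
  post.status = action.to;
  return { success: true, newStatus: post.status };
}
```

The `user` argument stands for the identity the server derives from the authenticated session; nothing in the request body should be able to change it.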

The objective is to interact with the site as a regular user would and learn the core functionality behind every API endpoint. You should understand what could actually impact the company — not just spraying XSS payloads everywhere.