Sign in with your UPS administrator credentials
"status":false →
"status":true
in the server response. The app trusted the client-side value and granted admin access.
| Tracking # | Pickup Location | Return Location | Service | Process Date | Status | Actions |
|---|---|---|---|---|---|---|
| 1Z999AA10123456784 | 142 Green St, Chicago IL 60601 | UPS Warehouse, Louisville KY | UPS Ground | 2022-02-18 | Delivered | Delete |
| 1Z999AA10234567895 | 87 Oak Ave, Austin TX 78701 | Sender — 87 Oak Ave | UPS 2nd Day Air | 2022-02-19 | In Transit | Delete |
| 1Z999AA10345678906 | 531 River Rd, Miami FL 33101 | UPS Store #4821, Miami FL | UPS Next Day Air | 2022-02-20 | Pending | Delete |
| 1Z999AA10456789017 | 9 Maple Ln, Seattle WA 98101 | UPS Warehouse, Seattle WA | UPS Ground | 2022-02-21 | Delivered | Delete |
| 1Z999AA10567890128 | 220 Pine St, Boston MA 02101 | Sender — 220 Pine St | UPS Worldwide Express | 2022-02-22 | In Transit | Delete |
The database contains two accounts: admin / admin and support / support@123. The login endpoint returns {"status":true} for correct credentials and {"status":false} for wrong ones. The client-side JavaScript reads this status field to decide whether to grant access; no server-side session is created or validated.
Use Burp Suite to intercept the login response: send any wrong password, intercept the response in Burp Proxy, change "status":false → "status":true, then forward. The app grants admin access because it blindly trusts the client-received JSON value.
The real-world impact included access to 1,066 shipment reports containing full PII
(tracking numbers, addresses, service details) and the ability to delete records or change the admin password.