GRC·Apr 28, 2026·3 min read·Foundation

Rating Limit Bypass via Request Manipulation

First Successful Bug Bounty

Summary

I discovered a business logic flaw in a web application’s rating system that allowed submission of values beyond the intended limit of 5. By intercepting the request using Burp Suite and modifying the rating parameter, I was able to submit values outside the accepted range.

This was my first successful bug bounty finding, and it was acknowledged and rewarded by the program.

Vulnerability Type

Business Logic Issue / Missing Server-Side Validation

Affected Feature

User rating functionality

Discovery Story

I was exploring the application with a beginner mindset, trying to understand how basic features work under the hood. The rating system looked simple, but I wanted to see how the request was being sent.

Using Burp Suite, I intercepted the request when submitting a rating. The UI restricted the value to between 1 and 5, but I suspected that the backend might not enforce the same rule.

I modified the rating value in the request from 5 to a higher number and forwarded it.

The request was accepted.

That moment confirmed the issue. It was a simple test, but it led to a valid vulnerability. This became my first successful bug bounty submission.

Steps to Reproduce

  1. Log in to the application.

  2. Navigate to a feature where ratings can be submitted.

  3. Select a valid rating (for example, 5).

  4. Intercept the request using Burp Suite.

  5. Modify the rating parameter to a value greater than 5.

  6. Forward the request.

  7. Observe that the application accepts the modified value.

Expected Behavior

The application should enforce server-side validation and reject any rating outside the allowed range.

Actual Behavior

The application accepted ratings beyond the maximum allowed value when the request was modified.

Impact

This issue allows manipulation of the rating system. An attacker could:

  • Submit artificially high ratings

  • Distort analytics and feedback

  • Affect rankings or trust indicators

While it does not directly impact security or confidentiality, it affects data integrity.

Root Cause

The backend did not validate the rating input. The system relied only on client-side restrictions, which can be bypassed easily.

Recommendation

  • Implement strict server-side validation for rating values

  • Restrict input to a defined range (for example, 1 to 5)

  • Reject invalid values with proper error handling

  • Log abnormal inputs for monitoring
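The following is an added example, not code from the original report or from the affected application, showing the root cause and the recommended fix side by side: a rating handler that trusts the client, and a hardened version that enforces the 1 to 5 range on the server, rejects wrongly typed values, returns a clear error, and records each abnormal input for monitoring. The JSON body shape ({"item_id": ..., "rating": ...}), the in-memory store and the anomaly list are assumptions made so the example runs offline.

```python
"""Added example (not the original post's code): a minimal rating endpoint
in its vulnerable form and its hardened form.

Assumptions (hypothetical, not from the report): the endpoint receives a JSON
body such as {"item_id": 42, "rating": 5}, the allowed range is 1..5, and the
application keeps a monitoring record of rejected inputs.
"""
import json
import logging
from typing import Any, Dict, List, Tuple

RATING_MIN = 1
RATING_MAX = 5

# In-memory store and anomaly log so the example runs without a database.
RATINGS: Dict[int, List[int]] = {}
ANOMALIES: List[Dict[str, Any]] = []

logger = logging.getLogger("ratings")


def vulnerable_submit(body: str) -> Tuple[int, Dict[str, Any]]:
    """'Before' handler, mirroring the reported flaw: the UI clamps the
    control to 1..5, but the server stores whatever value arrives."""
    data = json.loads(body)
    RATINGS.setdefault(data["item_id"], []).append(data["rating"])
    return 200, {"status": "ok", "rating": data["rating"]}


def validate_rating(value: Any) -> Tuple[bool, str]:
    """Strict check: the value must be a real integer (bool is a subclass of
    int in Python, so it is excluded explicitly) inside RATING_MIN..RATING_MAX."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False, "rating must be an integer"
    if not RATING_MIN <= value <= RATING_MAX:
        return False, f"rating must be between {RATING_MIN} and {RATING_MAX}"
    return True, ""


def hardened_submit(body: str, user_id: str = "anonymous") -> Tuple[int, Dict[str, Any]]:
    """'After' handler: validates on the server and logs abnormal input."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed JSON"}
    if not isinstance(data, dict) or "item_id" not in data or "rating" not in data:
        return 400, {"error": "item_id and rating are required"}
    if isinstance(data["item_id"], bool) or not isinstance(data["item_id"], int):
        return 400, {"error": "item_id must be an integer"}
    ok, reason = validate_rating(data["rating"])
    if not ok:
        # A value outside the range the UI offers cannot come from normal use,
        # so each rejection is recorded for monitoring rather than silently dropped.
        event = {"user": user_id, "item_id": data["item_id"],
                 "rating": data["rating"], "reason": reason}
        ANOMALIES.append(event)
        logger.warning("rejected rating %s", event)
        return 400, {"error": reason}
    RATINGS.setdefault(data["item_id"], []).append(data["rating"])
    return 200, {"status": "ok", "rating": data["rating"]}


def average_rating(item_id: int) -> float:
    """Shows the integrity impact: one oversized vote skews the average."""
    votes = RATINGS.get(item_id, [])
    return sum(votes) / len(votes) if votes else 0.0


if __name__ == "__main__":
    # Constructed request bodies: one normal, one manipulated past the limit.
    print(vulnerable_submit('{"item_id": 1, "rating": 100}'), average_rating(1))
    print(hardened_submit('{"item_id": 2, "rating": 100}', user_id="u1"))
    print(hardened_submit('{"item_id": 2, "rating": 5}', user_id="u1"), ANOMALIES)
```

The type check matters as much as the range check: a handler that only compares `value <= 5` would still accept `5.5`, `true` or `"5"` depending on the language's comparison rules, and a database column may silently coerce them. Returning a 400 with a short reason, while keeping the full rejected value in the monitoring record, gives defenders the signal without echoing attacker-controlled input back in detail.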

Severity

Medium

Outcome

The issue was reported through the bug bounty program.
The report was acknowledged, validated, and rewarded.

This was my first successful bounty, and it reinforced an important lesson:

Even simple features can contain real vulnerabilities when backend validation is missing.

Key takeaway

Strong security and GRC work is structured thinking: understanding the risk, choosing the control, and communicating it clearly enough that others can act on it.
