HacktoberFest2k21 vulnerability: How users metadata can be changed via Auth JWT tokens leaking from…
2021-12-30 15:32:49 Author: infosecwriteups.com (view original) Reads: 21 Bookmark

Anurag__Verma

Hello Awesome readers 👨‍💻✌✌,

Here is my 6th writeup, in which I will explain how I was able to change user metadata via auth JWT tokens leaking from the waybackurls logs; a video POC is available at the end of the writeup.

Let’s get started.

Don’t worry, I will not use redacted.com 🤣. First, visit hacktoberfest.digitalocean.com and link your account to GitLab or GitHub.

Now simply capture the profile request in Burp Suite, look for the request dealing with user metadata and send it to Repeater as a backup, as shown below.

Now in the request, you can observe that only a JWT in the Authorization header is used for authorisation, and that JWT already contains a user ID in its payload section, as shown below:

You can use jwt.io for analysing the JWT.

It means we just need a way to find or build these tokens in order to change the user/victim account’s meta information.

At this point I tried some Google and GitHub dorks, but nothing worked until I used the waybackurls tool.

Easy command:

waybackurls hacktoberfest.digitalocean.com

I found URLs in the Wayback Machine where users’ auth JWT tokens are being used, like shown below:

As shown above in the JWT analysing section, I can easily get the user_id from the JWT payload part, and it can be used in the request now.

Now when I used this JWT and user_id in the Authorization header and the request URL endpoint respectively, my request got a 200 OK response and the victim’s metadata got changed.

I even demonstrated it with a sample victim account; it worked the same as with the waybackurls JWT samples.
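To show what a server-side fix for this class of bug looks like, here is an added example (my own code, not DigitalOcean’s or the writeup’s) of the checks a metadata-update handler should make: reject tokens carried in the query string (which is how they end up in archives and logs), verify the HS256 signature and expiry, and require that the user_id in the token matches the user_id in the URL. The key, the claim names and the `mint_hs256` helper are constructed for the demo and are assumptions, not the real service’s API.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"      # assumption: the server's HS256 signing key
NOW = 1_700_000_000                # fixed "current time" so the demo is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper: build a signed HS256 JWT for the sample requests."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes, now: int):
    """Return the claims if the signature and exp check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None            # never let the token choose the algorithm
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:             # malformed base64 or JSON
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None                # an archived token must not stay usable forever
    return claims


def authorize_metadata_update(path_user_id: str, query: dict, headers: dict,
                              key: bytes = KEY, now: int = NOW):
    """Gate for PUT /users/<path_user_id>/metadata. Returns (allowed, reason)."""
    if "token" in query or "jwt" in query:
        return False, "token in query string"     # would leak into logs/archives
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_hs256(auth[len("Bearer "):], key, now)
    if claims is None:
        return False, "invalid or expired token"
    if str(claims.get("user_id")) != path_user_id:
        return False, "token user does not match path user"  # IDOR guard
    return True, "ok"
```

The last check is what stops a token for one account from touching another account’s metadata even when the signature is valid.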

See the video for a clearer view of the vulnerability:

This POC shows the power of chaining multiple vulnerabilities and why reconnaissance is important sometimes.

Thanks for watching the POC 😍.

Subscribe to my channel here 👩‍💻: subscribe__here

Connect with me via LinkedIn: https://www.linkedin.com/in/anurag-verma-650b771a2

Connect with me on Instagram: varmaanu001


Article source: https://infosecwriteups.com/hacktoberfest2k21-vulnerability-how-users-metadata-can-be-changed-via-auth-jwt-tokens-leaking-from-3028f8ad6991?source=rss----7b722bfd1b8d--bug_bounty