Hacking into Admin Panel of U.S Federal government system C.A.R.S — without credentials.
Hello guys, I hope you’re doing great! This is my first time writing an article about security bugs and I hope you will learn something new in this journey.
Without further ado, let’s dig in.
While I was looking for a program, I came across the U.S General Services Administration program and selected a target : https://cars.fas.gsa.gov/
C.A.R.S is the Comprehensive Accident Reporting System, a U.S. federal government system designed for personnel to report vehicle accidents in the US.
PS: I have attached below the report on HackerOne, which contains a video walking through how the bug was found in more detail.
Walkthrough
The only tools I used were BurpSuite and Wappalyzer.
When I approach a new target, the first thing to do is reconnaissance.
So I started looking around, navigating through the different functionalities and gathering information about the website: what technologies it uses, all the possible endpoints, whether there are JavaScript files, etc.
I started from the home page, which looked like a simple page:

Unfortunately, I couldn’t find much; the page only presented an admin panel login.

I tried clicking the CARS and MARS buttons but got nothing, and the select field was empty, so there was nothing to do here. So I decided to check out the source code of the page.
- To view the source of the page: CTRL+U, or right-click and choose View Page Source.
- While looking for interesting functions, I came across a function called loginChk().
// Client-side gate from the page source: returns true only when the hidden
// scSelCen field holds "admin"; otherwise it falls through and returns undefined.
function loginChk() {
    if (document.forms[0].scSelCen.value == "admin") {
        return true;
    }
}
Explanation: the function simply checks whether the value of scSelCen is “admin” and returns true if it is. Because this check runs in the browser, the user controls every value it reads, so it cannot act as an access control on its own.
This particular field, scSelCen, was not displayed on the form, so I fired up the developer console (F12)
and set the value of the “scSelCen” property to “admin”: document.forms[0].scSelCen.value = "admin"

Then I clicked on C.A.R.S and got this response:

It said “Invalid login ID/Password”, but now I had some options to choose from, which were not shown before!
I randomly chose the value “6MAB” and clicked C.A.R.S again.
And voilà! I was logged into the system.

I reported it right away and it got fixed within 1 week.
Takeaway
Always do your reconnaissance and information gathering thoroughly on the target.
Reviewing JavaScript code and understanding its functionality is a crucial part of hunting on web applications.
As in our example here, we got access by reading only one line of JavaScript code!
— — — — — —
Report: https://hackerone.com/reports/1063298
Thanks for reading this blog. If you found it valuable, give it some applause 👏👏.
Follow me and share this blog with your friends and the wider community.
Till then, keep learning, keep exploring!
Peace ✌!
If you have any questions, feel free to DM me.
My social media accounts -
Twitter — https://twitter.com/imjungsuu
LinkedIn — https://www.linkedin.com/in/hazem-brini/