Hi everyone, I am Rahul from IIIT-Allahabad. Hope you are doing well in this pandemic. Recently I have started exploring the fields of cybersecurity and web-application hacking. This is my first blog, and here I will demonstrate how I was able to gain unauthorized access to all the users' accounts and see all their data. (In simple terms, I was able to log in to anyone's account without knowing their password.)
Let's dive into the process. Below is the login portal, which asks the user to enter a user ID and password.
I observed that the usernames of all the users follow a fixed pattern.
So the usernames look something like *******001, *******002, *******003, etc., and the passwords are unique for every user.
First I created two accounts (a victim account and an attacker account). Then I entered the attacker's username and password and checked the response to this request using Burp Suite. It looks something like this:
If you look closely at the response from the server, it is sending a JWT (JSON Web Token).
WHAT IS A JSON WEB TOKEN?
A JSON Web Token (JWT) is a JSON object used to securely transfer information over the web between two parties. It can be used for an authentication system and can also be used for information exchange. The token is composed of three parts: a header, a payload and a signature, separated by dots (.). The signature is computed over the header and payload, so a server that verifies it can detect when either of those parts has been changed.
After decoding the JWT, I found that it carries the user ID.
Here in the payload data you can see the attacker's username as *********2. I then changed the username in the payload to the victim's username, got a new JWT, replaced my token in the response with it, and forwarded the response to the browser to check whether I could log in to the victim's account. But as soon as I replaced and forwarded the response, the browser showed only the victim's username and did not complete the login. Still, I was sure there was some misconfiguration here, so I tried the process from step 1 again to check the response. This time, before forwarding the response to the browser, I changed the username to the victim's username in the browser itself. See the picture below:
Here I changed the username to *******106 and forwarded the response to the browser, and as expected the server was vulnerable to lack of validation and response manipulation. I was able to log in to the victim's account. See the screenshot below, where I could see all of his details and was logged in to his account.
Mission accomplished: logged in to the victim's account.
Note: I reported it to the organisation on 08–10–2020 and it was fixed within hours.
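To make the structure of a JWT and the server-side fix concrete, here is an added example that is not part of the original post and not the portal's own code. It mints and verifies an HS256 token from scratch (header.payload.signature, as described above), then contrasts a handler that takes the identity from a client-controlled username field, mirroring the bug found here, with one that takes it only from a verified token. The secret, the user records, and the function names are constructed for the demo; `resign_payload_with_old_signature` is a test helper that edits the payload while keeping the old signature, which is the kind of change a correct verifier must reject.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from configuration, never from code.
SECRET = b"constructed-demo-secret-not-for-real-use"

# Constructed user records standing in for the portal's database.
USERS = {
    "user001": {"name": "Victim User", "email": "victim@example.invalid"},
    "user002": {"name": "Attacker User", "email": "attacker@example.invalid"},
}


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    """Compact, deterministic JSON so re-encoding a payload is stable."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_jwt(userid: str, ttl: int = 900, secret: bytes = SECRET) -> str:
    """Issue header.payload.signature; the HMAC covers both header and payload."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json({"sub": userid, "exp": int(time.time()) + ttl}))
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET):
    """Return the payload only if the signature is valid and the token is unexpired."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # header or payload was altered after signing
        payload = json.loads(_b64url_decode(p))
        if payload.get("exp", 0) <= time.time():
            return None  # expired
        return payload
    except (ValueError, TypeError):  # malformed base64, JSON, or wrong part count
        return None


def profile_vulnerable(request: dict):
    """Mirrors the bug in the post: identity comes from a client-controlled field."""
    return USERS.get(request.get("username"))


def profile_hardened(request: dict):
    """Identity comes only from the verified token; any username field is ignored."""
    payload = verify_jwt(request.get("token", ""))
    if payload is None:
        return None
    return USERS.get(payload.get("sub"))


def resign_payload_with_old_signature(token: str, new_sub: str) -> str:
    """Test helper: swap 'sub' in the payload but keep the original signature.
    A correct verifier must reject the result because the HMAC no longer matches."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["sub"] = new_sub
    return f"{h}.{_b64url(_json(payload))}.{s}"


if __name__ == "__main__":
    token = mint_jwt("user002")
    print("hardened:", profile_hardened({"token": token, "username": "user001"}))
    print("vulnerable:", profile_vulnerable({"token": token, "username": "user001"}))
    print("edited payload accepted?", verify_jwt(resign_payload_with_old_signature(token, "user001")) is not None)
```

The design point is that the hardened handler never reads a username from the request body or from anything the browser can edit; the only identity it honours is the `sub` claim of a token whose signature it has checked itself. Pinning the algorithm and checking `exp` are the two extra checks most hand-rolled verifiers forget.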
Hope you enjoyed my blog.
Bugcrowd profile : https://bugcrowd.com/Agathamudi_Rahul_Naidu
LinkedIn profile : www.linkedin.com/in/AgathamudiRahulNaidu