
Object name Exposure — ING Bank Responsible Disclosure Program

Rohit kumar
Nov 8, 2018 · 2 min read

Heading: Object Names and Internal Architecture Exposed by a Deserialisation Error

NOTE: Usually I only copy/paste my conversation into Medium, as I do not have enough time to write these blog posts properly. I am sharing this only for learning purposes, not for earning followers. 😐 👊

Hi, I am Rohit Kumar, a Security Researcher and Bug Hunter from India.

Vulnerability: Information Disclosure & Internal Architecture Disclosure

— — — — — — — — — — — — — — — -

Reproduction Steps

— — — — — — — — — — — — — — — -

1. Log in to => https://developer.ing.com

2. Now go to your Profile to update it.

3. Edit your name and save it (at this step, intercept the request using Burp Suite).

4. Now, at this endpoint:

PATCH /individuals/791345bc-9444-4edc-9955-1b78e86fddfd/individualNames/EifQPFiEYfMiU-3FODj3sT736QkPuGe4nigpckH2fEqkaitoTfuLjGG3Lu9UDN84DDCkrGf0y8Lx89HLHcUrFfcb HTTP/1.1

Host: api.developer.ing.com

you will notice JSON text in the request body like this:

{"individualName":{"lastUpdateUser":"external-id-means","firstName":"Geeky bbc"}}

5. Now, change the "firstName" key to anything, e.g. "test". The final request body will look like this:

{"individualName":{"lastUpdateUser":"external-id-means","test":"Geeky bbc"}}

6. Now, forward or repeat this request. It will throw an error:

Unrecognized field "test" (class com.ing.tpa.onepam.exchange.model.IndividualName), not marked as ignorable (11 known properties: "startDate", "lastName", "salutation", "endDate", "type", "firstName", "secondName", "links", "lastUpdateUser", "initials", "_links"])

at [Source: (org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream); line: 1, column: 65] (through reference chain: com.ing.tpa.onepam.individual.json.model.IndividualNameInputMessage["individualName"]->com.ing.tpa.onepam.exchange.model.IndividualName["test"])


7. As you can see, the raw Jackson error is returned to the client, exposing the field names of the model, the fully qualified internal class names, and the deserialisation chain of the backend.
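The leak above comes from Jersey returning Jackson's own exception message to the client. One way a backend team can keep that detail server-side, as an added example that is not ING's code and assumes a Jersey 2 (javax.ws.rs) application using the Jackson provider, is a JAX-RS ExceptionMapper that logs the full message and answers with a generic body:

```java
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
import java.util.Map;
import java.util.logging.Logger;

/**
 * Hypothetical mapper (not part of the reported application).
 * Without a mapper, Jersey's default handling can surface Jackson's message,
 * which names the target class, its known properties and the reference chain,
 * exactly the output shown in the reproduction steps above.
 */
@Provider
public class UnknownFieldMapper implements ExceptionMapper<UnrecognizedPropertyException> {
    private static final Logger LOG = Logger.getLogger(UnknownFieldMapper.class.getName());

    @Override
    public Response toResponse(UnrecognizedPropertyException ex) {
        // Full detail (class name, known properties, reference chain) stays in the server log,
        // which is also where a rejected-field spike can be picked up by monitoring.
        LOG.warning("Rejected request body with unknown JSON field: " + ex.getMessage());

        // The client only learns that a field was rejected; internal type names are not echoed.
        // The field name is client-supplied and is serialised back as JSON by the Jackson provider.
        Map<String, String> body = Map.of(
                "error", "invalid_request",
                "message", "Unknown field in request body: " + ex.getPropertyName());

        return Response.status(Response.Status.BAD_REQUEST)
                .type("application/json")
                .entity(body)
                .build();
    }
}
```

If unknown fields are acceptable rather than an error, the alternative is to disable DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES on the ObjectMapper, in which case no exception (and no message) is produced at all.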

A few more notes

Now, in this report I would also like to mention that I reported one more vulnerability before this one, which you received on 30 August 2018.

I sent you snapshots of the PoC, and after receiving that report you rejected it and said that this was a false positive and the bug did not exist. Now, tell me: if it is a false positive, how did I reproduce it? Let's say my snapshots are fake, okay? Then tell me how I am able to insert 7 lakh characters into your database. I have strong proof: you can check my developer.ing.com account, where you will find dozens of apps created by me, each having around 6 lakh characters. I reported it ethically, but I don't believe you are handling it in an ethical way.

We should do our own work ethically. If your community behaves ethically, everyone will behave ethically.

Thanks,

Rohit Kumar
