So let's jump into the details of these 2 bugs, which chained together could lead to a 0-click account takeover.
IDOR Find
I noticed that the request endpoint for editing company details uses the PUT method, so I first copied the request from the Network tab as cURL (right click -> 'Copy as cURL').
Then I pasted the request into gedit (the GNU text editor) and modified it: I removed the cookies, since there was an Authorization header, to check whether authorization is actually done by the token (I do this just to learn the app, and to keep the reproduction steps to a minimum later).
Then I changed the request from PUT to GET (removed -X PUT).
Sent it => and wow, my details came back.
So of course what I tried next was other users' ids; since I may be the latest user, I usually like to subtract 1 from my own user id.
And BOOM => another user's P2 showed up, this was a very good IDOR.
Afterwards I also checked PUT, but it was not vulnerable to IDOR (there is also DELETE, I should check that too, and my friend recommended trying PATCH as well. I'll check it too).
Okay, so the IDOR find is covered. Beyond some juicy info, the user_id/email were also leaked in the P2 response, and this is the key part of my further chain.
Finding the LFI
What I checked was simply uploading a company pfp (profile image), and then checking its URL.
And the URL was something like this:
api/upload/<imageprocessorpath_here>/<date_in_js>-imagename.png
And I already knew from exposed headers that the server runs on Node.js (Express).
I think there could be other indicators as well, anyway.
I tried requesting non-existent paths, and saw

    {"error":"File not found"}

Which tells me: hey, the application seems to actually try to load the file ??
And I tried /.env, nothing, then

    api/upload/<imageprocessorpath_here>/..%2f.env

and errors showed up.
(Later I figured out, *my opinion though*, that we don't have read permission for .env.)
(NOTE: we use '%2F' because if we used '/' the server would treat everything after it as a route.)
But the change in the response was already a big RED FLAG, indicating something was going to pop up sooner or later.
And so I continued testing, and as the backend is Node, I tried
/index.js ==> nothing

    api/upload/<imageprocessorpath_here>/..%2findex.js
AND BOOM !!

I could see all the backend code.
And as an offsec enthusiast, I looked for quick impact. I dug a bit; I knew the app used JWT, so I looked for the JWT signing key.
Looking at the top of each file, at what is required:
index.js => /routes/index.js => /auth/index.js
Oh finally, Ctrl+F for jwt, found it:
    // snippet from /auth/index.js: the signing secret is a hardcoded string
    const token = jwt.sign(
      { id: user.id, email },   // payload: the same user_id/email the IDOR leaks
      "REDACTED",               // HS256 secret, hardcoded in the source
      {
        expiresIn: "redacted",
      }
    );

Okay, I redacted the JWT secret, but let me tell you it was a 5 digit number.
SIGHH! We could brute-force the key as well.
(Never tried, so I don't know if there are any nuances, but I'm sure it should work, and I should add this to my workflow !!)
Okay, let's take over anyone's account, starting with ours, as a responsible security researcher!
So I asked an AI for quick code to sign a JWT, and it gave me this in Python:
    # forge a token with the leaked secret (PyJWT); user id, secret and expiry are redacted
    import jwt, time

    payload = {
        "id": redacted,                            # user_id from the IDOR response
        "email": "sevada797@wearehackerone.com",   # email from the IDOR response
        "exp": int(time.time()) + REDACTED_time,   # expiry, mirrors the app's expiresIn
    }
    secret = "REDACTED"                            # the 5 digit secret from /auth/index.js
    token = jwt.encode(payload, secret, algorithm="HS256")
    print(token)

Now, before going crazy,
I just quickly checked how the app authenticates normally, using cookies, storage, session items, etc.
I quickly looked it up: the token was in local storage (I can also use doko('STRING') from JS4hacking, my JS extension hehe).
I tried putting only my token from a valid session into Incognito,
like
localStorage.setItem("<token_key>","<my_token>")
Reloading => I was logged in & redirected to the dashboard.
So now I did the same: closed and reopened Incognito (or just logged out),
and then pasted the output of the above Python code as the token value in Local Storage.
And ta-da, I can log in to any user's account by chaining the previous IDOR (getting the user_id & email) => crafting a JWT, as we know the secret.
This is an interesting attack vector, and I think it highlights how trusting the JWT alone can be compromised by attackers via LFI.
That was it, hope you liked it guys, keep learning!
PS: I hope I didn't miss any important part; if you have questions feel free to ask in the comments section.
And if you're a bug bounty hunter, I am open to new connections (my h1: hackerone.com/sevada797).