Partially though.
Hello people, this is a story about how I found a vulnerability that enables an attacker to escalate his privilege on the web application and access sensitive data.
Little Bit of Background:
Let’s understand about the target application, this coding training platform developed by a startup and is a react based application that communicates with its backend via API and mongoDB for database probably completely built with MERN Stack. How do I know about this platform?
Well I’m at my final year of engineering and my college conducted a placement training session where the trainers from this startup handled that session and they provided us with this platform for coding practice.
Application Flow:
As I started exploring this platform for some times, I got some interesting findings like:
- JWT Token stored in Localtorage
- API endpoint
- Found User Roles like “STUDENT”, “ADMIN”, “FACULTY” via Source code Review.
With this I started analyzing the application workflow with Burpsuite. The flow of the application is like:
- First check for the JWT Token in the LocalStorage.
- If token available it makes a request to the API endpoint: http://IP:8080/api/auth/currentuser. which returns the currently authenticated user details including role of the user.
- With this user details the application renders the UI for the user.
Initial Request:
Initial Response:
Student Dashboard:
The Vulnerability:
Note the API endpoint that returns the user details? that user details includes the role of the user, like my account has the role of STUDENT, but when changing the role to some other Roles like ADMIN or FACULTY presents us with that respective UI and options. now you might think that “It is the intended behaviour since it is a single page application, what’s wrong in it?”.
Well the actual vulnerability lies in the API. during the data fetching operation(GET) the user is not properly validated for the authorization to perform this action. hence it results in access to sensitive information that is only accessible for privilege roles like ADMIN or STUDENT.
As I said in the beginning this gives only partial privilege, that is I can only access the information but can’t modify any information because on POST request the API properly validates my role and returns 401(unauthorized) response.
Modified Response:
Upon changing the above highlighted key “role” from STUDENT from ADMIN results in:
Admin Dashboard:
Conclusion:
Are you expecting me to reveal the bounty for this vulnerability? well I got 0$ 😂 because this platform has no bug bounty program and I tested on it without permission (illegally) but I reported this vulnerability to that company let’s see if they fix it.
The moral of the story is bug bounty is highly competitive and for beginners it his hard to find their first valid bug, it makes them loose motivation. same applies for me so whenever I feel like I need motivation I start testing on some random site and find bugs this keeps me motivated and continue doing bug bounty.
See you with another writeup.