Auth Bypass Via Exposed Credentials
How we got there
So it was on one of those days, I was feeling bored and kinda alone. When I feel like this I usually indulge in some hacking (to fill that void😃).
So off I went to Intigriti and I saw that a program I followed had an update (funny story: I didn't recall having followed the program, but I may well have; I get forgetful sometimes).
After checking out the program, let's call it xboy, I found that they had *.xboy.me in scope and they were rewarding bounties for it, up to €1500 for an exceptional bug.
So I said why not. Up to this point the highest severity I had ever got for a bug was High (3 times) via payment bypass (write-ups below).
So after I took the domain I headed to c99 Subdomain Finder, pasted the domain and clicked start scan (no other tool, you ask? still bored, remember). Found several hundred domains.
Since I knew the backend was written in NODEJS I started searching for the NODE_ENV variable. I saw that it had a reference like the following.
After seeing this I remembered visiting https://admin.xboy.me which resulted in a 401 Unauthorized error. To test the validity of the basic auth creds I requested https://admin.xboy.me/favicon.ico, which had previously returned a 401 error, and this time I got a 200 OK:
GET /favicon.ico
Host: admin.xboy.me
Authorization: Basic Y2hhdG1ldXA6b250d2l0dGVyMHgwMSEK
I was in and I could see so much information that was clearly not intended for the public. I felt good but was honestly a little scared; that feeling of getting a critical severity bug + being inside a government server was overwhelming at first.
I immediately stopped testing and wrote a report including screenshots and embedded the vulnerable code snippet in my report.
- Headed to https://chat.xboy.me/js/index.js
- Searched and found the NODE_ENV values
- Visited https://admin.xboy.me to see the 401 error
- Now add the creds chatmeup:ontwitter0x01!, with chatmeup as the username & ontwitter0x01! as the password
- Now I have access to a lot of data
- I stopped testing at this point, but I believe an attacker could leverage this to escalate further.
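The root cause above is a server-side config (NODE_ENV plus a basic auth username and password) shipped inside a public JS bundle. The following is an added example, not code from the write-up or the program: a small Python scanner a defender can run over their own deployed bundles to flag exactly that pattern (decodable `Basic` tokens, credential-looking keys, and NODE_ENV references). The sample bundle and all names in it are constructed.

```python
import base64
import re

# Constructed sample bundle modelled on the write-up: a server-side config
# object and a pre-built Authorization header leaked into client-side JS.
_TOKEN = base64.b64encode(b"exampleuser:examplepass1!").decode()
SAMPLE_BUNDLE = (
    'var cfg={NODE_ENV:"production",adminUser:"exampleuser",adminPass:"examplepass1!"};\n'
    'fetch("https://admin.example.test/api",{headers:{Authorization:"Basic ' + _TOKEN + '"}});\n'
    'var build=process.env.NODE_ENV;\n'
)

# "Basic <base64>" tokens as they appear in hard-coded Authorization headers.
BASIC_RE = re.compile(r'Basic\s+([A-Za-z0-9+/=]{8,})')
# Keys whose name suggests a credential, assigned a quoted literal value.
CRED_KEY_RE = re.compile(
    r'\b(\w*(?:pass|pwd|secret|token|user)\w*)\s*[:=]\s*["\']([^"\']{1,128})["\']', re.I)


def decode_basic(token):
    """Return 'user:pass' if token is strict base64 of a printable user:pass string, else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return raw if ":" in raw and raw.isprintable() else None


def scan_bundle(text):
    """Return a list of (kind, detail) findings for a JS bundle's text."""
    findings = []
    for m in BASIC_RE.finditer(text):
        creds = decode_basic(m.group(1))
        if creds:
            findings.append(("basic_auth", creds))
    for m in CRED_KEY_RE.finditer(text):
        findings.append(("credential_key", f"{m.group(1)}={m.group(2)}"))
    # NODE_ENV alone is common in bundles (build-time replacement), so it is
    # reported as review context rather than as a confirmed leak.
    for line_no, line in enumerate(text.splitlines(), 1):
        if "NODE_ENV" in line:
            findings.append(("node_env_context", line_no))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_bundle(SAMPLE_BUNDLE):
        print(f"{kind}: {detail}")
```

Run it against every JS file a CDN or `view-source` serves for a domain; a single `basic_auth` or `credential_key` hit is a leak regardless of whether the credentials still work.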
After I found this bug I was super excited and shaking a little because I was in a government server viewing so much data.
I had access to internal communications that exposed sensitive information.
So I wrote up a detailed report fast and sent it to the program on Intigriti. The report was triaged within 45 mins.
After waiting for two days I received a €€€ bounty.