Account takeover of an online casino


abdelilah

Hi, I’m an 18yo security researcher and bug bounty hunter from Morocco. Here’s a story about how I almost took over an entire online casino’s player base out of boredom.

About a year ago, I found an online casino (let’s call it hackedcasino.com). After gambling with fake money for an hour, I got bored and decided to hack it. Even though they didn’t have a bug bounty program, it made a great story.

I started by gathering subdomains of the website:

subfinder -d hackedcasino.com -all | httpx -sc -td -location

I found 22 subdomains and used Aquatone to quickly screenshot them. Most were affiliate, investor, or admin panels requiring authentication: nothing interesting. But lp.hackedcasino.com returned a 404 page, which caught my attention.

screenshot of https://lp.hackedcasino.com/

The site didn’t load any custom JavaScript, so I decided to fuzz it for endpoints:

ffuf -w custom.wlist -u https://lp.hackedcasino.com/FUZZ -ac -recursion -c

1 — Admin dashboard

There was an exposed admin panel with no authentication at lp.hackedcasino.com/admin.

Image of dashboard for managing affiliates

The purpose of the dashboard is for admins to create affiliate landing pages. When someone (like TestAffiliate) wants to join, they contact the admins, who then go to lp.hackedcasino.com/admin to create a landing page like www.hackedcasino.com/TestAffiliate.

With access to this dashboard, we can perform administrative actions on landing pages, such as editing, deleting, and duplicating them.
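From the defender’s side, the two signals in this section (a fuzzing burst of 404s against lp.hackedcasino.com, then a 2xx response from /admin to a client with no session) are easy to pick out of the access log. The following is an added example and not code from the original post or the casino; it assumes a combined log format with the Cookie header appended as a last quoted field, and the log lines are constructed.

```python
# Added example (not from the original post): flag a directory-fuzzing burst
# (many distinct 404 paths from one IP) and an unauthenticated 2xx on /admin.
import re
from collections import defaultdict

# Assumed log format: combined log with the Cookie header appended as a last
# quoted field (adjust LOG_RE to your server's actual format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Constructed sample: an ffuf-style burst, then an unauthenticated /admin hit,
# then a legitimate admin session and an unrelated single 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /config HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /old HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /test HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "GET /upload HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.4 - - [10/Oct/2023:10:05:00 +0000] "GET /admin/edit?affid=819 HTTP/1.1" 200 4010 "-" "Mozilla/5.0" "session=REDACTED"
198.51.100.9 - - [10/Oct/2023:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"
"""

def parse(lines):
    """Yield one dict per line that matches LOG_RE; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_fuzzing(entries, threshold=5):
    """Client IPs that hit at least `threshold` distinct paths returning 404."""
    paths404 = defaultdict(set)
    for e in entries:
        if e["status"] == "404":
            paths404[e["ip"]].add(e["path"])
    return {ip for ip, paths in paths404.items() if len(paths) >= threshold}

def find_unauth_admin(entries):
    """(ip, path) pairs for 2xx responses on /admin paths with no session cookie."""
    return [(e["ip"], e["path"]) for e in entries
            if e["path"].startswith("/admin") and e["status"].startswith("2")
            and "session=" not in e["cookie"]]

def analyse(log_text=SAMPLE_LOG):
    """Run both detections over a log and return the alerts by name."""
    entries = list(parse(log_text.splitlines()))
    return {"fuzzing_ips": find_fuzzing(entries),
            "unauth_admin": find_unauth_admin(entries)}
```

The second alert is the one that matters most here: a 200 from /admin to a client that never presented a session is exactly the misconfiguration the write-up found, and the 404 burst beforehand is what an automated scanner looks like in the log.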

2 — XSS

While creating a new landing page, I discovered an input that looked vulnerable to XSS, so I decided to test it.

Creating a new affiliate landing page containing JavaScript

Visiting our newly created landing page shows that our XSS ran successfully, meaning we can run JavaScript in the browser of any authenticated user who visits our landing page and extract their cookies.

Great success!!1

I tried editing the affiliate landing page I created and noticed each one had a numeric affid value, like affid=819, affid=820, affid=821. My first thought was to edit each landing page (1, 2, 3, 4… 821) to make it run custom JavaScript on load to steal cookies. However, modifying all 821 landing pages could break some of them, so I stopped and decided to report it instead.

I got no response from the company, but fortunately it looks like they’ve now implemented authentication.

I also got RCE using a file upload combined with path traversal, and I could have manipulated or deleted all games on the website, but that’s a story for another day.

Always fuzz 404 pages.
Always dig deeper: if an admin dashboard is exposed, it means no other researcher found it, so interesting bugs will be there.

Thanks for reading

https://x.com/bug_abdelilah
