Exploiting JWT Token Leads To IDOR


AjakCybersecurity

Hi, Ajak Amico’s, welcome back to another blog. Today I will show how I found an IDOR vulnerability by tampering with a JWT token; this specific attack can unsubscribe users from marketing emails without any user interaction. Before starting, if you haven’t subscribed to our channel, do subscribe, guys, for content related to cyber security, bug bounty, and digital forensics investigation.

Follow our Youtube Channel: @ajakcybersecurity (360 Videos)

Follow on Instagram: AjakCybersecurity

So I used this Google dork to find a specific target:

inurl: responsible disclosure Intext: blockchain

Target Name: flow.com

This Google dork fetches VDP programs related to blockchain, so I just randomly went to one of the websites (flow.com). Upon entering, the first thing that popped up in the browser was ‘Subscribe to newsletter’.

After entering my email, I was redirected to my account hosted by Substack. Upon subscribing to the newsletter, I received an email from the target, saying ‘You are now subscribed,’ similar to the screenshot below.

Yeah, I knew it was time to play with the ‘unsubscribe’ button. I copied the link and pasted it into a new window to see the URL request, and it redirected me to my account settings page. This is how it looked.

Now I fired up my Burp Suite and captured the request to analyze the endpoints, as shown in the screenshot below.

As you can see, there is a token that starts with ‘ey’. A token that starts with ‘ey’ is almost certainly a JWT (JSON Web Token), since that is how a Base64url-encoded JSON header begins. Before decoding this token, I tried changing the publication ID to check for any unusual responses, and it returned a 200 response with ‘OK’, like below 💀.

So I immediately created another account, subscribed to flow.com, and after hitting unsubscribe and capturing the request via Burp, I noticed that the publication ID was the same for both accounts 🤡. So the publication ID refers to something other than the user.

Okay, now it’s time to look at this JWT token. To do this, I used the https://jwt.io/ site. I simply copied my entire token and pasted it into the encoded column. The decoded result looked like this:

Account-1 (User_ID 168312)

So you can see “User_Id” as one of the parameters, the candidate for an IDOR 🗿. I labelled this “Account-1”.

Now, I simply changed the USER_ID from 168312 to 168313 (a random user), and the encoded JWT token on the page was updated accordingly to reflect user 168313. I copied the new JWT token, captured the request, deleted the JWT token for USER_ID 168312, and pasted in the JWT token for USER_ID 168313. After forwarding the request, to my surprise, it returned a 200 response with an empty body {}, like in the screenshot below.

When I checked my browser, my mailing list subscription had not been removed, which means the unsubscribe was applied to user_ID 168313, a random user, as shown below.

Account-1 (didn’t get unsubscribed)

Now, to cross-check this, I logged into my second account and captured the request. I pasted the token into the JWT decoder, noted my User ID, and then copied the JWT token for my second account.

Next, I logged in with my first account and pasted in my second account’s JWT token. After forwarding the request, it returned a 200 status code, and my first account’s marketing email was still subscribed. Then I logged out of my first account and logged into my second account. To my shock, upon checking the browser, marketing email had been unsubscribed for my second account, as shown in the screenshot below.

Account-2 got unsubscribed

So this means I could unsubscribe any user from marketing emails just by manipulating the User_ID in the JWT token. I confirmed the IDOR flaw and sent a detailed report to the organization. I was very excited about the response since it was a blockchain site. Unfortunately, it was out of scope since the functionality was hosted on a third-party domain, which was Substack. Anyway, I enjoyed exploiting this, so I will see you in the next blog! Cheers :) have a lovely weekend, chads.❤️
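The root cause described above is that the unsubscribe endpoint acted on the user_id claim without verifying the token's signature, so a payload edited in a JWT decoder was accepted. The following is an added example, not code from this post, from Substack or from flow.com, that contrasts a handler which decodes the claim blindly with one that recomputes and checks an HS256 signature first; the signing key, claim names and user IDs are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service keeps its signing key server-side only.
SECRET = b"demo-signing-key-not-real"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes = SECRET) -> str:
    """Mint a JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def unsubscribe_vulnerable(token: str) -> int:
    """Mirrors the bug in the post: the user_id claim is trusted after decoding only."""
    _, body, _ = token.split(".")
    return json.loads(b64url_decode(body))["user_id"]


def unsubscribe_hardened(token: str, key: bytes = SECRET):
    """Verify the signature before acting on any claim; returns None to reject."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    # Pin the algorithm so a header of "none" or a different alg is refused outright.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))["user_id"]


def edit_user_id(token: str, new_user_id: int) -> str:
    """Re-encode the payload with another user_id but keep the old signature, which is
    exactly what pasting an edited payload into a JWT decoder produces (test input only)."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["user_id"] = new_user_id
    return f"{header}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```

A verified signature proves only that the server minted the claims; the endpoint should additionally bind the token to a short expiry and a single purpose (here, unsubscribing one user) so a valid token cannot be replayed elsewhere.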

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

I hope you learned something from this blog; if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity.❤️

“Hold on to what you learn🔥”

Learn Everyday, Happy Hacking 😁🙌

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Follow our Youtube Channel: @ajakcybersecurity

Follow on Instagram: @ajakcybersecurity
