Sensitive Information exposed in JavaScript using expired JWT

4 years ago

arya starkk

Keeping it in simple terms, since I am also a newbie in hacking. If you haven't come across how to attack JWT (JSON Web Token) yet, follow this: Hacking JSON Web Tokens (JWTs)


How did I approach it?

Unlike my previous post, where I could delete data in the system even though I was not part of the organization, this time, using the same logic of an expired JWT, I was able to see sensitive information. The approach: in the marketplace app I was testing, there were two hosts serving data to the target. One was dedicated to updating and deleting information, and the other one displayed the information (two hosts serving the same data to the target).

What is the Issue

The host meant for updating and deleting handled the JWT securely, so I thought there wouldn't be any bug. But the host that fetches the information from the same DB doesn't handle JWT expiry, which in turn exposes all the information in that account even though I am not part of the target.

I didn't catch it the first time, since the secured host had taught me there wouldn't be any bug in the other host either. When I looked at the response, it was long HTML content with JS and CSS. In that JS, the account data was sent in an array. Now I had the clue on how to dig deeper.
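The failure mode described above is two services sharing one signing key but disagreeing on what "valid" means: one verifies the signature and the `exp` claim, the other verifies only the signature. The following is an added example, not code from the original post or from the application it describes; it uses a constructed HS256 secret, a constructed account table and fixed timestamps so it runs offline, and it places the two checks side by side so the difference is visible.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a real deployment loads the key from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"
ACCOUNTS = {"acct-42": {"name": "Example Seller", "email": "seller@example.invalid"}}
NOW = 1_700_000_000  # fixed "current time" so results are deterministic


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_signature(token: str, secret: bytes = SECRET):
    """Return the claims if the HS256 signature is valid, else None. Says nothing about expiry."""
    try:
        header, payload, signature = token.split(".")
        hdr = json.loads(b64url_decode(header))
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        return None
    return json.loads(b64url_decode(payload))


def read_host_lookup(token: str, now: float = None) -> dict:
    """Models the display host: signature check only, so an expired token still yields data."""
    claims = verify_signature(token)
    if claims is None:
        return {"status": 401, "reason": "bad signature"}
    return {"status": 200, "account": ACCOUNTS.get(claims.get("sub"))}


def write_host_lookup(token: str, now: float = None, leeway: int = 0) -> dict:
    """Models the update/delete host: signature AND a mandatory, enforced exp claim."""
    claims = verify_signature(token)
    if claims is None:
        return {"status": 401, "reason": "bad signature"}
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return {"status": 401, "reason": "missing exp"}
    if now > exp + leeway:
        return {"status": 401, "reason": "expired"}
    return {"status": 200, "account": ACCOUNTS.get(claims.get("sub"))}


# Constructed tokens: one expired an hour before NOW, one still valid, one tampered.
EXPIRED_TOKEN = make_token({"sub": "acct-42", "exp": NOW - 3600})
VALID_TOKEN = make_token({"sub": "acct-42", "exp": NOW + 3600})
TAMPERED_TOKEN = EXPIRED_TOKEN[:-4] + "AAAA"

if __name__ == "__main__":
    for label, tok in [("expired", EXPIRED_TOKEN), ("valid", VALID_TOKEN), ("tampered", TAMPERED_TOKEN)]:
        print(label, "read host:", read_host_lookup(tok, now=NOW)["status"],
              "write host:", write_host_lookup(tok, now=NOW)["status"])
```

The point of running both functions against `EXPIRED_TOKEN` is that the read host answers 200 with the account record while the write host answers 401 "expired"; the fix is for every service that consumes the token to run the `write_host_lookup` style check (signature, pinned algorithm, mandatory `exp`), ideally through one shared verification library rather than per-host code.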

I have the data, what’s next?

Since I had all the private data, I used that vulnerable host for more than an hour to try POST, PUT and DELETE. But nothing helped. Since I couldn't modify any data, my report was prioritized as P4 and rewarded at the lowest P4 level.

Don't skip any calls to the host in the network tab. Even if it's HTML content, scan the JavaScript in the response. I have learned that most of the tokens (or) information rendered into HTML actions is kept in JavaScript.
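Turning that lesson into a repeatable check: an application owner can scan their own rendered pages for inline scripts that carry tokens or account data, instead of relying on someone noticing it in the network tab. The following is an added example, not code from the original post or from the application it describes; it extracts `<script>` bodies with the standard-library HTML parser, looks for JWT-shaped strings, decodes their claims without verifying them (this is an audit of what the page leaks, not an authentication step), and reports whether each token was already past its `exp` at the constructed scan time.

```python
import base64
import json
import re
from html.parser import HTMLParser

# Constructed scan time; a real scanner uses time.time().
NOW = 1_700_000_000

# Compact JWTs start with base64url("{") == "eyJ" and have three dot-separated parts.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}")


class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(token: str):
    """Decode header and payload of a JWT-shaped string; None if it is not really a JWT."""
    parts = token.split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return payload


def scan_html(html: str, now: float) -> list:
    """Return one finding per JWT embedded in an inline script of the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for index, script in enumerate(collector.scripts):
        for token in JWT_RE.findall(script):
            claims = decode_claims(token)
            if claims is None:
                continue
            exp = claims.get("exp")
            findings.append({
                "script_index": index,
                "sub": claims.get("sub"),
                "exp": exp,
                "expired": isinstance(exp, (int, float)) and now > exp,
            })
    return findings


def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned token for the sample page; the signature part is a placeholder.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed page modelled on a marketplace account view that inlines its API state.
SAMPLE_HTML = f"""<html><head><script src="/static/app.js"></script></head>
<body><div id="root"></div>
<script>
  window.__STATE__ = {{"session": "{_fake_jwt({'sub': 'acct-42', 'exp': NOW - 3600})}",
                      "account": ["acct-42", "seller@example.invalid", "+1-555-0100"]}};
</script>
<script>var refresh = "{_fake_jwt({'sub': 'acct-42', 'exp': NOW + 86400})}";</script>
</body></html>"""


def scan_sample() -> list:
    return scan_html(SAMPLE_HTML, NOW)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Any finding at all is a signal worth a ticket: a token in server-rendered JavaScript is readable by anything that can read the page (browser extensions, cached copies, shared screenshots), and an `expired: True` finding with live data next to it is exactly the two-host inconsistency this post describes.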

Thanks for your time in reading this.

Happy Hacking !!
