It's been a couple of years since I last did any bug hunting, mainly because I haven't had enough time to focus on it. However, this week, I decided to give it a shot to measure my skills – lol. I discovered that one company had announced a new target a couple of weeks ago. So, I decided to take a look, especially since no one had reported any vulnerabilities related to this new target yet. The focus area for this new target was to bypass the authentication mechanism and access any protected pages.
The first step was to check the application and understand how it handles its authentication mechanism. The application allows users to log in using either an email address and password or Google authentication, as shown below:
However, the Google authentication was the only method that worked, as the other method seemed broken. When I tried to log in using Google, I ended up with an error stating that I was not authorized to access this resource.
While going through the JavaScript files, I came across one that caught my attention. One of the functions was trying to retrieve an access_token from local storage and grab the user's roles, whether it's a USER or ADMIN, as shown below:
    },
    // Reads the access_token straight from browser local storage ...
    const e = this.localStorageService.getItem(o.LOCAL_STORAGE.access_token);
    // ... and, if any value is present, marks the session as authenticated
    // and assigns the role on the client side.
    e ? this.login({
        isAuth: !0,
        access_token: e,
        role: o.ERoles.USER
    [...]
    // Same pattern elsewhere: the mere presence of access_token is enough.
    if (t.access_token) {
        const e = a.ERoles.USER;
        s.login({
            access_token: t.access_token,
            role: e,
            isAuth: !0
        })
I decided to ask ChatGPT to generate a dummy JWT token with an admin role, then store the value in local storage and refresh the page.
Once the page loaded, the following was observed:
TADA! I had access to the dashboard and other routes available in the system.
This bug hunting adventure was a fun and insightful experience. Using a dummy JWT token with an admin role, I bypassed the authentication mechanism and accessed the dashboard and other protected routes. This shows the importance of securely handling tokens and implementing strong authentication mechanisms to protect sensitive areas of an application. Happy hunting!
Building a system, website, API, or application? Handling sensitive information or concerned about security? Whether you’re planning a launch or already live without considering security, it's crucial to prioritize protection. Worried about your personal security? Reach out at security@wizoutsugar.nl, and let's safeguard your business together!