Hey everyone, today I'm going to be sharing a story about how I was able to take over an account without any user interaction due to one misconfiguration in the guest login.

Without further ado, let's get started. The web application under study is a type of bus ticket booking platform. I could book tickets by creating an account, and I could also book tickets as a guest user by providing an email address.
The victim's email address is [email protected] and she has an account in the web application.
I also have an account there. After logging in with my email address and password, I found an API endpoint that returns all my profile data in response to a GET request authenticated with a JWT.

At first I decoded this JWT and saw what looked like some kind of identifier, but it was hard to make anything of it.

I tried to find a way to use this JWT, but without success. I logged out and tried to book a ticket without logging in; the application asked me to log in.

I simply clicked the "Continue as Guest" button and entered a random name and the victim's email address.

In response, I received the victim's JWT.
{"code":10001,"result":"success","msg":"","output":{"user":{"firstName":"hacker","lastName":"","email":"[email protected]","guest":true,"userName":"[email protected]","countryCode":"","mobilePhone":"","gender":"string","promoEmail":true,"promoMobile":true,"reserveNotification":true,"arabic":false,"cardNumber":"","memberid":"","balance":"","balanceInCent":0,"userId":"","city":"","experienceIconUrl":"","needLogin":false,"dob":null,"tokens":{"access":{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJDMUZwdFdNREw0Yz0iLCJpYXQiOjE3MDczNzc4MDgsImV4cCI6MTczODkxMzgwOH0.4hZ0jfMyFeNhNqp__6e8yK3pBsjZrVuPGN-oLMoIWo4","expires":"2025-02-07T07:36:48.738+00:00"},"refresh":{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJDMUZwdFdNREw0Yz0iLCJpYXQiOjE3MDczNzc4MDgsImV4cCI6OTI1MzEwNTc4MDh9.Gc5Zx-MWT0Th65s0L_l0x6RNknsWPwCCtm3WWFDwKdA","expires":"4902-03-12T07:36:48.753+00:00"}}}}}
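Decoding the two tokens from that response shows what a downstream API actually sees, which is not the same as what the JSON body says. The script below is an added example written for this page, not code from the platform or the author; it parses the page's own tokens with nothing assumed beyond the standard compact JWS layout, and it deliberately does not check the signature because inspection is all it is for.

```python
import base64
import json
from datetime import datetime, timezone

# The two tokens exactly as they appear in the guest-checkout response quoted above.
ACCESS_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJDMUZwdFdNREw0Yz0iLCJpYXQiOjE3MDczNzc4MDgsImV4cCI6MTczODkxMzgwOH0."
    "4hZ0jfMyFeNhNqp__6e8yK3pBsjZrVuPGN-oLMoIWo4"
)
REFRESH_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJDMUZwdFdNREw0Yz0iLCJpYXQiOjE3MDczNzc4MDgsImV4cCI6OTI1MzEwNTc4MDh9."
    "Gc5Zx-MWT0Th65s0L_l0x6RNknsWPwCCtm3WWFDwKdA"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str):
    """Split a compact JWS and decode its header and payload.

    The signature is NOT checked here: this is for inspection only and must
    never be used to make an authorization decision.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def lifetime_days(claims: dict) -> float:
    """Validity window implied by the registered iat/exp claims, in days."""
    return (claims["exp"] - claims["iat"]) / 86400


def inspect_token(token: str) -> dict:
    """Summarise the facts a reviewer wants about a token handed to a guest."""
    header, claims = decode_unverified(token)
    return {
        "alg": header.get("alg"),
        "sub": claims.get("sub"),
        "issued_at": datetime.fromtimestamp(claims["iat"], tz=timezone.utc).isoformat(),
        "lifetime_days": lifetime_days(claims),
        # The JSON body says "guest":true, but an API only ever sees the token.
        # If nothing in the token marks it as a guest session, the API cannot tell.
        "marks_guest_session": "guest" in claims or "scope" in claims,
        "extra_claims": sorted(set(claims) - {"sub", "iat", "exp"}),
    }


if __name__ == "__main__":
    for name, tok in (("access", ACCESS_TOKEN), ("refresh", REFRESH_TOKEN)):
        print(name, json.dumps(inspect_token(tok), indent=2))
```

Run against the page's tokens, this reports HS256 for both, a payload of only `sub`, `iat` and `exp`, an access token issued on 2024-02-08 and valid for 365 days, and a refresh token whose `exp` lies roughly 1,051,200 days (about 2,878 years) after issue. Nothing in either token records that it was issued through guest checkout, so the profile API has no way to treat it differently from a token obtained with a password.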

After copying the JWT and going to the request where I was testing the /getprofile API, I replaced my JWT with the new one...

Now, with this JWT, I have access to all the APIs and can perform any action as the victim user. I was able to book a ticket on behalf of the victim.
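The root cause is that guest checkout turned an unverified email address into a full session for whatever account that address belonged to. The model below is an added example of mine, not code from the platform or the author: the user store, the signing key, the claim names (`guest`, `scope`, `email_verified`), the 30-minute guest lifetime and the lookup-by-email behaviour in the vulnerable path are all assumptions chosen to reproduce the behaviour the write-up describes and to show the fix beside it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a signing key and one registered account.
# A real service keeps the key in a secrets store and the users in a database.
SIGNING_KEY = b"example-hs256-key-not-for-production"
REGISTERED_USERS = {"victim@example.com": {"sub": "user-0001", "firstName": "Victim"}}
GUEST_TOKEN_TTL = 30 * 60          # assumed: a guest session lives 30 minutes, not a year


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict) -> str:
    """Mint a compact HS256 JWT over `claims` with the service key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, now=None) -> dict:
    """Return the claims only if the algorithm is pinned, the MAC matches and exp is in the future."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # never let the token choose its own algorithm
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def issue_guest_token_vulnerable(email: str, now=None) -> str:
    """Model of the flaw in the write-up: the unverified guest email is resolved to an
    existing account and the token carries that account's subject with no guest marker."""
    now = int(time.time() if now is None else now)
    user = REGISTERED_USERS.get(email)
    sub = user["sub"] if user else "guest-" + secrets.token_hex(8)
    return sign_hs256({"sub": sub, "iat": now, "exp": now + 365 * 86400})


def issue_guest_token_hardened(email: str, now=None) -> str:
    """Guest checkout always gets a fresh, short-lived identity that is explicitly marked
    as a guest and scoped to checkout, whether or not the email belongs to an account."""
    now = int(time.time() if now is None else now)
    return sign_hs256({
        "sub": "guest-" + secrets.token_hex(8),
        "guest": True,
        "scope": "guest_checkout",
        "email": email,
        "email_verified": False,
        "iat": now,
        "exp": now + GUEST_TOKEN_TTL,
    })


def get_profile(token: str, now=None) -> dict:
    """Model of /getprofile: account data is served only to full (non-guest) sessions."""
    claims = verify_hs256(token, now)
    if claims.get("guest") or claims.get("scope") == "guest_checkout":
        raise PermissionError("guest sessions cannot read account profiles")
    user = next((u for u in REGISTERED_USERS.values() if u["sub"] == claims["sub"]), None)
    if user is None:
        raise PermissionError("unknown subject")
    return user


def profile_access_allowed(token: str, now=None) -> bool:
    try:
        get_profile(token, now)
        return True
    except (PermissionError, ValueError):
        return False


def strip_guest_flag(token: str) -> str:
    """Re-encode the payload without the guest marker but keep the old signature;
    verify_hs256 must reject the result because the MAC no longer matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.pop("guest", None)
    claims.pop("scope", None)
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


if __name__ == "__main__":
    t0 = int(time.time())
    print("vulnerable guest token reads the account profile:",
          profile_access_allowed(issue_guest_token_vulnerable("victim@example.com", t0), t0 + 1))
    print("hardened guest token reads the account profile:",
          profile_access_allowed(issue_guest_token_hardened("victim@example.com", t0), t0 + 1))
```

The two issuers are signed with the same key and verified by the same code; the only difference is what the guest path puts in the token. In the hardened path the profile endpoint rejects the guest session on the `guest` claim alone, the 30-minute `exp` bounds the damage if a token leaks, and removing the marker from a token does not help because the MAC covers the payload.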
