Hacking Web Meeting/Webinar App
Hello Community,
This article is about the Web meeting App, which i was invited as a part of their private program. This was the first time that i was testing web meting app.
As usual, I started playing with the functionalities and inspecting the traffic. As this is the real time traffic Majority of the functionality was over Web Socket.
I would recommend below link to understand how to inspect and play with the web socket traffic
I found two access control Bugs while testing this app, which i have described below
Bypass Public chat restriction
This was the Web meeting app and it has two roles Presenter/Meeting Admin and attendee. As per below screenshot Presenter could set webinar option to allow only Private chat.
Using the Presenter account i enforced private chat only in webinar.
Now i joined as attendee in another browser and as expected i was only able to send chat to presenter.
I sent message to presenter and intercepted that websocket request which contained parameter “isPrivate” with value true. I set the parameter value to false and forwarded the request as below
Request went successful and our chat message was delivered publicly. Using this vulnerability any attendee could bypass private chat restriction and send the Public Chat.
Shared File Delete
There was another functionality which allows Presenter to upload file and share.
As a presenter , I uploaded and shared file as per below screenshot
In another browser, I was logged in as an attendee and was intercepting all the traffic. Observing that reveled content id of the file shared by Presenter. so i sent one of the websocket request from the attendee traffic to Repeater and updated it with below request
Above request went through and file shared by presenter got deleted by attendee.
Using this Vulnerability any attendee could delete file shared by Presenter/Meeting Admin.
